Microsoft October 2020 Patch Tuesday Fixes & How Cognitive Trust Can Help
by Shivan Mandalam on Oct 20, 2020 8:00:00 AM
Last week, Microsoft released its monthly batch of security updates, which has come to be known as Patch Tuesday, and patched 87 vulnerabilities across a wide range of Microsoft products. The fixes address critical RCE (Remote Code Execution) bugs in the Windows TCP/IP stack (CVE-2020-16898) and Outlook (CVE-2020-16947).
Just today (October 20), Microsoft had to rush out two additional fixes for RCE vulnerabilities affecting the Microsoft Windows Codecs Library (CVE-2020-17022) and Visual Studio Code (CVE-2020-17023). This presented a major threat, as these RCE bugs can allow an attacker to take over entire Windows systems by targeting the unpatched applications.
Anyone who has ever managed a network knows that patch management can be a painful process. It becomes especially challenging when fixes to critical vulnerabilities cannot be easily applied due to various reasons, including:
- Production systems that can’t be taken offline
- Legacy systems with dependencies that will break if a patch is applied
- Patches that themselves introduce additional vulnerabilities or breakage, requiring the IT team to roll back the patch level
In addition, compliance issues tend to arise when it comes to patching systems. No matter the reason, when organizations do not patch known vulnerabilities, they’re accepting risks – implicitly or explicitly.
With the recent influx of remote work across the globe, these risks are even greater (this is especially true for CVEs affecting Windows 10 devices). As more employees access corporate resources and sensitive data from home and other mobile or remote locations, network-based security by itself can’t hold up to these new risks and vulnerabilities.
One way to help IT and security teams tackle a patch management strategy is by implementing a zero-trust network with Elisity Cognitive Trust.
Elisity Cognitive Trust
Elisity Cognitive Trust (ECT) flips the traditional way of managing security on its head. Instead of the traditional “trust but verify” method of managing access to and on a corporate network, ECT works differently: all traffic, users, applications, hosts and devices are authorized only if an explicit policy permits them.
Additionally, when an app/device/user/etc. is verified, the trust granted only applies to that one connection. So every time a communication is initiated on a cognitive trust network, the “what” trying to connect must be verified again to ensure that a threat actor hasn’t intercepted the communication, isn’t hiding inside approved controls, or hasn’t dropped malware onto the system.
So what does this have to do with patch management? In a cognitive trust secure network, all systems— servers, applications, databases, hosts, etc.—run on the principle of least privilege. This means that only systems/apps/etc. that require access to another system/app/etc. are configured to send and receive communication to and from other network connections.
In contrast, in a traditional network, there are a lot of un-managed communication pathways. This means that both legitimate applications/services and malicious traffic can communicate over these pathways. With cognitive trust, anything unused or unnecessary is automatically blocked, therefore reducing the scope of what can communicate, or act maliciously. As a result, the probability of an exploit of an un-patched system is also reduced, as fewer resources are talking to it.
Further, an asset profile created for a cognitive trust secure network includes product or device names, versions, CVE information, and patch levels. This means that system administrators can be alerted on any patch management issues and make the best decision for the organization. For example, security teams could implement a policy that says, “If a remote user on a Windows 10 device is affected by CVE-2020-16898 and is not running an appropriately patched version, alert on the connection.” With that information in hand, the security team can make the decision to either segment the application until it’s fixed, or accept the risk of not applying the patch.
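To make the policy concrete, here is an added example (not Elisity's code, and not its asset-profile schema) of a small default-deny policy evaluator: asset profiles carry product, patch level and unpatched CVEs, connections are allowed only when an explicit policy exists, and a remote Windows 10 host still exposed to CVE-2020-16898 raises an alert or is segmented. Field names, asset names and patch-level values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed asset profile, modelled on the fields the post lists (product,
# version, CVE information, patch level). Field names are hypothetical.
# "cves" holds the CVE ids still unpatched at this asset's patch level.
@dataclass(frozen=True)
class Asset:
    name: str
    product: str        # e.g. "Windows 10"
    patch_level: str    # constructed value, e.g. "2020-10" cumulative update
    cves: frozenset     # unpatched CVE ids known for this patch level
    remote: bool = False  # connecting from outside the corporate network

# Explicit allow list: (source, destination, port). Anything not listed is
# denied, which is the least-privilege / default-deny behaviour described.
ALLOW = {
    ("laptop-01", "fileserver", 445),
    ("laptop-02", "fileserver", 445),
    ("laptop-03", "fileserver", 445),
}

# Hosts the security team chose to segment off until they are patched.
SEGMENTED = {"laptop-03"}

def missing_tcpip_fix(asset: Asset) -> bool:
    """Alert condition from the post: remote Windows 10 device without the fix for CVE-2020-16898."""
    return asset.remote and asset.product == "Windows 10" and "CVE-2020-16898" in asset.cves

def evaluate(src: Asset, dst: Asset, port: int) -> tuple:
    """Return (decision, alerts). 'allow' requires an explicit policy and no segmentation."""
    alerts = []
    if missing_tcpip_fix(src):
        alerts.append(f"{src.name}: remote Windows 10 host not patched for CVE-2020-16898")
    allowed = (src.name, dst.name, port) in ALLOW
    segmented = src.name in SEGMENTED or dst.name in SEGMENTED
    decision = "allow" if allowed and not segmented else "deny"
    return decision, alerts

# Constructed sample assets.
FILESERVER = Asset("fileserver", "Windows Server", "2020-10", frozenset())
LAPTOP_PATCHED = Asset("laptop-01", "Windows 10", "2020-10", frozenset(), remote=True)
LAPTOP_UNPATCHED = Asset("laptop-02", "Windows 10", "2020-09", frozenset({"CVE-2020-16898"}), remote=True)
LAPTOP_SEGMENTED = Asset("laptop-03", "Windows 10", "2020-09", frozenset({"CVE-2020-16898"}), remote=True)

if __name__ == "__main__":
    for src in (LAPTOP_PATCHED, LAPTOP_UNPATCHED, LAPTOP_SEGMENTED):
        print(src.name, evaluate(src, FILESERVER, 445))
```

The unpatched laptop with a policy is still allowed but generates the alert, which is the "accept the risk" branch; the segmented laptop is denied despite its policy, which is the "segment until fixed" branch.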
There’s a strong chance we’ll have another Patch Tuesday and another set of RCE bug fixes. While patch management tools can help operationalize patch fixes in the broadly distributed enterprise, these tools cannot keep software from communicating, especially if it is already compromised by malware before patching. Also critical is that patch management is only relevant when a patch exists. How does an organization know about and prevent RCE issues before discovery and patching? Cognitive Trust combines Zero-Trust Network Architecture (ZTNA) and Software-Defined Perimeter (SDP) capabilities to provide fine-grained access control. This gives security teams a fighting chance at stopping unnecessary risks.
To learn more about adopting Cognitive Trust in your organization, read our how-to blog, 5 Stages to Adopt a “Zero Trust” Networking Model, or see our White Paper: Making Identity the New Perimeter.