Upgrade or Get Hacked (When Patch Available)

Did you hear the latest in Cybersecurity news?

  1. No, not the news that Pizza Hut was hacked.
  2. Not the news that Hyatt Hotels were hacked.

But the news that the supposedly secure WPA2 Wi-Fi protocol is actually vulnerable to attacks, which essentially means all current Wi-Fi access points are not secure.

CERT has a list of all the vendors with patches and who is affected. CERT used to stand for Computer Emergency Response Team; today it is at Carnegie Mellon University and still reviews the important vulnerabilities.

So you say: big deal, another protocol is insecure, the researchers say. Just because it may be insecure if a person with the right knowledge can attack it, my Wi-Fi is going to be less secure, but what does it really mean?

It means it is another item to patch in a large schedule of patches (with Microsoft Windows and other software also having to be patched).

So we have to evaluate the actual risk and impact before allocating resources.

For one, the hacker has to be close enough to your Wi-Fi station to see if they can attack your communications, so this is not a recipe for mass mania. True, but as usual it is only the high-risk areas that have more to worry about. High risk as in protecting Social Security numbers and other PII (Personally Identifiable Information).

So the largest worry we have is that this patch is going to be ignored by most people, thus leaving 50% or more of Wi-Fi access points vulnerable to this attack. So the best thing that can happen here is that companies evaluate their own situation and then decide, with their resources, when to patch this problem. It may not be easy to exploit, and the attacker must be within range of the Wi-Fi access points. So in the future a seemingly secure protocol is not secure until patched.

Unfortunately not everyone patches. As we mentioned before, 25% patch within the first week, another 25% within the first month, and an additional 25% within 6 months. And some do not patch at all.


Obviously this is true, since many ransomware outbreaks take advantage of basic patches not being applied (they exploit the vulnerabilities those patches would have closed).

So in the coming months, as hackers develop better hacks (programs that take advantage of this vulnerability so the hacker can make money), only then will the risk go higher and higher. And depending on the impact of the system affected, it might actually get more dangerous for the companies not patching.


So everyone must have a patching regimen. Get going already – get a CISA tester on hand (like us – contact us).


Can We Make Community Immunity (Inoculation) Work in Cybersecurity?

Instead of another post about the dangers of not patching your systems or inadequate configurations (i.e. errors in configs) that ultimately lead to ransomware and computer viruses running amok (or ‘in the wild’)

One ransomware infection “in the wild” means somebody failed to upgrade their machine or failed to have enough protection.

Some viruses try to infect other machines by replicating using email or other methods.

Cisco explains the difference between Viruses, worms, Trojans, and Bots

There are many different classes of bad software trying to infect us. When one machine is badly configured and badly managed, it affects all of us.

We need an environmentally sound policy for all – right? We need clean water, clean air, and clean electronic networks – together we can do it.

It has to be everyone including home users, but especially companies that accept credit cards, or store social security numbers and other Personally Identifiable Information (PII).

I recommend that all users step up their cybersecurity game by doing what is necessary. As a CISA (Certified Information Systems Auditor) certified person, I know what must be done, and it requires another person double-checking the information technology of your company because it is that important.

If 80% of the computers were properly inoculated (something similar to inoculating with flu shots every year against the flu), then when a new variant of a trojan/virus comes out it will not propagate as fast as today. The eventual goal is to get 95% inoculation, and that is where herd immunity comes into play.

My contention is that we are nowhere near that point now. One estimate is that 50% patch computers within a month.

As CSOonline states, 25% of machines get patched within the first week, 25% of people patch within the first month, and 25% of people patch after the first month.

25% do not patch. So the problem is that we cannot get anywhere near herd immunity with only 75% patching within 6 months or so.

We need to change this so that most people patch and only a small minority does not. Until this happens we will have many problems.

Contact me to discuss your patching regimen.

Upgrade, Patch, and Reboot: No! Too Hard?

How can it be that upgrading software and hardware is too hard? Or is it that the reboot is too hard?

We don’t actually want to reboot do we?

I know some people who deliberately do not reboot their computers until forced to do so by power outage or other dramatic events.

Or is it that a reboot has a small chance of upsetting the balance of the computer? I.e. the registry might become corrupted (example of a registry failure after restart)? This phenomenon happens with faulty (or ‘buggy’) patches. But because we have heard about these things, we think postponing the update (for months) is better.

The solution? Have your IT department test the patches on a suitable copy of the system first. So again we run into the problem of resources. The IT department has to have a suitable test machine and has to have the time to test the upgrade with all of the software that you must use:

  1. Accounting
  2. Word/Excel (or Office)
  3. Website software compatibility (Firefox, Chrome, Internet Explorer)
  4. Specialized software

So now what seemed like a 30-minute job at most has turned into several hours. And remember, it also depends on the other tasks the IT department has. Updating servers is more complex and can take longer. This was likely the problem at Equifax, where an Apache Struts application was not patched within a short time. See the “Learning From Equifax Breach” Sep 27 blog post.

And I don’t know if you noticed, but there are patches every month, sometimes more frequently:

Here is an example of a past Patch Tuesday (2nd Tuesday of the month) in 2015 on this blog.

A single vulnerability may affect 8 different types of systems, and if you have many of those systems (due to not standardizing), then each system must be tested properly to figure out if the patch will work.

So it is not the single act of rebooting that is the cause of our consternation; rather it is the large testing regime that SHOULD be done. Of course a loose IT department can just wing it and patch without testing. On most months that would be OK, but periodically there will be problems and then a lot of downtime.

So ask yourself: is there a lot of unscheduled downtime for different systems? Then it may be time to do things differently. We do not want to be the company that is in the news due to a cybersecurity incident (which may have started due to an insufficient update process).

Contact us for a review of your machines and processes.

Learning from Equifax Breach

I wish I could say that this post would be something new – like buy “xyz” product and perform handstands or something and all your problems are solved.

Unfortunately, the Equifax breach likely happened due to unpatched systems. As even Equifax itself admitted¹:


So, as we have discussed this problem many times, how can a company with IT people and cybersecurity people possibly miss patching this kind of vulnerability?


It is not as if the vulnerability is a minor one. This Apache Struts vulnerability is a severity 10 (on a scale of 1-10), and as I have mentioned before, from the time a vulnerability is found the clock is ticking. The hackers try to exploit it and companies try to patch the problem as soon as possible to prevent what happened to Equifax from happening to them. Rapid7² discusses the exploits available and what should be done. (Solution: upgrade to the latest Apache Struts.)


Somehow the upgrade process and patching of critical pieces of infrastructure is very difficult for organizations, and thus they are susceptible to attacks, and will be until we as consumers can push them into fixing things. How will we know if companies are patching? Someone has to audit them, someone like us (as a Certified Information Systems Auditor) at https://fixvirus.com/

It seems simple to me, but somehow this process of patching highly vulnerable systems is very difficult. And thus it takes time, which the hackers use to try to gain entry. Once the hackers have entry into your systems (evading defenses and taking information), it is a short time to a full-fledged breach.


  1. https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/
  2. https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638

Keep Up on Security News

It is good to keep up on the latest security news so that you can review what vulnerabilities new bugs are creating.

Keeping up on the latest vulnerabilities allows you to keep the risk analysis up to date (Risk = likelihood * impact), because as new events happen, your risk profile changes.

We created the Security News Analyzed page for this reason:



We are looking for ways to make this methodology better and more efficient, so that one spends as little time as possible reviewing the latest news.

On the Security News Analyzed page we have collected 30 top security news websites, which help you keep up on the technology in your company and home.


We have redone this site many times, and are in the midst of redoing it again (keep an eye on it in the next couple of months):

Here are some older looks:

7/8/2016: discusses the vulnerability


At this point I was still reviewing many websites for inclusion (06/2015)