VietNamNet Bridge - Domestic organizations, state agencies and businesses remain passive in handling security vulnerabilities, which brings high risks to networks, especially servers.


According to Ngo Viet Khoi, an information security expert, former director of Trend Micro Vietnam, 74 percent of cyberattacks succeed right on the first day the flaw becomes known, while it takes 30-45 days on average to release a genuine patch. The interval when systems are most vulnerable is called ‘zero day’.

In general, the process of patch testing, result approval, data backup and installation may last several months or quarters. Meanwhile, the patch update process depends on procedures and policies set up by organizations, and on the systems’ scale. It also depends on the organizations’ stagnation and bureaucracy.

The habit of using cracked, unlicensed software and old applications (programmed to run on operating systems that no longer receive support from their issuers, such as Windows XP, Windows 7 and Windows Server 2013) also increases the risk of security flaws that cannot be patched.

In other cases, organizations’ policies of not budgeting for software and hardware upgrades have caused flaws to persist across fiscal years.

Experts have repeatedly warned about advanced persistent threats (APT), which target predetermined subjects such as state agencies, enterprises and military, energy and astronaut institutions to steal data.

Tardiness in vulnerability patching will give hackers golden chances to implement their plans.

Also according to Khoi, the information technology activities carried out by government agencies and businesses depend heavily on server or datacenter systems. Patching vulnerabilities in applications and operating systems is specific work that administrators do not want to do.

In many cases, security vulnerabilities are exploited before software providers discover the vulnerabilities. With scanning tools, hackers can quickly find the holes to exploit before official patches are released.

Meanwhile, many Vietnamese agencies and businesses lack the necessary awareness of information security. They are equipped with security solutions only once and invest in updated patches to save money.

Many agencies don’t handle vulnerabilities even when they are warned about them.

Khoi commented that the ‘patching when and where there is a flaw’ approach puts enterprises and organizations in the ‘passive voice’ in protecting information security.

He advised information security officers to proactively adopt new vulnerability patching methods instead of waiting for patches from service providers.

One of the solutions Khoi suggested is virtual patching: the quick development and implementation of a security policy to prevent exploitation of a newly discovered vulnerability.

With this solution, the zero-day interval would be shortened to several hours or several days. It is advisable in cases where the official patch has not come or will not come.


Buu Dien