Even rocket scientists can’t patch correctly

A recent audit report revealed several serious vulnerabilities in a government satellite system. How those vulnerabilities piled up points to some very common mistakes organizations make with their security.

An audit of the Joint Polar Satellite System (JPSS), the IT system that gathers data from weather satellites, was conducted by the U.S. Department of Commerce’s Office of the Inspector General.

Several serious security issues were found, including:

  • a two-thirds growth in the number of high-risk vulnerabilities since 2012
  • more than 9,100 high-risk vulnerabilities, including out-of-date software or missing patches, insecurely configured software, or unnecessary user privileges
  • more than 3,600 instances of password policies being violated, and
  • since 2011, maintenance releases to the system have been suspended for a total of 344 days to allow for the evaluation of contractor performance and other one-time special projects.

Patches take a back seat

Make no mistake about it: any one of these lapses would be bad. Taken together, they paint a very unflattering picture of IT security at JPSS. The fact that this information is public before the fixes have been made could arguably put an even bigger target on the program’s back. Attackers know that these “high-risk vulnerabilities” include easy targets.

According to the report:

Vulnerabilities are defined as high-risk if they are relatively easy for attackers to exploit and gain control over system components. If exploited, these vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring. Software used by the JPSS system contains vulnerabilities that have been publicly known for several years. Software tools to exploit several of these vulnerabilities are available on the Internet.

That’s practically gift-wrapping systems for attack.

But even if your company’s vulnerabilities and security practices are nowhere near this bad, that’s not to say you’re immune from the same problems.

Lessons learned

Here are three takeaways from the report you’ll want to put into practice.

  1. There is never a convenient time for security. Projects and delays will always get in the way, and if you wait for the right moment to make security changes, you won’t find one. There is no perfect time to update systems, catch up on needed security patches or replace outdated software; there is only “as soon as possible” or “too late.”
  2. Public disclosures make you vulnerable. Once your organization has a reputation for being slow to react to security problems, you’ve got big problems: attackers will do their best to take advantage of it. It is better to find and fix problems on your own than to have them trumpeted to the world.
  3. Password policies must be followed. A single weak or non-compliant password can be costly. When thousands of passwords violate policy requirements, your exposure is multiplied.
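Those three lessons translate into a routine reporting job: take the scanner export, count the high-risk items, compare against the last assessment, and put the publicly exploitable, long-open findings at the top of the patch queue. The Python below is an added example and is not code from the article or from the Inspector General’s report; the Finding record layout, the sample findings, the report date, the baseline count and the 30-day threshold are all assumptions made for illustration.

```python
"""Roll up scanner findings into the kind of figures an audit like the JPSS one cites.

Added example: the Finding schema, the sample records, the report date and the
30-day "open too long" threshold are assumptions, not data from the report.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    category: str          # missing_patch | misconfig | excess_privilege | password_policy
    severity: str          # high | medium | low
    first_seen: date       # when the scanner first reported it
    exploit_public: bool   # a working exploit tool is publicly available


def high_risk(findings):
    """High-risk findings: the ones an attacker can exploit with little effort."""
    return [f for f in findings if f.severity == "high"]


def growth_since_baseline(current, baseline):
    """Fractional growth of a count against an earlier baseline (2/3 == "two-thirds growth")."""
    if baseline <= 0:
        raise ValueError("baseline count must be positive")
    return (current - baseline) / baseline


def gift_wrapped(findings, today, max_age_days):
    """High-risk findings with a public exploit that have stayed open past the grace
    period, oldest first: these go to the front of the patch queue."""
    stale = [
        f for f in high_risk(findings)
        if f.exploit_public and (today - f.first_seen).days > max_age_days
    ]
    return sorted(stale, key=lambda f: f.first_seen)


def summarize(findings, today, baseline_high, max_age_days=30):
    """Headline numbers for a status report: counts, growth, age and policy violations."""
    high = high_risk(findings)
    oldest = min((f.first_seen for f in high), default=today)
    return {
        "high_risk": len(high),
        "growth_vs_baseline": growth_since_baseline(len(high), baseline_high),
        "gift_wrapped": len(gift_wrapped(findings, today, max_age_days)),
        "oldest_high_risk_days": (today - oldest).days,
        "password_violations": sum(1 for f in findings if f.category == "password_policy"),
        "by_category": dict(Counter(f.category for f in findings)),
    }


# Constructed sample data (not from the report): a few hosts in a ground segment.
REPORT_DATE = date(2014, 9, 1)   # assumed date of the current assessment
BASELINE_HIGH = 3                # assumed high-risk count from the previous assessment

SAMPLE = [
    Finding("ground-a", "missing_patch", "high", date(2011, 6, 15), True),
    Finding("ground-a", "misconfig", "high", date(2013, 2, 1), False),
    Finding("ground-b", "missing_patch", "high", date(2014, 8, 20), True),
    Finding("ground-b", "excess_privilege", "high", date(2012, 11, 3), False),
    Finding("ground-c", "missing_patch", "high", date(2013, 9, 9), True),
    Finding("ground-c", "password_policy", "medium", date(2014, 1, 1), False),
    Finding("ground-d", "password_policy", "medium", date(2014, 3, 5), False),
    Finding("ground-d", "misconfig", "low", date(2014, 5, 5), False),
]


def sample_summary():
    """Summary for the constructed sample, as of the assumed report date."""
    return summarize(SAMPLE, REPORT_DATE, BASELINE_HIGH)


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key}: {value}")
    for f in gift_wrapped(SAMPLE, REPORT_DATE, 30):
        print(f"patch first: {f.host} {f.category} open since {f.first_seen}")
```

The recently reported finding on ground-b has a public exploit too, but at 12 days old it is still inside the grace period, so the report lists the two items that have sat open for years first; the growth figure is the same two-thirds rise the audit describes, computed against the previous count rather than stated as a raw number.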
