By now, security pros everywhere have heard about SAMSAM, the ransomware campaign that breaks in through years-old vulnerabilities in JBoss application servers and has hit hospitals particularly hard. The spread and "success" of SAMSAM puts the spotlight on a well-known infosec problem: deciding which vulnerability remediation work gets done first.
Why JBoss Doesn’t Get Patched
Take the specific case of JBoss, which is often difficult and labor-intensive to patch. Many organizations have no centralized patching tool for it, and because it runs on many platforms and ships embedded in other products, it turns up in unexpected places. It is also open source, backed by Red Hat (the community application server is now WildFly; the supported product is JBoss EAP). Red Hat is a fine company, but if you are not a Red Hat administrator you are probably not subscribed to its security bulletins and not in the habit of looking to it for patches.
On top of that, there is a real chance that patching JBoss will break an application that depends on it, so the job usually takes several iterations to get right. Fear of patching anything beyond garden-variety Microsoft vulnerabilities is still widespread.
So it is easy for an overtaxed infrastructure team to leave JBoss alone: it is a lot of work, it might break something, and there is always something that seems more urgent, like adding disk space to servers.
Priorities, Cost and Opportunity Cost
I spent about 10 years pushing patches, so I understand. During that period of my career, a project manager would evaluate the dollar value of my vulnerability patching work versus other tasks, based on my hourly rate and opportunity cost. That was all we had to go on. If the math showed I was more valuable doing something else, then pushing patches became a low priority, a task to be done with whatever spare time I had.
How do you juggle JBoss patching against other work? We tried to assign a value to patching based on breach data, using the most recent Verizon DBIR (Data Breach Investigations Report). A breach might cost $150-$200 per record to clean up, so we would look at the number of records on a system and do the math, but we heard all kinds of creative ways to dismiss that analysis.
In other words, with limited time and people, infrastructure teams are always juggling competing priorities, and JBoss typically languished at or near the bottom of the list.
The Ransomware Equation
Ransomware changes this picture. It gives a more precise way to estimate the value of patching, the math is easier, and the resulting numbers can be larger too.
In corporate environments we can suddenly attach real-world dollar figures to these attacks, and it is the value of other infrastructure tasks that becomes fuzzy. If we know how much the SAMSAM attackers charge to unlock each compromised machine, an organization can put an estimated value on patching JBoss to block SAMSAM, based on the number of devices that could be compromised. The ransom is a floor, not the total cost: downtime, rebuilding machines and the incident response work come on top of it. The estimate lands with special force in organizations with flat, unsegmented networks, where one compromised JBoss server gives SAMSAM a path to every other host.
The costs of a ransomware attack can run to hundreds of thousands of dollars, and avoiding a figure like that looks very good on an annual review. If the security department can hand out numbers like that along with the data to back them up, security very quickly goes from being infrastructure's biggest annoyance to infrastructure's best friend.
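Here is the ransomware equation as a small model you can run against your own inventory. This is an added example, not code from the original post or from Qualys: the hosts, segments, record counts, the $650 ransom per machine and the $150 per-record figure are all constructed assumptions. It ranks each vulnerable JBoss host by the larger of the two estimates (per-record breach cost versus ransom times the number of hosts reachable from it), and the segmented/flat switch shows why the ransomware number explodes on a flat network.

```python
"""Rank vulnerable JBoss hosts by estimated cost of a SAMSAM-style outbreak.

Added example, not from the original post. Every host name, segment, record
count and dollar figure below is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str               # network segment / VLAN the host sits in
    records: int               # sensitive records held (per-record breach model)
    vulnerable_jboss: bool = False


def blast_radius(hosts, entry, flat_network):
    """Hosts an attacker can reach after landing on `entry`.

    Flat network: everything is reachable. Segmented network: only the entry
    host's own segment (assumption: segments are firewalled from each other).
    """
    if flat_network:
        return list(hosts)
    return [h for h in hosts if h.segment == entry.segment]


def ransomware_exposure(hosts, ransom_per_machine, flat_network):
    """Per vulnerable host: ransom demanded if that host is the entry point.

    The ransom is a floor; downtime and rebuild costs come on top of it.
    """
    return {
        h.name: ransom_per_machine * len(blast_radius(hosts, h, flat_network))
        for h in hosts if h.vulnerable_jboss
    }


def breach_exposure(hosts, cost_per_record):
    """Per vulnerable host: DBIR-style per-record estimate, counting only the
    records held on that host (the model that was easy to argue away)."""
    return {h.name: cost_per_record * h.records for h in hosts if h.vulnerable_jboss}


def patch_priority(hosts, ransom_per_machine, cost_per_record, flat_network):
    """Rows of (host, ransomware estimate, breach estimate, planning figure),
    sorted so the most expensive host to leave unpatched comes first."""
    ransom = ransomware_exposure(hosts, ransom_per_machine, flat_network)
    breach = breach_exposure(hosts, cost_per_record)
    rows = [(n, ransom[n], breach[n], max(ransom[n], breach[n])) for n in ransom]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed inventory: two vulnerable JBoss servers, 400 workstations.
INVENTORY = [
    Host("app-01", "dmz", records=0, vulnerable_jboss=True),
    Host("app-02", "dmz", records=0),
    Host("ehr-01", "clinical", records=250_000, vulnerable_jboss=True),
    Host("ehr-02", "clinical", records=250_000),
    Host("fileshare-01", "corp", records=5_000),
    Host("print-01", "corp", records=0),
] + [Host(f"ws-{i:03d}", "corp", records=0) for i in range(400)]

RANSOM_PER_MACHINE = 650   # assumption, USD per machine
COST_PER_RECORD = 150      # low end of the per-record figure quoted above, USD

if __name__ == "__main__":
    for flat in (True, False):
        print("flat network:" if flat else "segmented network:")
        for name, r, b, plan in patch_priority(INVENTORY, RANSOM_PER_MACHINE,
                                               COST_PER_RECORD, flat):
            print(f"  {name:8s} ransomware=${r:>12,} breach=${b:>12,} plan for ${plan:,}")
```

Note what the two runs show: app-01 holds no records, so the per-record model values patching it at $0, while on a flat network the ransomware model values it at $650 times all 406 hosts. Segmenting the network drops that figure to the two DMZ hosts, which is the argument for segmentation as a compensating control while the patch backlog is worked down.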
Protecting Your Systems
The trick is finding the machines with vulnerable versions of JBoss, including the ones nobody remembers installing. This is where the Qualys Cloud Platform comes in. Qualys Vulnerability Management has about 20 QIDs covering missing patches and misconfigurations of JBoss that identify the remediations needed to protect your systems from SAMSAM-style attacks.
You may not have much experience patching JBoss; the only way to get good at patching anything is practice.
Qualys shines at finding the instances where a patch was deployed but one file didn't take, leaving the server still vulnerable. Rescan after every patch cycle rather than trusting the deployment tool's success message. It is bad to be vulnerable and know it, but far worse to be vulnerable and not know it.
The Qualys Cloud Platform, which includes Qualys VM and other security applications, provides continuous security: it finds all your IT assets, on premises or in the cloud, discovers their vulnerabilities and helps you prioritize remediation with actionable intelligence. Your main problem today may be JBoss and SAMSAM, but tomorrow it will be something else.
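A scanner finds the half-applied patch after the fact; a file-level check run right after deployment finds it the same day. The following is an added example, not code from the original post or from Qualys: it hashes every file a patch should have written on a reference host, then compares the target host against that manifest and reports files that are missing or still carry the old content. The manifest format and the sample JBoss file tree are constructed assumptions; build the real manifest from a host where the patch is known to be good.

```python
"""Check that a patch actually landed on disk, file by file.

Added example, not from the original post or from Qualys. The manifest format
(path relative to the JBoss install, SHA-256 hex digest) and the sample file
tree in demo() are constructed assumptions.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large jars don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record {relative path: digest} for every file under a known-good tree."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_patch(root, manifest):
    """Return {relative path: status} for every file the patch should have written.

    'ok'       digest matches the reference host
    'missing'  file absent, so the copy never happened
    'mismatch' old or partially written content still in place
    """
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report[rel] = "missing"
        elif sha256_of(path) != expected.lower():
            report[rel] = "mismatch"
        else:
            report[rel] = "ok"
    return report


def still_vulnerable(report):
    """Files that did not take; a non-empty list means the host is not patched."""
    return sorted(rel for rel, status in report.items() if status != "ok")


def write_tree(root, files):
    """Helper for the constructed scenario: materialise {relative path: bytes}."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: the patch shipped three files. On the target host
    the jar copy silently failed and one config file was never written."""
    web_xml = "server/default/deploy/jmx-console.war/WEB-INF/web.xml"
    jar = "server/default/lib/jbossall-client.jar"
    login = "server/default/conf/login-config.xml"
    patched = {  # reference host after a good patch run
        web_xml: b"<web-app><!-- patched: auth required --></web-app>",
        jar: b"PK new jar bytes",
        login: b"<policy>patched</policy>",
    }
    on_target = {  # target host: web.xml updated, old jar left behind, no login-config
        web_xml: patched[web_xml],
        jar: b"PK old jar bytes",
    }
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as target:
        write_tree(good, patched)
        write_tree(target, on_target)
        return verify_patch(target, build_manifest(good))


if __name__ == "__main__":
    report = demo()
    for rel, status in sorted(report.items()):
        print(f"{status:8s} {rel}")
    print("still vulnerable:", still_vulnerable(report))
```

In practice you would build the manifest once per patch from a reference server, ship it with the change ticket, and run the verify step on every host the patch touched before closing the ticket; the scanner result a few days later then confirms rather than surprises.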