The BlueKeep RDP Vulnerability: Making the Case for Patch Management

Poor patch management can leave an organization vulnerable to a devastating security breach – even without anyone making an obvious mistake like opening a malicious attachment. The CVE-2019-0708 or “BlueKeep” vulnerability in Microsoft’s Remote Desktop Protocol (RDP) is the perfect example.

Microsoft, along with a multitude of security experts across the globe, have directly compared the RDP vulnerability’s potential impact to WannaCry. The ransomware outbreak affected roughly 200,000 victims in 2017, causing hundreds of millions of dollars in damages.

Discovered by the UK’s National Cybersecurity Center in early May, the RDP vulnerability makes it possible for an attacker to take over any device running Windows 7 or older (along with older versions of Windows Server). BlueKeep is wormable, so a single compromised device could quickly infect an entire network, potentially affecting millions of machines all over the world.

Microsoft came out with a fix for the RDP vulnerability on May 14, even taking the unusual step of including the no-longer-supported Windows XP on their patch list. Microsoft rates the severity of the security flaw as 9.8 out of 10, and has urged all affected users running legacy systems to install the patch right away. No one has publicly released an exploit to target BlueKeep yet, but it won’t be long until it appears in the wild.

Has the BlueKeep RDP vulnerability been patched?

Considering how dangerous BlueKeep could be, you might think everyone has already installed the patch – but you’d be wrong.

According to security researcher Rob Graham’s scan for systems affected by the RDP vulnerability, at least 900,000 machines are still unpatched. Some of these devices will be old workstations and non-essential servers that hold no critical data, but many of them are probably in active use at companies across the globe. If your company is running any of these machines, you could soon be in for a world of hurt.

Although BlueKeep is unusually severe, even less critical vulnerabilities can have devastating effects. According to Ponemon’s 2018 Cost of a Data Breach Study, 57% of security breaches are caused by vulnerabilities that could have been patched. Similarly, 34% of those who experienced a breach said they knew about a vulnerability in their systems, but didn’t take proper steps to deal with it in time.

Ask any cyber security professional, and they’ll tell you: patch management should be a top priority for any IT decisionmaker, Data Protection Officer or business executive. So why isn’t this the case?

The reality is that a handful of common problems stand in the way of effective patch management at most companies. More often than not, people know that they should pay more attention to patching – but put it off until it’s too late because of these issues.

Let’s look at some of these problems in more detail. We’ll also show you how solutions like F-Secure Radar and F-Secure Protection Service for Business can help you stay on top of your patch management needs.

Why is patch management so difficult?

Resource Issues

Most IT departments have a lot of responsibilities and can’t focus solely on cyber security. Patching every known vulnerability would eat up a lot of man-hours, especially when hundreds of new security flaws are discovered every year. Not all vulnerabilities are equally serious, so how can you know which patches should have the highest priority?

A turn-key vulnerability management platform like F-Secure Radar can make the task a lot less daunting by creating prioritized reports on the most dangerous vulnerabilities. A serious threat like BlueKeep would be flagged immediately as critical, instead of slipping under your radar – pun intended.

An automated patch management tool like F-Secure Software Updater (included in our endpoint security product F-Secure Protection Service for Business) can add an extra layer of security by making sure all your endpoints are up to date. F-Secure Software Updater scans devices in your network for missing updates, then downloads and installs them automatically. When an automatic process is impossible or undesired, it also allows for manual updates.

In the case of the BlueKeep RDP vulnerability, F-Secure Software Updater started installing Microsoft’s patch on the same day it was released. This effectively minimizes your company’s vulnerability window (the amount of time that exists between the discovery and patching of critical security weaknesses).

Overall, this combination of solutions drastically reduces the man-hours needed for patch management. Threats like BlueKeep or WannaCry are found and dealt with as soon as they’re discovered, saving you time and stress.

Identifying Vulnerabilities

Identifying vulnerabilities is another problem area for many companies. With hundreds – or thousands – of endpoints running different operating systems, keeping track of all the different vulnerabilities, security updates, and system configurations is no simple task.

F-Secure Radar scans and maps every system and application in your network for potential vulnerabilities, such as outdated software, system misconfigurations, noncompliant systems, and open ports. External vulnerabilities are also included – F-Secure Radar identifies shadow IT and maps possible attack vectors on the Internet. It even scans the deep web with our web-crawling technology, uncovering hidden threats such as typosquatting and phishing sites that could damage your brand if left unchecked.

F-Secure Radar also scans your partner businesses for vulnerabilities, which is more important than you might think. Cyber attacks conducted through the supply chain are growing in popularity by the day, and can lead to significant damages: according to Ponemon’s survey conducted in 2018, 56% of organizations had encountered a breach that was caused by one of their vendors.

On another front, third-party applications like Flash and OpenOffice are among the most common attack vectors. F-Secure Software Updater takes the guesswork out of spotting vulnerabilities in popular software by automatically updating Microsoft and more than 2500 other widely-used applications. This is one of the easiest ways to significantly lower the risk of someone using one of your endpoints to breach your IT infrastructure.

Time Pressure

Tight deadlines and looming go-live dates lead to a lot of issues with patch management. It’s easy to tell yourself you’ll install all the patches after you meet your deadline, but one project follows another, and procrastination turns into inaction.

This phenomenon can also be seen with BlueKeep. When Rob Graham scanned the public internet for vulnerable endpoints on both Monday and Wednesday of the same week, he found that only about a thousand machines had been patched across the globe during this interval. It’s most likely that this extremely slow pace continues in the coming weeks, after which the patches stop completely as BlueKeep disappears from the headlines.

Attackers love this. There’s nothing better than identifying a glaring weakness in a target’s network infrastructure and having a common exploit to take advantage of it. Before WannaCry hit companies across the world, the patch that fixed it had been available for several months.

Prioritization and scheduling are common problems, but luckily you don’t have to rely on your own memory and management skills to address them. F-Secure Radar analyzes potential threats and rates them according to severity, letting you know which issues need to be dealt with immediately and which issues are lower priority.

In combination with F-Secure Software Updater, this makes it even easier to meet your deadlines. By automatically updating your most frequently used software, F-Secure Software Updater turns a nagging worry into a non-issue. The software your company uses every day will be up-to-date, and you will be able move forward in your main project without interruptions.

Downtime Worries

Some IT departments put off installing patches because they’re concerned about downtime if they need to reboot critical systems – especially considering that some patches can cause performance problems. In the long run, putting off patch installation causes your system to become out of date, increasing the likelihood of the same performance issues you’re trying to avoid.

F-Secure Radar scans every device to determine how much critical information is stored on that system, how often it is used, and how important a particular update is before assigning a priority rating. This makes it much easier to weigh the risk of a security breach against the possibility of downtime. With F-Secure Software Updater keeping your applications updated and F-Secure Radar looking out for specific threats, you’ll know that none of your time is being wasted on non-essential tasks.

Appliances and Risk Reduction

If your company is using any appliances, you generally won’t be able to service them or make any changes on your own. Even if it isn’t against your service contract with the vendor, the appliance may use customized code. F-Secure Radar’s discovery scans include partner and contractor vulnerabilities, allowing you to find any potential threats to your appliances and alert your vendor. This gives you the option to at least mitigate these threats, if fixing them is not an option for some reason.

The most important aspect of patch management is risk reduction. The vast majority of exploits target the most popular applications for the simple reason that their popularity gives the attacker access to far more systems. Even if you can’t address every possible threat, you can reduce your attack surface significantly by just making sure that your applications are updated consistently on every device used in your company. In combination with F-Secure Radar’s threat scanning capabilities, F-Secure Software Updater makes your company a harder target to hit.

Patch Management is Risk Management

Security breaches are costly in more ways than one. If an unpatched vulnerability like BlueKeep leads to a security breach at your company, the downtime needed to fix the problem will be expensive on its own. The damage to your company’s reputation and the loss of trust from customers and business partners is an even bigger concern.

On top of that, security breaches can result in significant fines under the EU’s General Data Protection Regulation (GDPR) – especially if the EU determines that your company knew about a vulnerability, but chose not to patch it. The GDPR requires companies to not only find and patch any vulnerabilities, but to document the steps they took to protect against a data breach. F-Secure Radar generates the documentation you need to protect yourself from any possible fines by demonstrating that you had a vulnerability management system in place.

With threats like BlueKeep and WannaCry always present on the horizon, patch management is more than just a best practice. It’s risk management, reducing possible losses to your company while saving you time and money.

Request a free demo for our vulnerability management solution F-Secure Radar here:

Request a free trial for our endpoint security suite F-Secure Protection Service for Business here: