When an organization gets breached by malicious actors, it often follows a familiar script. Often the intrusion is the result of someone running unpatched or out-of-date software. One the one hand, given the inertia of a lot of large organizations, it’s easy to see admins taking an “if it ain’t broke, don’t fit it” approach. But as quickly as that excuse comes to mind, the Cassandras can be heard wailing, “Patch all the things!”
For many reasons, organizations can take some time to roll out patches. Especially for mission-critical applications, adequate testing is often needed to ensure nothing breaks in production. So some window needs to be accounted for. If an exploit follows safe disclosure from security researchers, usually this isn’t much of an issue. A patch is released prior to the details of an exploit being published. So even though the severity of the exploit is newly discovered, organizations have had time to get patches out there.
That’s what made a recent patch from Saltstack so problematic. They released two critical patches to their Salt server management platform, but it appears it was already being actively exploited. Even as the patches were being released, attackers appeared to used automated scanning to find vulnerable systems and get entry. This was within 24 hours of the patch being published.
It’s easy to blame complacent IT practices for not patching “all the things.” But these kinds of exploits show that even a militant stance isn’t impervious to malicious actors. Patching software in a timely manner is an essential part of maintaining security. But this instance shows it’s only one part of your security posture.