On Monday morning, the NCSC woke up to something of a frenzy about the impending publication of research that had found weaknesses in the Wi-Fi networks that we previously thought to be secure. It quickly became clear that KRACK (key reinstallation attacks) could affect pretty much all the Wi-Fi devices in homes and offices throughout the world.
As you'd imagine, our technical research teams immediately got to work, trying to understand the potential attacks and the associated impact. We followed up our initial press statement with some guidance for enterprise, small business and home users, suggesting some immediate steps to protect yourself and your organisation.
One thing that quickly became clear (thanks in part to the detailed research paper and FAQs published by Vanhoef and Piessens) was that once again the answer is to apply security patches, in this case to all wireless devices. It took me back to the earlier WannaCry ransomware attacks that spread like wildfire across the Internet and around enterprise networks. WannaCry didn't infect systems that had already been patched that month, and patching was the most effective mitigation against that ransomware.
Patching is a fact of life in the digital age
Anyone that's ever worked with us at the NCSC will know that we constantly stress the importance of patching. We use the phrases 'aggressive' and 'automatic' patching so often that we sound like a stuck record. However, there are many legitimate reasons why security patches don't get applied. Dr Kami Vaniea from the University of Edinburgh's School of Informatics discussed some of these at CyberUK 2016 (you can read the full paper here), and my colleagues refer to a list of reasons for not patching started by Wendy Nather. The perception that patching is difficult and risky can result in patching being delayed or (in some cases) not done at all.
There are always going to be security vulnerabilities in complex technologies and devices. You may be familiar with the concept of a 'Friday afternoon car', which is a car built in a bit of a rush just before the weekend. So it probably hasn't been made with the same attention to detail as those built earlier in the week. Computers - like cars - are designed and built by humans, so there's a similar concept of 'Friday afternoon code'. As humans, programmers and designers will occasionally make mistakes, and even more occasionally, one of these mistakes will allow an attacker to misuse the technology. This leaves us with having to deal with the likes of KRACK and WannaCry.
There are tools and techniques the security industry has created to help developers write better code, and automatically detect and fix common mistakes. However, developers - being human - will accidentally write vulnerable code, allowing attackers a way in. For the time being, we'll need to use security patches to apply fixes to a lot of the technology in our lives.
Patching needs to be 'business as usual'
Each time one of these 'superstar' bugs hits the headlines, IT departments end up rushing around desperately fixing any systems that have been attacked, and patching everything else. Yes, patching can be difficult, and it's annoying for the people trying to get on with their Internet-connected lives when devices and services need to be restarted to fix them. Wouldn't it be great if everything quietly updated itself - automatically and reliably - at a convenient time?
Some technology already does this. My home laptop and smartphone are automatically updated each month. As far as I can tell, my Wi-Fi router, IoT thermostat and games console all do the same. When KRACK came along, it turned out that my laptop and home router had already patched themselves a few days before. And I knew my smartphone would be patched as part of the next scheduled monthly update. That's not all the technology in my life, but it's a good start.
Things get a bit more complicated at work. Suddenly there's a lot more equipment that needs patching, and much of it has to be done manually, which makes it more difficult. Mike H has blogged about the need to update laptop firmware to keep it secure and the challenges and practicalities of actually doing so, and that's just one of the many types of technology that an enterprise has to look after. Instead of having to patch manually, we need to be at a point where devices 'patch themselves' in a way that is both secure and reliable enough for us not to have to worry about it.
So what do I do until then?
There are a few things that you can do now to make your connected life easier:
- Choose devices and software that support easy or automatic security updates.
- Check that a vendor actually releases regular security patches and will commit to doing so for the amount of time you expect to keep the device.
- Configure your devices to apply all security updates automatically, rather than leaving a human in the loop who may forget to deploy an important patch. Audit and monitoring tools can give you confidence that patches are being reliably applied.
- If you use a contracted service provider to manage your IT, make sure the contract includes a shared risk statement so that they are willing to install all security patches when they become available. In doing this you will be accepting the small chance of a patch going wrong.
- If you use public cloud services, confirm that the cloud provider makes a clear commitment to patching their services promptly.
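The vendor-support and audit points in the list above are easiest to act on when they are checked mechanically against an inventory. The following is an added example, not code from the NCSC post: a small patch-compliance audit in Python over a constructed device inventory. The record fields, the 14-day patching window and the device names are all assumptions made for this example rather than any real tool's schema or policy.

```python
"""Patch-compliance audit over a constructed device inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumed policy: a published security patch must be installed within this window.
MAX_PATCH_AGE = timedelta(days=14)


@dataclass
class Device:
    """One inventory record. Field names are assumptions for this example."""
    name: str
    auto_update: bool           # are automatic security updates switched on?
    installed_patch: date       # date of the security patch level currently installed
    latest_patch: date          # date of the newest security patch the vendor has published
    vendor_support_until: date  # vendor's committed end of security updates
    planned_retirement: date    # when the organisation expects to stop using the device


def check_device(d: Device, today: date) -> List[str]:
    """Return the compliance issues for one device (empty list means compliant)."""
    issues: List[str] = []
    if not d.auto_update:
        issues.append("automatic security updates are disabled")
    # A newer patch exists and the policy window since its release has already passed.
    if d.installed_patch < d.latest_patch and today - d.latest_patch > MAX_PATCH_AGE:
        days_overdue = (today - d.latest_patch - MAX_PATCH_AGE).days
        issues.append(f"security patch overdue by {days_overdue} days")
    # The vendor stops shipping fixes before you plan to stop relying on the device.
    if d.vendor_support_until < d.planned_retirement:
        issues.append("vendor security support ends before planned retirement")
    return issues


def audit(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its issues; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for d in devices:
        issues = check_device(d, today)
        if issues:
            report[d.name] = issues
    return report


def compliance_rate(devices: List[Device], today: date) -> float:
    """Fraction of devices with no findings (1.0 for an empty inventory)."""
    if not devices:
        return 1.0
    return 1 - len(audit(devices, today)) / len(devices)


# Constructed sample inventory; dates and names are made up for this example.
TODAY = date(2017, 10, 20)
INVENTORY = [
    Device("laptop-01", True, date(2017, 10, 13), date(2017, 10, 13), date(2020, 12, 31), date(2019, 12, 31)),
    Device("router-home", True, date(2017, 10, 13), date(2017, 10, 13), date(2021, 6, 30), date(2020, 6, 30)),
    # Patch published two days ago: still inside the window, so not yet a finding.
    Device("thermostat", True, date(2017, 10, 1), date(2017, 10, 18), date(2021, 1, 1), date(2020, 1, 1)),
    # Manually patched, months behind, and support ends before planned retirement.
    Device("printer-lobby", False, date(2017, 3, 1), date(2017, 9, 15), date(2018, 6, 30), date(2020, 1, 1)),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, TODAY).items():
        for issue in issues:
            print(f"{name}: {issue}")
    print(f"compliance rate: {compliance_rate(INVENTORY, TODAY):.0%}")
```

Run stand-alone it reports only the printer, with three findings, and a 75% compliance rate. The point of separating `check_device` from `audit` is that the same checks can be fed from whatever source actually holds your inventory (an MDM export, a vulnerability scanner, a spreadsheet) and scheduled to run after each patch cycle, so that "patches are being reliably applied" is something you measure rather than assume.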
Ensuring that patching becomes business as usual is a big ask, but it's something that we all need to start now if we haven't already. I look forward to the day when users and enterprise administrators don't need to retrospectively react to a new vulnerability like we've seen this week, and instead have confidence that things will just get on and fix themselves.
Cloud Security Research Lead - NCSC