No Patch Management: United Nations Hack Due To Unpatched Sharepoint


The United Nations was hacked because of an unpatched installation. Get the story here, and then make sure Patch Management is part of your cyber security strategy.

Patching software is one of the least expensive yet most effective methods for preventing a cyber security breach or hack. It’s so important that cyber security insurance companies require that you have a regular patch management policy in order to qualify for their insurance. So it comes as a major surprise that the United Nations’ decision not to patch its own SharePoint services has led to a breach of several of its Vienna office and other resources. But what’s even more surprising is the fact that the UN did not notify anyone of the breach.

How the UN Was Hacked

Microsoft software is frequently patched not only to improve functionality, but also to close security holes that are discovered after the software is published and used in the field. According to HelpNetSecurity, Microsoft issued a patch for CVE-2019-0604 in February 2019, but the IT staff at the UN failed to install the patch on its servers. The hack began in July 2019.

This hack was widely known by this time and was frequently used to breach other corporate networks. The hack of the UN, which was initially reported by The New Humanitarian, resulted in the compromise of 33 servers in the UN offices in Geneva, three more servers at the UN’s Office of the High Commissioner for Human Rights (OHCHR), and four more servers in the UN office in Geneva. This server count shows how easily a hack can spread from one server within an organization to many others, and how broad the resulting damage can be.

According to TNH, a UN Spokesperson said that “The attack resulted in a compromise of core infrastructure components,” and included “systems for user and password management, system controls, and security firewalls.” The report further states that “What data was copied and downloaded elsewhere is unclear.”

And, because the UN is a diplomatic body, it has immunity from legal processes from any country.

How This Hack Could Have Been Prevented

Patching software is among the most basic ways of strengthening corporate (and diplomatic) IT security. But many organizations do not apply patches on a timely or consistent basis, for a variety of reasons.

Awareness: Some companies don’t have in-house IT staff or service agreements with outsourced IT staff. As a result, these organizations may not even know that a security patch was issued, or how to apply it.

Expense: Organizations in this situation may also view patching software as an expense rather than an investment, since they will need to hire someone to do the work for them.

Service Interruptions: Another reason many organizations might not apply patches is that patching typically takes the affected resources offline. When an organization depends on immediate access to software and resources, it’s difficult to find the time to apply the patches.

Number of Patches: Organizations of all sizes could be faced with numerous patches, depending on the number of software systems they use for their business. As a result, the number of patches can be daunting, overwhelming, and too big to tackle.

Compatibility: While some software charges ahead with security fixes, new features, and adoption of new standards, other software remains neglected by its developers, or deprecated entirely, such as Microsoft’s recent cessation of support for Windows 7. As a result, the compatibility of the newly patched software with the older legacy systems could be in jeopardy, causing companies to not apply patches out of fear.

How Patch Management Can Help

At Digital Uppercut, we provide patch management services to our clients. We monitor and automatically install security updates from Microsoft and 60 other third-party vendors. We apply patches within days of their release, often at night or on weekends, when resources are at their lowest utilization. This protects you from known threats and gives you access to new features quickly.

And, if your company is required to comply with HIPAA, FINRA, PCI or other security standards, you are required to have an active patch management solution. Similarly, most cyber security insurance policies also require that you have a patch management solution.

Be More Secure Than The United Nations

While the UN may not be required to report data breaches, your organization has no such luxury. That’s why a full suite of cyber security services, as well as the IT services that Digital Uppercut provides, can keep your organization’s network running smoothly. If you are not regularly patching and maintaining your organization’s IT infrastructure, call Digital Uppercut. We’ll help you avoid a disastrous situation like the one the UN is facing. Contact us online or call us today at 818-913-1335.