The NSA's Shadow Brokers Quandary Prompts Top Solution Providers To Warn Customers About Mobile Device Patching

A series of disclosures involving stolen security tools and top-secret operational methods used by the National Security Agency has enterprise security firms on high alert.

A "zero day" attack against a major mobile device platform is likely imminent now that the Shadow Brokers organization – the mysterious group behind the NSA's security woes – has released information about the Windows and Linux operating systems, according to Andrew Howard of Kudelski Security. 

Howard has urged enterprises to develop an overall strategy around mobile device patching and testing, particularly for devices that aren't company-owned.

"The Shadow Brokers situation is a good reminder that networks and organizations aren't just attacked via phishing," said Howard, who is CTO at the Phoenix, Ariz. solution provider.


The New York Times reported Sunday that the Shadow Brokers disclosures, which began in August 2016, have called into question the NSA's ability to protect potent cyberweapons. Officials still do not know whether the NSA is the victim of a hack likely executed by the Russians, an insider’s leak, or both, according to The Times.

Organizations should never allow personally-owned devices to attach carte blanche to the company's secure wireless network, according to Michael Knight of Encore Technology Group.

The best thing end users can do to protect their information in a BYOD-centric environment is adopt web-based solutions so that there's never data residing on the devices themselves, said Knight, president and CTO of the Greenville, S.C.-based solution provider.

If the data needs to reside on the device, Knight said end users should pay close attention to how the apps are being deployed and use techniques such as geofencing to ensure the sanctity of their data. All told, Knight said the client's strategy should be centered around ensuring the sensitive data is not accessible once the user is no longer on the company-owned network.   

The vulnerability patching cycle is problematic for many organizations since it is disruptive to the IT department, according to Sam Curry, chief security officer at Boston-based Cybereason. Organizations typically find that more patching adds complexity and has a negative impact on their service levels, contracts and customer satisfaction measurements, Curry said.

"The voice of risk is not felt strongly enough in most corporations, which is coming from the security department," Curry said. "It is the guys who cry wolf."     

As the Shadow Brokers breach reveals more data, tools and methodologies used by the NSA, the likelihood of zero day threats increases, Howard said. Companies with slower patching cycles face more risk, but Howard added that patching with minimal or insufficient testing also puts business operations at high risk.

Howard said businesses need to find the right balance of patching as quickly as possible while still maintaining operational security. The responsiveness of end users to new patches varies widely, Howard said, with some businesses applying patches within 15 minutes of receiving them while others wait days, weeks or even months before applying patches.  

End users typically have patching methodologies but too often lack vulnerability assessment methodologies, Knight said. This is often because businesses do not even know what applications are being used in their environment, according to Knight.

"How do you know what to patch if you don't know what's vulnerable?" Knight asked.

To patch holistically, Knight said companies need a platform that's capable of measuring applications against known flaws and running a true penetration test against specific applications. Companies usually do an alright job of patching their operating systems and Microsoft-based components, Knight said, but typically fall short when it comes to patching all of their applications.

Given how easy it is to plug, play and deploy applications, Knight said businesses often come up short when it comes to awareness of and protection around the roughly ten sub-applications that make up a single customer-facing application.

"You need to be aware of what you're actually installing," Knight said.  
