Cybersecurity breaches and the issue with patching; Proprietary or Open? Which is better?

Quite often, we hear that cyber breach incidents happened because of user carelessness, such as indiscriminate clicking of hyperlinks in emails.

Picture from Elite Infoworld

A commonly heard quandary among IT executives is whether to adopt automatic roll-out of ‘security patches’ to server software and applications, since a bad patch can have heavy consequences.

In a world of automation and efficient software deployment, this quandary seems hard to believe.

Isn't it a no-brainer to automate the patching of security flaws in computer systems? Many naturally think so.

One major cybersecurity faux pas can be pointed to Equifax, whose web server was hacked in 2017 due to an ‘unintentional lapse’ in IT operations. In industry lingo, this area of IT operations is known as ‘patch management’.

For those who are not familiar with Equifax, it is a US-based listed company and credit bureau which provides individual credit reports and business credit ratings. Equifax holds records on around 800 million consumers and close to 90 million businesses.

A quick rundown of the Equifax cybersecurity incident: Equifax’s web portal was hosted on an open-source web application (app) known as Apache. It was attacked via a loophole in the web server, and hackers made away with databases containing customers’ personal details and classified information.

Equifax’s IT team was aware of the vulnerability in their web server and had, in fact, downloaded the security patch months before the attack occurred.

But they didn’t install it!

Many then asked why Equifax didn’t proceed to roll out the patch, which became the crux of the issue.

Fingers pointed to Equifax’s lackadaisical attitude towards security hygiene.

Some industry watchers I spoke with commented that this was akin to buying a padlock for the front gate of a house, but leaving the padlock in the car for months before the house was burglarized.

But before you readily heap blame on Equifax’s IT staff, let’s pause for a moment and ask: are security fixes simple, easy and straightforward to patch? This question might not be straightforward for laymen to answer.

In the open-source world of web server software, step-by-step instructions are provided for webmasters and IT administrators to patch security ‘holes’.

Reporters from USA Today interviewed industry experts, and some opined that rolling out patches is not as linear as many might think.

‘The process of patching the flaw isn’t as simple as just downloading a new version of Java. It requires searching the company’s entire portfolio of applications to look for known and newly reported vulnerabilities, then updating to the latest version of those applications. It is then often necessary to rewrite the applications so they match the other software the company is using. Then everything must be retested and redeployed.’
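As an added illustration of the first step in that quoted process (example code, not from the original post and not Equifax’s tooling): given a constructed application inventory and a list of advisories with their fixed versions, flag every deployment still below the fix and report how long it has been exposed. Component names, versions and dates are placeholders.

```python
# Added example: a minimal patch-gap check over a constructed inventory.
# It searches the portfolio for components still below an advisory's fixed
# version, which is the "search the entire portfolio" step quoted above.
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str   # library or server the advisory applies to
    fixed_in: str    # first version that contains the fix
    published: date  # day the fix became available


@dataclass(frozen=True)
class App:
    name: str
    component: str
    version: str     # version actually deployed


def exposed_apps(apps, advisories, today):
    """Return (app, component, days_exposed) for every app below a fix,
    longest exposure first."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for app in apps:
            if app.component != adv.component:
                continue
            if parse_version(app.version) < fixed:
                days = (today - adv.published).days
                findings.append((app.name, adv.component, days))
    return sorted(findings, key=lambda f: -f[2])


# Constructed sample data: placeholder names, versions and dates, not real assets.
ADVISORIES = [
    Advisory("example-web-framework", "2.3.32", date(2017, 1, 10)),
    Advisory("example-tls-lib", "1.0.2", date(2017, 4, 3)),
]
INVENTORY = [
    App("customer-portal", "example-web-framework", "2.3.31"),
    App("partner-api", "example-web-framework", "2.5.10"),
    App("billing-gateway", "example-tls-lib", "1.0.1"),
]
AS_OF = date(2017, 7, 1)  # constructed "today" for the report

if __name__ == "__main__":
    for name, comp, days in exposed_apps(INVENTORY, ADVISORIES, AS_OF):
        print(f"{name}: {comp} unpatched for {days} days")
```

The same report run daily turns the ‘padlock left in the car’ situation into a measurable number per asset, which is what a patch-management process needs to track.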

Open-source web server apps such as Apache are free and, quite naturally, capture a large percentage of the global market share. But could such freely distributed apps be precisely the reason why upgrades can be tedious to work on?

This brings me to wonder: for as long as I can remember, many IT professionals have argued the merits of open-source against proprietary systems, largely from the perspective that the upfront financial cost of the latter can be prohibitive.

In the context of web server software, Linux-based servers and Microsoft’s Internet Information Services (IIS) have battled for web hosting supremacy over the past two decades.

If the remarks made by an anonymous IT professional to USA Today hold true, would there be a difference, then, in that a proprietary web server app has the advantage when it comes to security fixes?

Some IT professionals I spoke with shared that though Linux-based software is free from a licensing perspective, it is not exactly free, as support cost is levied as an option.

And in this case, wouldn’t the business and operating model be the key difference between open-source and proprietary apps?

  • Proprietary software levies a license fee for usage and thus comes with support, which might provide more comprehensive coverage of software vulnerabilities. It might also be less tedious when patches need to be rolled out.

  • License-free software might be less comprehensive when it comes to hotfixes, and free software might add to the ‘tediousness’ for IT administrators to manage and maintain. Even when support cost applies, integrating other applications with the base software requires more work.

And as cyber threats become more pervasive, the choice between proprietary and open-source might become more obvious.

What do you think?

Gary Tan