KACE On the Go: The Impact of Unpatched and Out of Date Software

Welcome. This is KACE on the Go, a vlog series on trending topics and KACE solutions. Are you struggling to keep track of your IT assets and make sure they're updated and secure, even when they're remote? Are you ready for the next cybersecurity attack? Are you leaving your data center behind and moving to the cloud? You're not alone. Welcome to the KACE on the Go vlog. All right. So hey, welcome back to another edition of KACE on the Go. Today, we're going to be talking about the impact of unpatched applications in end-of-life software. And obviously everybody knows that that's a problem, but what we want to explore is maybe some of the things people might not think about as relates to that. So my name is James Rico. I also have Jillian Salamon and Dave Hunter with us. We're all KACE sales engineers. So with that, I'll pitch it over to Jillian. And Jillian, what do you have to say about that? Yeah, so one of the things I love most about my job is the conversations I get to have with such a wide variety of IT departments. The other day, I was speaking with a gentleman, and he is in the higher ed space. And the hospital that is affiliated with the school was actually hit with ransomware. And, unfortunately, this wasn't the first time. So he had mentioned to me that he was out riding his bike, and I think it was, like, extreme bike riding-- ends up in a very bad accident. And just so happens he goes to the ER of the hospital that, at the same time, is having the breach, which I thought was kind of interesting. So he was explaining how all elective surgeries had to be canceled for the day. Any emergency surgeries were actually-- they were shipping those patients out to different hospitals in the area. And yeah, so he did make me laugh. He said that there were nurses that were making rounds to take vitals of the patients, and it was complete mayhem. They didn't know what they were doing because they didn't know how to manually take those vitals. So I think we become so dependent on technology that, when it's not available, our brain doesn't know how to react. But yeah, all of this could have been avoided if he actually just upgraded his virtual environment. Wow. So do you know what the particular breach was that affected them? Yeah I believe it was called ESXiArgs, if I'm pronouncing it correctly. But when I look at the CVE, it's really just-- any customers who were running version 6.7 were vulnerable. And they just needed to upgrade to version 7, and that removed that vulnerability. Wow. Yeah, I think, a lot of times, just patching things is really a good first step into keeping things up to date, obviously. So that's good one. Dave, what about you? What experiences have you had? Yeah, obviously, like Jillian, we talk to different IT groups and people all the time-- different internal skill sets or budgets, and everyone's got some restraints. The one that comes to mind isn't really about patching per se, but it's around just best practices around security and mobility products. So I had something pretty close to home that, when COVID kicked off-- everyone's reactive. I don't think there was any bad actors. Everyone was just trying really hard to keep businesses afloat. So an individual did a bunch of payroll from their mobility device, and this corporation didn't have a mobility tool in place. So whether it was jailbroken or whatever it may have been, and then-- so long story short, there was some malware on a device. And in turn, a large portion of customer, employee data was compromised. So once again, it's something that is avoidable. Company then has to pay for X amount of years of credit or protection and things like that to their employees. Which even still isn't great because that employee could be threatened years away from now, right? But once again, people are trying to just do the right thing, keep the business afloat. So we see that quite a lot, I think, now that companies are trying to loop back around and catch up to what they had to do a couple of years ago. Some of them are paying the price. Yeah. I don't know about you, but when I talk to people, like, if we're talking about patching or whatever, a lot of times, I'll ask them, it's like, hey, do you guys have-- do your employees have mobile devices they access company data with? And almost everybody-- like, I haven't had anybody say no. Like, the second question is, what do you guys-- do you have any controls around it? Do you manage that? And the percentage of people that do is very small. Has that been your experience, also? Yeah. I mean I used to manage production environments before and it's shocking to me that they don't even have basics, like passcode security, on a device that has access to corporate data, at a minimum. So we see that all the time. It's actually very surprising. I'm actually shocked half the time that people in IT keep their jobs half the time when you have a look at their environments and how insecure or out-of-date products are. Yeah. Just thinking, when I'm looking at the issue, I think one of the biggest things I think about is those companies that have a handle on the easy things, like their servers and their Windows desktops. Or maybe, let's say they even do have a mobile device thing. Like, how many of those shops have some kiosk or signage embedded PC hooked to something that is just running all the time and nobody messes with? Or some kind of kiosk device-- one is, with the-- people change jobs so frequently now.