There are already quite a number of blog posts going into detail about KRACK, so I won't go into detail about the actual vulnerability here; feel free to look over the links provided below:
The question I want to raise is how, in future, we get client devices to apply the updates that fix vulnerabilities.
Over the past year we have seen quite a few client-side vulnerabilities, most of which would not have been an issue if the client device had been running up-to-date security patches; WannaCry and KRACK are just two recent examples that come to mind.
I run a large wireless network where most of the client devices are BYOD, and current policy is that I cannot install software onto client devices, which makes MDM hard to manage. Manually advising users (some with limited to no computer knowledge) is quite a headache, and previous vulnerabilities have shown that getting them to install patches is hard.
I would like to see the industry take another path and mandate the installation of security patches.
Android devices have been shown to be the worst when it comes to applying updates: quite often we need to wait for Google to fix Android, then for each manufacturer to apply their own patch/update, and then for carriers to deploy it OTA, meaning the time from a vulnerability being discovered to patches being sent out is often months. That is, of course, if the end user actually applies it.
What I would like to see is companies like Google, Apple and Microsoft take the lead and apply OS-level security patches without the end user (or potentially each manufacturer) being given a chance to say no, unless the device is managed via MDM or corporate systems, in which case the organisation would be given X number of weeks to apply the patch in line with its internal patching cycle, after which the device gets it anyway.
IoT is another area where automatic patching would be hugely beneficial, as a large number of these devices are targeted at end users with little to no understanding of computer security.
The biggest advantage of automatic patching (with no user interaction) would be the workload reduction for systems, network and security professionals: no longer having to issue multiple advisories, manually install patches on systems, or check and re-check to ensure that users have actually installed the patches.
These are just my two cents.