KRACK Vulnerability

There are already quite a number of blogs going into detail about KRACK, so I won't go into detail about the actual vulnerability; feel free to look over the links provided below:

https://www.krackattacks.com

Andrew von Nagy’s Revolution WiFI Blog

Twitter #KRACK

The question I want to raise is how, in future, we manage getting client devices to apply the updates that fix vulnerabilities.

Over the past year we have seen quite a few client-side vulnerabilities, most of which wouldn’t have been an issue if the client device had been running up-to-date security patches; WannaCry and KRACK are just two of the latest that come to mind.

I run a large wireless network where most of the client devices are BYOD, and current policy is that I cannot install software onto the client devices, which makes MDM hard to manage. Manually advising users (some with limited to no computer knowledge) is quite a headache, and previous vulnerabilities have shown that getting them to install patches is quite hard.


I would like to see the industry take another path and mandate the installation of security patches.

Android devices have been shown to be the worst when it comes to applying updates. Quite often we need to wait for Google to fix Android, then for each manufacturer to apply its own patch/update, followed by the carriers’ OTA deployments, meaning the time from a vulnerability being discovered to patches being sent out is quite often months. That is, of course, if the end user actually applies it.

What I would like to see is companies like Google, Apple and Microsoft take the lead and apply OS-level security patching without the end user (or potentially each manufacturer) being given a chance to say no. The exception would be devices managed via MDM or corporate systems; in that case the organisation gets X number of weeks to apply the patch in line with its internal patching cycle, otherwise the device gets it anyway.

IoT is another area where automatic patching would be hugely beneficial, as a large number of these devices are targeted at end users with little to no understanding of computer security.

The biggest advantage of automatic patching (with no user interaction) would be the workload reduction for systems, network and security professionals: no more issuing multiple advisories, manually installing patches on systems, or checking and re-checking to ensure that users have actually installed the patches.

These are just my two cents.


2 thoughts on “KRACK Vulnerability”

  1. James

    I agree with you only IF the manufacturer separates OS upgrades from security fixes. For example, Apple always bundles its security patches with OS upgrades. Users could suffer important data/document loss if a forced upgrade/reboot is performed without giving users a chance to back up first. Also, I would be very upset if my computer rebooted in the middle of stock trading.
