Overcoming Misreporting Tools: A Case Study on Patch Management in a Teaching Hospital

The customer in this case study is a teaching hospital with a diligent IT team. The team was responsible for tracking security updates to their systems and promptly patching for critical issues using industry-leading tools. They also verified the patches using Microsoft DISM. Despite their diligence, they found themselves facing a critical vulnerability that had supposedly been patched months earlier. The hospital's IT infrastructure included Active Directory domain controllers, which were targeted in the exploit. The hospital also used Qualys and Microsoft DISM for vulnerability management and monitoring.

A teaching hospital, despite having a diligent IT team that tracked security updates and promptly patched critical issues using industry-leading tools, found itself in a precarious situation. The team was confident that they had patched a critical vulnerability, known as ZeroLogon, months earlier. They even had reports from Qualys and Microsoft DISM, both industry-leading tools, to back up their claim. However, when NodeZero exploited this supposedly patched vulnerability in under a day on several of their Active Directory domain controllers, the IT team insisted it was a false positive. NodeZero, on the other hand, had evidence of a detailed attack chain showing each step taken to get credentials, escalate privileges, and gain administrative rights to Active Directory. This discrepancy led to the hospital reapplying the patch and repeating the NodeZero autonomous pen test.

Upon reapplying the patch and repeating the NodeZero autonomous pen test, the hospital discovered that four servers remained vulnerable. The root cause was identified as a misconfiguration in their endpoint security solution, which had been blocking patches on the domain controllers for the past 18 months. This misconfiguration had not been propagated back to the patch management system, leading their vulnerability management and monitoring tools to incorrectly report a successful patch install. To rectify this, the hospital had to correct the misconfiguration in their endpoint security solution. This allowed the patches to be applied correctly, and the vulnerability was finally addressed. The hospital also had to update their patch management system to ensure that any failures in patch application would be correctly reported back, preventing any future misreporting.

• The operational results of this case study highlight the importance of accurate reporting in patch management systems. The hospital's IT team was diligent in tracking and applying security updates, but a misconfiguration in their endpoint security solution led to patches being blocked and not reported back to the patch management system. This resulted in a critical vulnerability being left unpatched and subsequently exploited. By identifying and rectifying this issue, the hospital not only addressed the immediate vulnerability but also improved their patch management system to prevent similar issues in the future. This case study underscores the need for accurate and reliable reporting in patch management to ensure the security of IT systems.

• Identified and rectified a misconfiguration that had been blocking patches for 18 months.

• Corrected the patch management system to accurately report patch application failures.

• Successfully patched a critical vulnerability, ZeroLogon, that had been exploited.