Overcoming Misreporting Tools: A Case Study on Patch Management in a Teaching Hospital
A teaching hospital with a diligent IT team, one that tracked security updates and promptly patched critical issues using industry-leading tools, found itself in a precarious situation. The team was confident it had patched ZeroLogon (CVE-2020-1472), a critical Netlogon privilege-escalation vulnerability, months earlier, and it had reports from both Qualys and Microsoft DISM showing the patch as installed. When NodeZero exploited the supposedly patched vulnerability on several Active Directory domain controllers in under a day, the IT team's first reaction was that the finding was a false positive. NodeZero, however, had recorded the full attack chain: each step taken to obtain credentials, escalate privileges, and gain administrative rights to Active Directory. Faced with that evidence, the hospital reapplied the patch and repeated the NodeZero autonomous pen test.
The customer is a teaching hospital whose IT team tracks security updates and promptly patches critical issues. The team relied on Qualys for vulnerability management and monitoring and on Microsoft DISM to verify that update packages had been installed. Its infrastructure included Active Directory domain controllers, which is where the exploit landed, and despite the team's diligence those controllers were still exposed to a vulnerability that had supposedly been patched months earlier.
After reapplying the patch and rerunning the NodeZero autonomous pen test, the hospital found that four servers remained vulnerable. The root cause was a misconfiguration in the endpoint security solution, which had been blocking patch installation on the domain controllers for the previous 18 months. Because that failure was never reported back to the patch management system, the vulnerability management and monitoring tools kept reporting a successful install. The fix had two parts: correcting the endpoint security configuration so the patches could actually be applied, which finally closed the vulnerability, and changing the patch management system so that failed installs are reported back instead of being recorded as successes. The broader lesson is that a tool's "patched" status is a record of what was scheduled, not proof of what is on the host; only checking the system itself, whether the binaries on disk or an exploit attempt against the service, confirms that the fix landed.
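The independent check the case study argues for, written here as an added example rather than anything the hospital or Horizon3.ai used: instead of trusting one console's "installed" status, ask every domain controller three separate questions (update history, the DISM component store, and the version of netlogon.dll actually on disk) and flag any DC where the answers disagree or where the binary lags its peers. The KB number is a placeholder to be replaced with the update for your DCs' OS build; the script assumes it runs as a domain admin with PowerShell remoting enabled to the DCs and the ActiveDirectory module available locally.

```powershell
# Added example, not from the case study: cross-check a patch on every domain controller
# against what is actually on disk, instead of trusting a single tool's "installed" report.
# Assumptions: $KB is a placeholder (use the KB for your DCs' OS build); runs as a domain admin
# with PowerShell remoting enabled to the DCs and the ActiveDirectory module installed locally.
param(
    [Parameter(Mandatory)] [string]$KB,
    [string[]]$Computers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
)

$results = Invoke-Command -ComputerName $Computers -ArgumentList $KB -ScriptBlock {
    param($KB)

    # Source 1: update history (the view most patch-management consoles show).
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # Source 2: the component store as DISM sees it. A package can sit at 'InstallPending'
    # or 'Staged' indefinitely if something on the host prevents the servicing operation.
    $pkg = Get-WindowsPackage -Online -ErrorAction SilentlyContinue |
           Where-Object PackageName -like "*$KB*" |
           Select-Object -First 1

    # Source 3: the binary the patch is supposed to change. The Netlogon fix ships in
    # netlogon.dll; a DC whose file build lags its peers did not receive the update,
    # whatever the consoles say.
    $fi = (Get-Item "$env:SystemRoot\System32\netlogon.dll").VersionInfo
    $build = [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HotFixInstalled = [bool]$hotfix
        HotFixDate      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        PackageState    = if ($pkg) { [string]$pkg.PackageState } else { 'NotFound' }
        NetlogonBuild   = $build.ToString()   # string so it survives remoting deserialization
    }
}

# Baseline = newest netlogon.dll build seen across the DCs. Any DC below it, or any DC whose
# update history and component store disagree, needs the patch reapplied and its endpoint
# agent policy reviewed before a pen-test finding is dismissed as a false positive.
$baseline = $results | ForEach-Object { [version]$_.NetlogonBuild } | Sort-Object -Descending | Select-Object -First 1

$results |
    Select-Object Computer, HotFixInstalled, HotFixDate, PackageState, NetlogonBuild,
        @{ n = 'Suspect'; e = {
            ([version]$_.NetlogonBuild -lt $baseline) -or
            ($_.HotFixInstalled -and $_.PackageState -in 'InstallPending', 'Staged', 'NotFound')
        } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

The baseline is deliberately taken from the fleet itself rather than from a hardcoded version string, so the script stays valid across cumulative updates: what matters is that every DC agrees, and a DC that reports "installed" while carrying an older netlogon.dll than its peers is exactly the misreporting this case study describes.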