It was recently announced that OneStopParking.com suffered from a data breach exposing customer credit card data. According to the report, the breach occurred due to missing patches in the application’s Joomla install. Apparently the patches caused some problems with the application so they were pushed back. The patches in question were released in September of 2014.
- Implement a patch management program
- Use a web application firewall (WAF) for extended coverage
It is common to come across systems that are not fully patched. Of course there are a multitude of reasons for these scenarios. In this case, the patch caused a problem with the application which means that the developer has to fix their application before the patch can be applied, or not apply the patch at all. All too often the issue with missing patches is that the company just doesn’t have a good patch management process. This is very common when a system uses tools like Joomla or other 3rd party frameworks because they don’t even know updates are available. We are seeing these types of frameworks getting better at alerting the system administrator to the availability of the updates, which is a step forward.
In the case of OneStopParking.com it is nice to hear that they were aware of the patch. That is half of the battle. Unfortunately for them it apparently didn’t play nice with their application so they were not able to install it, ultimately leading to a breach. This example shows that there are risks to any 3rd party frameworks that you use and sometimes you may be at their mercy when it comes to the patches. It can be a difficult decision to determine if the application should continue running unpatched, or be taken offline until everything is working properly.
It is difficult for outsiders to try and determine the risk vs reward in a situation like this. It is a gamble and unfortunately, in this case, one that didn’t pay off. This is a good lesson in patching and 3rd party frameworks. If you are using these frameworks, make sure that you have a way to track what frameworks are in use and what security risks may arise at any given time. Create a plan to test the patches and apply them when appropriate.
If applying a security patch causes an issue, think about alternative methods for protecting that application until the patch can be applied. One option is to install a web application firewall (WAF) in front of the application that can be configured to protect the feature that has the security flaw. While this may not be a permanent solution, it is often recommended for this type of situation.