It is only recently that researchers have started digging into business applications such as Oracle EBS and PeopleSoft. These applications weren’t originally built with security in mind and are typically not covered under traditional IT and security defenses. Given how critical these applications are, securing them gets tougher when downtime isn’t an option.
Not patching, or delaying, isn’t an option
Attackers don’t bother with zero-day vulnerabilities when they can exploit flaws that have been disclosed publicly. Just because a patch is available doesn’t mean the software has been updated. Consider that the WannaCry ransomware worm easily spread globally because of the number of Windows systems that had not yet received the security update. Security teams are overburdened and under-resourced; they cannot apply physical patches fast enough to stay ahead of the attackers. But these applications need to be updated: they contain too many critical pieces of information to risk having them open to attack.