In early 2019, Pulse Secure released a patch for a VPN server vulnerability.
The company contacted customers by phone, email, in-product alerts, and online notifications to remind them to install the patch, but this past January the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an alert that said it was seeing “wide exploitation” of the vulnerability.
CISA issued another alert in April about how far attackers were spreading through government and commercial networks after exploiting this vulnerability. Despite these efforts to inform organizations about the threat, some companies failed to patch. In fact, earlier this month a hacker leaked usernames and passwords for more than 900 Pulse Secure VPN servers.
What’s going on here? Why are companies having so much trouble with such a basic part of cybersecurity hygiene, patching?
