Why patch updates are more critical than ever
Since lockdown began, Canadian Society for Cyber Security reported several compromises of computer networks in Canada. These networks were particularly vulnerable due to poor security around remote access services and inadequately protected virtual networks.
Multiple malicious attacks were reported to the Cyber Center across the summer. The attackers gained access to improperly secured servers and network access devices and were able to install malware.
The Problem with Patch Management
With more employees than ever before working from home during 2020, cyber attackers have had a huge opportunity to gain access to critical data. Many rely on poor end user security practices but a huge number of vulnerabilities are exploited by out of date software.
Patching is one of the biggest security challenges for organizations. As we discuss throughout this post, unpatched vulnerabilities are one of the main reasons for why organizations are compromised, according to 60% of breach victims in 2019.
Although hackers can target Microsoft Applications or poorly patched SaaS programs, they are also taking advantage of lesser used programs such as NotePad. Why? This is because they know the program is low priority on an organization’s task list. This simple error could allow an attacker to take control of an entire system if the user has administrative rights.
So why is Patching such a huge task for security teams to tackle?
1. Backward compatibility
Backward compatibility is a massive issue where organizations have failed to run compatibility tests for existing infrastructure before installing a new application. This means that when the patch arrives, additional work or hardware needs to be invested in to allow that patch to run. The time and money involved with this means it tends to fall down the priority list. Relying on enterprise grade hardware appliances to protect the application from a network layer was usually the solution to this. However, now that people are working from home with basic standards of security hardware, this is getting increasingly dangerous to rely on. People are not only working on their work-issued machines but they are using a whole range of different devices/wireless routers. This presents a huge problem to any IT team.
2. A BIG task
Patching takes a lot of time and money. It’s repetitive, dare we say boring and unrewarding. Repetitive tasks performed by people are more likely to contain mistakes or be missed leaving you vulnerable for an attack. It’s also necessary to test patch updates before rolling them out but again, the time and money involved often means the task is left off the priority list.
3. Potential Downtime
Patching introduces risk to the organization in terms of downtime. Sometimes a patch update can break something vital which couldn’t be foreseen. A break results in downtime. Sometimes this presents a bit of a pain but it could also ironically cause as much impact as a large scale cyber attack. Critical systems can be down and may require a huge amount of resource to fix - not to mention all the money lost during that time.
4. Requires a clear view on the estate
You can only patch an application if you know it exists, and what state it's in now. And it's hard to maintain accurate, up-to-date asset inventories across larger IT estates. With the growing use of shadow IT across organizations and unprotected home based devices, this presents a problem.
Making a better patching plan
52% of organizations have a manual patching procedure instead of an automated one. There are plenty of tools to assist automating upgrades and vulnerability management.
Most organizations perform a vulnerability assessment of their entire estate on a monthly basis. New vulnerabilities are alerted on regularly and many software vendors will release updates on a monthly basis (such as Microsoft's monthly 'Patch Tuesday').
Automated vulnerability assessment systems
While patch statuses can be collected using software asset management suites, you should use an automated vulnerability assessment system (VAS) to identify weaknesses across your organization's IT estate.
VASs will perform actions against a target system and then analyze the returned data against signatures of known vulnerabilities. You should test systems both internally and externally to confirm maximum coverage.
Of course, all businesses are different and your organization will have its own personal threats. For starters, we have suggested some guidelines on what issues should be fixed first below.
Priority 1: Fix Internet services and off-the-shelf web applications that can be exploited automatically across the Internet with no user interaction.
Priority 2: Fix bespoke web applications that can be exploited across the Internet with no user interaction.
Priority 3: Fix applications that can be exploited across the Internet with minimal user interaction.
Don’t forget to protect data!
As you perform patch management, it is critical that you are backing up your data in case you experience an issue that could cause downtime. You can then roll back automatically to your last snapshot to ensure nothing gets lost. If your patch update does cause some breaks within your system, you can then review the cause/requirements with the vendor to find a safer way to implement the patch.
Likewise, having a clear business continuity plan to help employees continue to work during any downtime is vital. Although a Disaster Recovery plan doesn’t protect you against security breaches, it definitely allows for BAU whilst you have been compromised.
Your approach to patching will depend on what your organization does, how you approach security, and how much you have to spend.
Patch management is far easier said than done, and security teams may often be forced into prioritizing fixes for business-critical systems over lesser used applications. This gives attackers an easy back door into the estate. With the growing number of cyber attacks and more and more access points to keep on top of, it may be worthwhile enlisting the help of a Managed Security Services Provider (MSSP).
Not sure where to start? HostedBizz's security solutions are a cost-effective way to keep hackers at bay while ensuring your IT infrastructure is monitored 24/7 for potential threats.
Get in touch - we're here to help!