When we hear of a hack, often it is followed by the words, ‘a vulnerability was exploited’, writes Colin Tankard, pictured, Managing Director of the cyber firm Digital Pathways.
The story goes on to say, that a system had not been patched and that the attacker used this weakness to break in and wreak havoc. Currently, the Log4j is one such vulnerability that is ‘running wild’ and is allowing malicious attackers to execute code remotely on any targeted computer.
Vulnerabilities or improvements in technology are always being discovered and that is why vendors regularly issue updates to plug the gaps. Applying these updates is a process known as ‘patching’, a procedure that closes holes before attackers can use them.
So, patching matters, for more than just security reasons. It ensures you are getting the most from your IT and those systems are working smoothly with users and other organisations. For all these reasons, patching remains the single most important thing you can do to secure your technology and is why applying patches is often described as ‘the basics’.
Your patch management approach needs to include keeping on top of all available patches, knowing what patches are right for what systems, creating and documenting your patch schedule, and thoroughly testing systems after patching is complete.
The key reasons you should focus on patching are:
Security: Hackers are constantly exploring operating systems and services, looking for ways to manipulate and break in, monitor processes, install spyware or, steal data. A piece of software that seems to be secure today might become a security weakness when new information arises. These newly discovered loopholes are called ‘exploits’ and patches remove them.
System availability: By removing coding errors, patches can prevent the system from crashing or hanging. You may not have experienced the error that is being fixed, but it could still damage your system uptime.
Standards compliance: If you need to comply with an industry security standard, such as PCI DSS, Cyber Essentials or ISO2701, you must implement a patch management strategy because it is a basic requirement of most certification standards.
Warranty guarantees: Software providers will refuse to provide support or system guarantees if your company fails to keep up with the latest version of their software. Having out-of-date software can also be an excuse used by your cyber insurance provider not to pay out in the case of a data loss.
System enhancements: Some feature improvements are issued as a patch. These include user experience (UX) enhancements and improved system response or stability, all of which are advantages which would be missed, if the patch is ignored.
Clearly, it is not a good idea to ignore patches, whatever the size of your organisation.
Although patch installation is a relatively straightforward process, there are so many complications that can arise when looking after the infrastructure of an organisation, when each piece of software has its own patch update process. Therefore, it is better to use an automated patch management tool that checks all systems from one platform.
Automated patch management scans all networks, machines and devices, creating an automatic list of any gaps, missing patches, or updates. Unlike a manual process, you do not need to know what you are looking for, unknown risks can be brought to your attention for mitigation. As well as reducing the risk of malware, or hacking attempts, automated patch management also takes workload off IT staff, freeing them up to do more strategic work.
It is good practice to create patch management system policies by first designing a set of rules. These rules outline important operating parameters, such as when the system is available for a patching run.
Your patch management policies need to be coordinated with business practices and system priorities. They will be implemented in the patch management system as a series of profiles and the following six key points should be taken into consideration.
1. Create separate profiles per device type and operating system
The patches you receive will often not apply to all devices because software is closely tied to the operating system. Therefore, you don’t need to patch all systems simultaneously. Creating separate profiles gives you flexibility.
2. Separate out systems that are critical
Patches applied to these programs might require a system reboot which could have a business impact.
3. Create a system restoration policy
Set up a profile for creating a system restore point so that everything can be rolled back to its status before a patch should something go wrong during the patch application process.
4. Create a regular window for patches
Identify a day of the week, and an hour of the day, when there is minimal user activity.
5. Leave gaps in the rollout schedule
If you are likely to apply patches in several policy groups during the same time frame, leave a gap of an hour between the launch times of each. This gives time for each policy group to have completed its updates before the next begins.
6. Ensure that all devices are on the network
You can check in the patch management system what patches need to be applied in the run-up to your weekly patch rollout. Then, ensure all the devices that will be touched by that policy are switched on and connected to the network. This is especially critical for remote workers and their devices.
Patching is a basic technique and is often presented as one of the easiest security measures. But it does have its challenges which is the reason so many hackers look to exploit a poorly patched environment. Staying on top of the process, by using a patch management tool, takes away the basic task of housekeeping. Ultimately, patching is still so foundational to security that having an effective patch management program is worth the effort.
