Incorporate patch management lifecycle into your security strategy

Today, I will be talking about the necessity of keeping software and network devices patched. Now, I’m sure some of you are familiar with the 2021 Log4J incident which involved the exploitation of an outdated patch. Or the WannaCry attack in 2017 which more than one in four companies are still vulnerable to? These are both examples of outdated software vulnerabilities that were exploited by cybercriminals. Not keeping your software and devices patched can result in a cyber attack on your organisation.

What is patching?

Put simply, patch management is the process of distributing and applying updates to software. These updates or fixes (often referred to as patches) are often necessary to correct errors (often referred to as ‘vulnerabilities’ or ‘bugs’) in software.

Any software is prone to technical vulnerabilities and they are actually quite common. This is why when a vulnerability is discovered after the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that digital assets within your environment are not susceptible to exploitation by cybercriminals.

 

Why is patching important? 

There are a huge number of known vulnerabilities, and these can be exploited unless dealt with effectively. The US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list, currently contains over 150,000 entries!

Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cybercriminals.  Hackers can take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated leading to sophisticated cyber attacks.  When a new patch is released, attackers will quickly identify the underlying vulnerability in the application and release malware to exploit it. Therefore, prompt patching is essential for effective cyber security.

A recent Ponemon Institute survey highlighted the scale of the problem, revealing that almost 60% of breaches suffered by organisations were due to unpatched vulnerabilities. Of these, 56% of companies could have avoided the cyber breach altogether if they had maintained updated patching.

 

How to patch your software and devices

Patch management requires a clear strategy and routine which should be built into your organisation’s overall security strategy to ensure a cost-effective and security-focused process is maintained. To identify vulnerabilities, organisations can make use of a Vulnerability Scanner (VS) such as the vulnerability scanner available on the ARX Platform. The scanner will identify any known vulnerabilities cross-referenced from the National Vulnerability Database. Once a vulnerability has been identified, a remediation solution should be put in place as soon as possible.

Good practice for patching vulnerable software is as follows:

1. Develop an up-to-date inventory of all your production systems: A great place to start here is in the ‘Asset Inventory’ within the ARX platform. Remember, you can’t protect what you don’t know you have. So, start by adding a list of digital assets to gain an informed view of operating systems, version types, domains and IP addresses that exist, along with their geographic locations and organisational “owners.” This is the only way to live monitor assets within your ecosystem. Try to build asset inventory maintenance into your cyber security program. Ensure that the inventory is updated on a monthly or quarterly basis.
2. Devise a plan for standardising systems to the same version type: Although this can take some time and effort, standardising your asset inventory makes patching faster and more efficient in the long run. You’ll want to standardise your assets down to a manageable number so that you can accelerate your remediation process as new patches are released. An example could be running all company devices on Mac OS Monterey V12.0.1.
3. Make a list of all security controls that are in place within your organisation. Keep detailed track of your antivirus, firewalls and vulnerability management tools. It is important to know where these are sitting, which assets are associated with them and what they’re protecting.
4. Classify the risk: In your Asset Inventory, label which assets you consider to be critical to your organisation and prioritise which assets need to be maintained on a more regular basis. (High-value items such as C-Suite devices should be regularly maintained!).
5. Apply the patches: Once you’ve prioritised what needs to be remediated first, start patching to reduce the risk in your environment. You can look into more advanced vulnerability management tools (such as vulnerability scanners) that can offer the ability to automate the time-consuming parts of the patching process.
6. Track your progress by reassessing your assets to ensure patching was successful. If you have access to a vulnerability scanner, always run another scan after patching. 

Patch management best practices

Some best practices to keep in mind when implementing patch management include: 

1. Set clear expectations and hold teams accountable: Leverage organisational agreements, such as service-level agreements. These can help keep teams in check, and ensure that the work of reducing risk is actually being done.
2. Bridge the gap between the IT department and the board room with a common language: Security teams often refer to software errors as a ‘risk,’ whereas IT/DevOps teams may use the term “patch.” Making sure that everyone is on the same page and recognises the importance of patching is key to a successful patch management process.
3. Establish a disaster recovery process: In case your patch management process does fail and causes issues, it’s always a good idea to have a backup plan.

Don’t leave your door wide open!

In summary, patch management is essential to every business in order to maintain a robust and watertight security program. It may seem daunting and complex at first but running with the theme that cyber security is a process, it just takes some planning and careful execution. Leaving systems unpatched is like leaving your front door wide open, you’re asking for trouble!