6 Software Patch Management Mistakes
Hackers spent 2021 wreaking havoc by exploiting software vulnerabilities. From the recent Log4Shell exploit (CVE-2021-44228 in Apache Log4j), which attackers have used to deploy ransomware, steal email and more, to the Kaseya ransomware attack that spread across the globe, the damage caused by software exploits has been immense. (Summaries and next-step checklists for the Log4Shell and Microsoft Exchange vulnerabilities are available separately.)
Even the Equifax breach, one of the largest in US history, which exposed personal data for 143 million people, resulted from an unpatched vulnerability. According to Equifax, criminals exploited a known vulnerability in the Apache Struts web application framework for which a patch had been released two months before the attack. The breach could have been avoided if Equifax had patched promptly.
How Safe is Your Organization?
All too often, patches are available but not deployed because of time, budget, personnel or technical constraints. In a survey by the Ponemon Institute, 42% of respondents whose organizations had been breached said the cause was a known vulnerability for which a patch was available but had not been applied.
To compound the problem, patch management risk is not limited to YOUR environment. Criminals can just as easily exploit unpatched vulnerabilities in your vendors' environments, and your data is at risk there too. For example, in December 2020, Florida Healthy Kids Corporation learned that an unpatched vulnerability in its web hosting provider's environment had given criminals access to protected health information for 3.5 million applicants. Patch management is clearly crucial to your business, and your leadership team should make sure a well-thought-out plan is in place to minimize the risk.
Technium's philosophy is that tools and systems should drive vulnerability and patch management. Our tool, SAARC, uses the Nessus vulnerability scanner, instrumented to feed its findings to our 24x7 Operations and Security team, who drive the updates through to systems. If you worked with Technium, your network would already be patched.
Avoiding 6 Common Software Patch Management Mistakes
The good (and bad) news is that many software-related hacks could easily have been prevented with proper patch management. Read on for six common software patch management mistakes and how to address them to protect your organization.
Mistake #1: Not Knowing What to Patch
Everybody knows to patch the operating system, but what about those pesky third-party applications, or software deployed by your vendors? As the example above shows, one unpatched vulnerability in a vendor's system can lead to a major breach. The 2020 Ponemon Institute survey also found that over a six-month period the average organization had a backlog of 57,555 identified but unpatched vulnerabilities. Multiply that backlog by the number of vendors with access to your environment and the numbers get scary. How can you reduce these risks?
- Start by maintaining an inventory of your software, including versions and who is responsible for patching each item. This defines the scope of work and the resources you will need.
- Prioritize patching by the software's level of access to sensitive data, the criticality of the vulnerability, whether it is being actively exploited, and the overall risk it represents.
- Understand and minimize the risk from your suppliers. Read the Supply Chain Security Checklist for tips on how to vet your vendors and reduce this risk.
With Technium's proprietary tool, SAARC, the rules can be customized to meet your compliance requirements, but our standard approach is to update software immediately, or during the next maintenance window, for all critical and high vulnerabilities.
Mistake #2: Patching Too Slowly
Many organizations patch on a monthly or bimonthly cycle. The problem is that when a critical vulnerability is announced, attackers may be scanning for and exploiting it within hours or days, not weeks. Other organizations struggle with resource constraints that push the patching backlog out even further. The longer the gap, the greater the chance you have already been compromised by the time you patch.
- Agree ahead of time how critical patches will be handled for each type of software. Weigh the risk of waiting against the time needed to test and deploy the patch fully.
- Document your standard patch time frames and audit routinely to confirm you are meeting them.
- Set up automated patch management so that your many applications are patched consistently and quickly. This saves time and money and reduces your exposure to exploitation.
Mistake #3: Ignoring Outdated Software
You may have software on your network that is so outdated the vendor no longer releases patches, meaning these systems stay exposed to any vulnerability found in them. Many organizations throw up their hands and decide there is nothing to be done. The situation is all too common, particularly where you rely on specialized vendor software. Here are some strategies that can help:
- Track your outdated, end-of-life software in a central asset management database so it is not forgotten.
- Regularly review how these systems are used and whether you can decommission them or replace them with supported software.
- Place outdated operating systems on their own isolated network segment, allow only the traffic they strictly need, and monitor that segment closely. This reduces both the chance of compromise and the damage if one occurs.
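Putting Mistakes #1 through #3 together in working code, as an added example that is not from the original post or from Technium or LMG Security: a small Python model that holds an inventory (with an owner and an end-of-life flag per asset), scores each scanner finding by data access, criticality and active exploitation, computes a deadline from documented per-severity time frames, and reports what is overdue. The assets, owners, dates, the EXAMPLE-* identifiers and the SLA_DAYS policy are all constructed for illustration; only CVE-2021-44228 (Log4Shell) is a real identifier.

```python
"""Prioritise a patch backlog and check it against documented time frames.

Added example, not code from the original post or from Technium/LMG.
Every asset, finding, identifier (other than CVE-2021-44228, Log4Shell)
and date below is constructed; SLA_DAYS is an assumed policy, not a standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed documented patch time frames, in days from first detection.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # team or vendor responsible for patching it
    internet_facing: bool
    sensitive_data: bool       # handles PHI/PII/financial data
    vendor_supported: bool     # False = end of life, no patches coming


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: str              # scanner severity: critical/high/medium/low
    cvss: float
    first_seen: date
    exploited_in_wild: bool    # e.g. listed in CISA's KEV catalogue


def risk_score(finding, asset):
    """Weight the scanner's CVSS by exposure, data sensitivity and
    real-world exploitation, the factors the post says to prioritise on."""
    score = finding.cvss
    if asset.internet_facing:
        score *= 1.5
    if asset.sensitive_data:
        score *= 1.5
    if finding.exploited_in_wild:
        score *= 2.0
    return round(score, 2)


def sla_deadline(finding):
    return finding.first_seen + timedelta(days=SLA_DAYS[finding.severity])


def build_worklist(findings, assets, today):
    """Backlog ordered by risk, with the documented deadline, days overdue
    and the required action.  Unsupported software cannot be patched, so it
    is flagged for isolation or replacement instead, and still counts as open."""
    rows = []
    for f in findings:
        a = assets[f.asset]
        deadline = sla_deadline(f)
        rows.append({
            "asset": a.name,
            "owner": a.owner,
            "vuln_id": f.vuln_id,
            "score": risk_score(f, a),
            "deadline": deadline,
            "days_overdue": max(0, (today - deadline).days),
            "action": "patch" if a.vendor_supported else "isolate or replace (no vendor patch)",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def sla_compliance(worklist):
    """Fraction of open findings still inside their documented time frame."""
    if not worklist:
        return 1.0
    on_time = sum(1 for r in worklist if r["days_overdue"] == 0)
    return on_time / len(worklist)


# Constructed inventory and scan results.
ASSETS = {
    "web-portal-01": Asset("web-portal-01", "web-team", True, True, True),
    "hr-db-02": Asset("hr-db-02", "dba-team", False, True, True),
    "lab-ctrl-07": Asset("lab-ctrl-07", "vendor-acme", False, False, False),
    "intranet-wiki": Asset("intranet-wiki", "it-ops", False, False, True),
}
FINDINGS = [
    Finding("web-portal-01", "CVE-2021-44228", "critical", 10.0, date(2021, 12, 11), True),
    Finding("hr-db-02", "EXAMPLE-0002", "high", 8.1, date(2022, 1, 3), False),
    Finding("lab-ctrl-07", "EXAMPLE-0003", "high", 7.5, date(2021, 10, 1), False),
    Finding("intranet-wiki", "EXAMPLE-0004", "medium", 5.3, date(2022, 1, 5), False),
]
TODAY = date(2022, 1, 10)

if __name__ == "__main__":
    worklist = build_worklist(FINDINGS, ASSETS, TODAY)
    for row in worklist:
        print(row)
    print("SLA compliance:", sla_compliance(worklist))
```

Run it as a script to print the ordered work list; in practice the findings would come from your scanner export and the inventory from your asset database. The internet-facing, data-handling host with the actively exploited bug goes to the top and is already 28 days past its two-day window, while the end-of-life controller gets "isolate or replace" instead of "patch" and keeps accumulating overdue days: an unpatchable system remains an open item until it is segmented or retired.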
Mistake #4: It’s Never a Good Time
Many organizations do not apply patches regularly because it is difficult (or even impossible) to find a good time to apply patches and restart critical systems. Try these tips:
- Architect your infrastructure for redundancy. Ideally you should be able to reboot a critical system to install a patch without affecting the business.
- Prioritize regular patch deployment. If downtime is required, it is far better planned than forced on you by a cybersecurity incident.
Technium strongly recommends pre-established weekly maintenance windows. Urgent changes are inevitable, but a regular, business-approved window keeps the process healthy and predictable.
Mistake #5: Fear of “Breaking Something”
Even well-tested patch deployments can cause problems, particularly in complex environments, and fear of "breaking something" leads system administrators to delay patching. You can reduce this risk if you:
- Develop and follow a patch test plan whenever possible, ideally deploying to a representative test group before the rest of the fleet, to increase the likelihood of a successful rollout.
- Have a strategy for rolling back a patch quickly (snapshots, backups, or the vendor's uninstall procedure) if it impairs system functionality.
Change management is a commitment and a process. Technium can advise on implementing a proper process so that sustainable patching at the network and security layers protects your business.
Mistake #6: Not Monitoring Patch Status
Patches do not always install correctly, and a patch that silently fails leaves the vulnerability in place while everyone believes it is fixed; that is how data breaches, ransomware attacks and other consequences follow. Minimize the risk by:
- Routinely verifying your systems' patch status with automated patch management or vulnerability scanning software, rather than trusting that the deployment job ran.
- Ensuring your team is notified of both successful and failed patch deployments, including systems that never reported back.
- Assigning responsibility for following up on failed deployments promptly, and regularly auditing that this is done.
At the network level, Technium holds Monthly Service Reviews with customers, facilitating a review of all vulnerability information across the entire network stack. This keeps patch status and trends visible on a regular basis.
Patch management is a crucial part of your cybersecurity foundation, and one that frequently gets less attention than it deserves because of time and resource constraints. If you need help implementing effective patch management or verifying that critical patches have been correctly applied, Technium and LMG Security can help.
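To show what monitoring patch status looks like in practice, here is an added example (not from the original post or from Technium or LMG Security) that reconciles one patch job's results against the list of hosts that should have received the patch. The log line format, host names and owners are hypothetical and the log lines are constructed. The point it makes is that a deployment is not finished when the job exits: a host whose install failed, one waiting on a reboot before the fix is active, and one that never reported at all are all still unpatched, and each needs an owner.

```python
"""Reconcile patch-deployment results against the asset inventory.

Added example, not code from the original post or from Technium/LMG.
Parses constructed status lines in a hypothetical tool's format, keeps the
latest status per host, and reports which hosts succeeded, failed, still
need a reboot, or never reported.  Host names and owners are assumptions.
"""
import re
from collections import defaultdict

# Hypothetical line format: "<timestamp> host=<h> patch=<p> status=<s> [detail]"
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+patch=(\S+)\s+status=(\S+)(?:\s+(.*))?$")

# Constructed deployment log for one patch job.  web-portal-02 failed once
# and was retried; web-portal-03 failed and was not; hr-db-02 installed the
# package but the old code stays loaded until reboot; intranet-wiki is silent.
PATCH_LOG = """\
2022-01-11T02:00:03Z host=web-portal-01 patch=log4j-core-2.17.1 status=SUCCESS
2022-01-11T02:00:09Z host=web-portal-02 patch=log4j-core-2.17.1 status=FAILED rc=1 disk full
2022-01-11T02:00:31Z host=web-portal-03 patch=log4j-core-2.17.1 status=FAILED rc=2 signature verification failed
2022-01-11T02:01:40Z host=hr-db-02 patch=log4j-core-2.17.1 status=PENDING_REBOOT
2022-01-11T02:05:12Z host=web-portal-02 patch=log4j-core-2.17.1 status=SUCCESS
2022-01-11T02:06:00Z unrelated line that must not break parsing
"""

# Constructed inventory: every host that should have received the patch,
# with the team responsible for following up on it.
EXPECTED = {
    "web-portal-01": "web-team",
    "web-portal-02": "web-team",
    "web-portal-03": "web-team",
    "hr-db-02": "dba-team",
    "intranet-wiki": "it-ops",
}


def parse_log(text):
    """Return {host: (timestamp, status, detail)} holding the latest line per host."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # tolerate unrelated or garbled lines
        ts, host, _patch, status, detail = m.groups()
        # ISO-8601 UTC timestamps compare correctly as strings.
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, status, detail or "")
    return latest


def reconcile(expected, latest):
    """Bucket every expected host by outcome.  Anything but SUCCESS is work
    still owed: failed installs, patches awaiting a reboot, and silent hosts."""
    report = {"success": [], "failed": [], "pending_reboot": [], "missing": []}
    for host in sorted(expected):
        if host not in latest:
            report["missing"].append(host)
            continue
        status = latest[host][1]
        if status == "SUCCESS":
            report["success"].append(host)
        elif status == "PENDING_REBOOT":
            report["pending_reboot"].append(host)
        else:
            report["failed"].append(host)
    return report


def notifications(expected, report):
    """Assign each unresolved host to its owner so someone is on the hook."""
    todo = defaultdict(list)
    for bucket in ("failed", "pending_reboot", "missing"):
        for host in report[bucket]:
            todo[expected[host]].append(f"{host}: {bucket}")
    return dict(todo)


def patch_coverage(report, expected):
    """Share of expected hosts with a confirmed successful install."""
    return len(report["success"]) / len(expected)


if __name__ == "__main__":
    rep = reconcile(EXPECTED, parse_log(PATCH_LOG))
    print(rep)
    print(notifications(EXPECTED, rep))
    print("coverage:", patch_coverage(rep, EXPECTED))
```

Only two of the five hosts count as patched, even though the job itself "ran" on four of them. The pending-reboot case is the one most often missed: the package manager reports success, but the vulnerable library is still in memory until the service or host restarts, so it belongs with the failures until the reboot is confirmed.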
This blog is distributed with the permission of LMG Security.
At LMG, our singular focus is providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts has been featured on the Today Show and NBC News and quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base across the United States and internationally.