Security patching is an integral part of maintaining overall IT infrastructure and mitigating security risks. As soon as a vulnerability appears, cybercriminals begin looking for ways to exploit it. They also know that not every company installs every security patch, and companies will too frequently fail to keep their systems updated and remain vulnerable. To that end, cybercriminals actively probe networks in search of those vulnerable systems, and unfortunately, they’re often successful. Recent reports detail that while some attacks rely on newly discovered exploits, 50 percent of attacks target vulnerabilities reported before 2017. If the exploits frequently used to breach organizations aren’t zero-day attacks, the question remains: What are the contributing factors that lead organizations to neglect their patching, and how can IT teams best set themselves up for security patching success?
The basics of security patching
Security patching is the process of identifying out-of-date software and applying updates to resolve issues and vulnerabilities.
System administrators must also determine which devices—endpoints—on the network are affected by updates and schedule deployments. When possible, they also test patches before deployment to ensure that the patch does not introduce unintended effects. Once admins are assured that the software update is safe to install, they deploy it to all affected endpoints.
Contributing factors of security patching challenges
Though patching is crucial to keep systems secured and up-to-date, there are significant barriers that can stand in the way of that happening.
Not getting the basics
A surprising number of companies have few or no controls–think the basics, like a simple passcode–on mobile devices that access corporate data. Other companies may have a handle on common endpoints, like servers, desktops and mobile devices. But they overlook a kiosk or signage with an embedded PC that’s constantly running and constantly connected to the network, or devices that go forgotten because of IT staff turnover.
It’s difficult to do much else to ensure patches are implemented if the basics aren’t there. Assuming you know that these basics aren’t covered, it’s not out of the realm of possibility for the organization to take care of them. But failing to get them right at all in the first place can be dangerous.
No asset management plan
Asset inventory is not the same as asset management. Even companies that have robust inventory tools in place can lack asset management and good inventory control.
Consider the scenario in which you issue a refreshed laptop to a user who asks to keep the old one for a week or so. Why? Because they want to make sure that all their files have successfully migrated to the refreshed device. That week turns into a month, then into six months. Then somehow, the old endpoint is back on the network, and it’s vulnerable because it hadn’t been patched.
On top of this, third-party patch engines only patch certain current versions of applications. It is critical to know what you have so new full versions can be deployed that are supported by third party patching engines.
If you do not know what software is on these endpoints and the version and end-of-life dates how can you secure them? If you don’t have a good asset management plan in play, these scenarios are repeated which leaves organizations vulnerable.
Many organizations ask their IT support to maintain multiple systems, sometimes with limited budget, and different internal skill-sets. However, if teams are under-resourced to the point of not keeping up with the work of security patching, it can be an issue. Though it’s not unusual for IT staff to be stuck in a reactive mode–just trying hard to maintain systems to keep the business afloat–patching and security can suffer as a result. Selecting a tool that can support these teams without a lot of overhead and with a level of simplicity and reportability is critical for a successful security stance.
Challenges of BYOD and hybrid environments
Asset management for hybrid environments with the complication of bring-your-own-device (BYOD) brings up other challenges. Users who elect to work from personal devices (or insist on working from them) can put the organization and its data at risk. Personally owned devices used for accessing organizational data should be given controls similar to corporate-owned devices.
One major issue of BYOD and hybrid environments is dependence on VPN connectivity. Unfortunately, VPN use across some organizations can be sporadic. If users are remote or hybrid and depend on VPN connectivity for patch management tools to perform, how successful can organizations truly be at applying these patches and software updates?
Evaluate the BYOD pros and cons thoroughly before deciding whether to allow it in your organization.
Growing attack surface
Along with hybrid and BYOD environments, the overall expansion of attack surfaces makes it challenging to keep endpoints updated and patched. Shadow IT, unsecured data movement, device loss and theft, user-installed malicious applications, and asset management during an employee’s lifecycle at a company offers non-traditional entry points for attackers to breach, and another area for teams to monitor. A least privileged model is far more necessary today than ever. The ability to remove and end a user’s administrative or elevated rights, elevating processes and/or applications are critical to minimize this threat.
Lack of testing
An integral part of security patching is testing. Patches are software, and software is imperfect–that’s why it needs patching–so make sure to budget time for testing into your patching regimen. Nobody wants to be responsible for deploying a patch companywide, only for it to have a severe impact on production environments and need to roll updates back. Especially because of a software incompatibility that could have been discovered in the test lab. A lot of products nowadays make set-and-forget or auto apply a priority, removing testing capabilities. While this may sound great, it can open the door to some issues. Make sure to evaluate testing and release management capabilities that will fit you and your auditor’s needs.
Neglecting third-party application patching
Some patches are distributed and applied by an operating system vendor. However, third-party application patches frequently aren’t included. Third-party applications are often essential for a business to continue functioning. This leaves organizations with the decision to either install third-party application patches manually, or invest in patch management software.
Another critical consideration is the reportability of these third-party patches. If you do not have a third-party patching engine and rely on Group Policy to update applications or self-update features are enabled, how do you know if they were successful and current?
The risks of neglecting security patching
Deploying patches is crucial to safeguard organizational data. Organizations that cannot enforce security patching run several risks:
- Financial — Serious data breaches have reached new all-time highs of $4.45 million on average.
- Reputation — When customers, users and business partners learn of a breach, the breached company’s reputation is on the line. Failing to protect user or client information because of a neglected security update makes it hard to maintain trust in an organization.
- Compatibility — Many updates are issued to ensure interoperability with other software products.
- Compliance — Companies that take IT security seriously follow the guidance of organizations like NIST and CISA. Their prospective customers and partners take notice of both compliance and non-compliance with those programs.
- Threat actors — Most of all, patching boosts your security profile and increases your organization’s resilience to cyber threats. It’s the best way to deter threat actors from sowing malware and viruses on your endpoints.
- Job security — As an employee responsible for maintaining endpoints, you are responsible to provide a security model ensuring that your environment is protected from these threat elements.
Measures to enhance security patching
Patching is one facet of an entire IT security landscape. Like all other elements – such as network security, high availability, backup, disaster recovery and endpoint management–its main purpose is to mitigate risk. Though obstacles can get in the way of security patching, further mitigate risk in your organization’s IT environment by examining the following areas of your organization’s patch management process.
Inventory all network-connected devices
A single, unpatched device is all it takes to make an entire network vulnerable. To have a chance at effective patch management, it’s critical to know what computers and devices—including unmanaged or rogue devices—are on a network. No visibility on these devices leaves poorly managed assets at risk, and can stand in the way of the best attempts to bring devices to an acceptable state.
Review your current device management strategy
A device management strategy is crucial to ensure deployed endpoints are secured. Without one, companies lack controls to run scripts, install applications, encrypt and patch devices. The fact that many workplaces no longer require employees to come to the office makes it a bit more complicated to manage devices.
It opens the door to a variety of questions IT teams must ask to ensure bases are covered when it comes to device management. What does the lifecycle of issued endpoints look like? Do operations depend on employees working inside of the organizational firewall? Do devices have and enforce their own perimeters? How are applications distributed? Is identity management and authentication in place? If workers are located around the world, what controls can be put in place to manage their devices? Are you able to remote wipe devise that are lost or stolen by remote workers?
The way organizations need to manage devices has evolved, and so device management strategies must evolve as well.
Evaluate current patch management processes
If patching is so important to organizational security, then why do so many organizations struggle with patching? Part of it is the circumstances surrounding the patch management process, but it may also be a challenge due to the nature of patching itself.
Patch management can be an event-driven, repetitive, task-based process that doesn’t always lend itself well to streamlining. It’s always about the short term, and the sheer volume of patches to deploy can be daunting. Many systematically follow the typical process of discovery, provisioning, establishing line-of-sight, developing a patch schedule, setting up tasks, detecting devices then deploying patches.
Of course IT teams want to automate that process as much as possible, but that approach can be limited if the organization isn’t able or willing to implement patch management best practices, or consider the changes needed to further automate the process.
Policy-driven patch management is intended to help streamline that process. It allows IT teams to set up patching parameters for deployment.
Systems management appliances monitor and perform continuous detection. If a device needs an update, a policy-driven patch management system validates it, the appliance deploys it, verifies the update and refreshes the inventory. If an urgent or critical patch is released, defined policies determine the need and install the patch. The ability to also rollback or remove a patch is also critical, even with the most stringent release strategy not every configuration can be tested.
The importance of timely and efficient patch management becomes even more essential as the digital landscape evolves and attackers develop more sophisticated methods of attack. It is crucial for organizations to reflect on the contributing factors that lead to patches being overlooked, and more importantly, take steps to implement strategies that streamline an efficient security patching process.