Modernizing patching in response to today’s business landscape

Organizations running a variety of different endpoints need an up-to-date system in place to manage vulnerability patching regularly and ensure it is carried out, because patching is part of a company’s first line of defense against hackers.

Proper patching procedures are not just a security consideration but can also directly affect operational efficiency. As such, patching should always form part of the foundation of any IT strategy. If departments across the company are operating on different versions of the same software, productivity and efficiency could be adversely affected. 

Costly downtime while any issues are fixed is a risk, so businesses need to ensure a maintainable level of consistency across all software, services and operating systems. 

Vulnerability to cyber-attack is the most dramatic and damaging result of poor patching, as accountancy firm Bache Brown & Co explained to our team: “As with any business, IT is crucial to our success, and if our business is at risk of a cyber-attack, it can cause severe losses, from reputational damage to downtime disruption… All the main tools we use… rely heavily upon IT, so all of our systems need to be working efficiently and securely otherwise we would not be able to operate as a business.”

On the security side, proper patching is the first and best defense against unpredictable and potentially severe cyber attacks. While developers work hard to identify and rectify any vulnerability or flaw in the software they provide, a zero-day vulnerability could lead to a business’ devices being infected with ransomware or to an expensive customer data breach. Zero-day vulnerabilities are software vulnerabilities that are unknown to those who are mitigating risks, so if hackers discover the vulnerability first, they are able to exploit it.

In the majority of cases, a zero-day is reported or discovered and fixed before hackers can significantly capitalize on it. However, if a patch isn’t implemented at the user end, a fixed zero-day remains unfixed for the user. The original software provider cannot protect a business that doesn’t implement its patches. The infamous Equifax breach a few years ago was caused by a failure to fully apply patches to known vulnerabilities, turning one obscure server into an open door for would-be hackers. 

It is estimated that at least 60 percent of data breaches are caused by known, unpatched security vulnerabilities, making proactive patching the best policy in all circumstances. A patch management service offers businesses a specialized team that can proactively organize and manage the patching process. It can provide a clear picture of which software and services are vital to the business and improve uptime and security. But is an external specialized team really necessary, or should companies just try to manage alone?

Don’t manage alone 

For many businesses, the approach to patching goes no further than policy level. As important as it is to keep all enterprise systems updated, it is often left to individual users to monitor their own devices. Effective oversight and enforcement of this type of approach can be a challenge, especially in larger organizations. Placing the responsibility on employees increases user friction, harms productivity and increases the chance of non-compliance. Many organizations simply struggle to deploy security patches in a timely manner, with over 40 percent of companies taking longer than a week.

In response to the traditional workplace becoming decentralized due to the Covid-19 pandemic and the lockdown landscape, a priority in 2021 is ensuring that patch management is implemented on all remote devices. Coordinating system updates is now more difficult but also more important than ever before.

The key to successful patching is to always use legitimate patch sources, ideally those that come direct from the vendor for additional security. An insecure patching process can offer hackers potential vulnerabilities to exploit, and can sometimes be just as risky as an unpatched system. Supply chain attacks can compromise update sources or generate fake updates that result in users directly downloading malicious software, which they mistakenly believe will keep them secure.

A prime example of this was the SolarWinds/Orion attack last year. The US-based IT vendor SolarWinds and its management software Orion were compromised by probable state-sponsored hackers. Malicious code was inserted into an Orion update, which then infected the systems of many SolarWinds client organizations, including several US government departments, while they underwent routine update procedures. It was a case of harm being caused by an attempt to do good.

The 2018 ‘Magecart’ supply chain attack against British Airways is yet another destructive example of the update process being abused. Magecart takes advantage of failures to manage patching and updating. In the attack, details of approximately 400,000 customers were stolen, and British Airways was fined £20 million by the Information Commissioner for the incident in October 2020.

On rare occasions, even official patches can introduce new zero-day vulnerabilities, or reintroduce known vulnerabilities. In 2019, Apple inadvertently restored a previously fixed security vulnerability to its iOS system that would allow hackers to completely hijack a user’s device.

Managing the patching process in-house might be tempting, but it often becomes unworkable. The issues and pitfalls faced can affect a business’ security and productivity. Companies not only need to make sure that all relevant endpoints are properly overseen, but they should also remain vigilant against fake patches, supply chain vulnerabilities and even potential security issues from the official patch sources themselves. 

Again, going straight to the vendor can help eliminate any doubt. It’s impractical to leave such responsibility to individual employees. But automating updates to always accept the latest patch can be difficult to set up effectively and reduces the business’ ability to respond to new security threats.

Making patching work

It has become increasingly obvious that as the business, IT and cybersecurity landscapes have all evolved, patching can no longer be an afterthought. However, it remains a complex and difficult process that is too often ignored or mishandled. 

An external patch management service could be the answer, though, as it allows a specialized team not only to make sure every endpoint and service complies with the business’ requirements but also to monitor new patch releases and check for supply chain vulnerabilities. This type of responsive, proactive and adaptive patch management service is one that enterprises need now and in the future.

Colin Dennis, Technical Operations Manager, CyberGuard Technologies

Colin heads up the Security Operations Centre team and is responsible for maturing CyberGuard’s suite of managed cyber services including penetration testing and advanced detection, threat intelligence and incident response.