ITB - IT Solutions for the next generation
linkedin logo twitter logo facebook logo google+ logo

To Patch or not to Patch, That is the question.

Thursday, May 10, 2018
To Patch or not to Patch, That is the question.

All software that is developed will have certain technical vulnerabilities, some more severe than others. These vulnerabilities can be exploited by hackers to break into systems and software to deploy Malware which can then be used for a multitude of sins (see our blog on Malware Protection to learn more about the different forms of Malware). If these vulnerabilities aren’t fixed, then an organisation becomes a sitting target for a hacker if its made public.

On the face of it, fixing, or ‘patching’ these vulnerabilities seems like a pretty straightforward task, however, when in Cybersecurity is anything ever ‘straightforward’?

As we’ve spoken about in previous blogs, the bigger the organisation, the more complicated the problem is to address. If you’re rolling out patches to ten machines all running the same software, you won’t have too much of a headache, however, if you’re a business with several thousand endpoints, servers, applications and databases it can become a nightmare to manage. Throw into the mix patching Microsoft Applications and Third party applications across the enterprise and the process can become tedious and repetitive as well as a headache if done manually.

Many organisations can fall into the trap of throwing money at Cybersecurity to fix problems but focusing more on internal procedures and developing a strong Patch Management process can reap as much benefit.

As a Cybersecurity reseller, we don’t advocate ‘selling based on fear’, but there is too much at stake to get patching wrong. Just ask the now ex-CEO at credit firm Experian.

The patching issue at Experian is one every company can learn from. A patch was released to fix a vulnerability in the Apache Struts platform (an opensource web application that is popular with Experian’s corporate clients) in March 2017 however for whatever reason this patch was never rolled out and Experian was hacked 2 months later in May. It was this wide-open vulnerability coupled with a lack of encryption and poor process that led to the breach.

It’s too easy to lay the blame at the door of the person responsible for rolling out this particular patch, however, the issue runs much deeper than that and actually shows a lack of respect for what could happen if an important patch isn’t rolled out.

So, what can we take away from this incident?

The main thing we can learn from this is how important it is to ensure you have a strong process in place for rolling out patches.

Ensure that you have somebody within IT who is responsible for patching, this doesn’t have to be somebody with the sole responsibility of rolling out patches (unless you’re a huge multinational organisation that is) but somebody who’s job has a strong emphasis on managing this particular function.

There may be several people in IT responsible for patching, but somebody should be accountable for ensuring they are rolled out in a timely fashion, effectively and with minimal downtime. Also, have a contingency plan in place to ensure that the process doesn’t fall down if this person isn’t available to manage it.

Ensuring minimal downtime is difficult to achieve, however, there are certain things IT operations can do to roll out patches with minimal fuss. One such thing is to set-up a test environment where any patch updates can be tested before being rolled out in a live production environment. This may take some time to set-up but the ROI will be ten-fold when organisations consider the cost associated with fixing broken systems.

IT should also develop an asset inventory to help ensure that all software and systems are covered when patches are rolled out. If an organisation doesn’t know that a device exists then how can it be patched?

Here at ITB we regularly speak about the fact that humans alone cannot stop cybersecurity threats, and neither can machines, but a combination of both can work well. This also rings true with Patch Management, and there are several platforms available to help make the process of rolling out patches easier for IT teams.

Many tools will help organisations maintain compliance regulations by automatically checking for and offering to deploy critical new patches as they are released although automatically deploying patches isn’t something we would recommend as it can cause issues. Using a Patch Management solution will also help with asset discovery and provide reports on what updates and patches need addressing including the urgency of these.

For a conversation on how we can help you address Patch Management and your processes feel free to call us on 01865 595510.