The importance of software patching for enterprises cannot be underestimated and it has been a well-established responsibility for IT organizations for many years. But with the increasing interest in cyber insurance lately, the security and IT practices in general (and software patching in particular) are being brought into the spotlight again.
Given that the changes in the threat landscape are accelerating (e.g. threat actors are evolving, methods of attack deployed are constantly changing) the risks of losses from cyber incidents for companies are constantly getting higher. So what should enterprises be doing to protect themselves?
Security in the IT world is a huge topic and there is a lot of wisdom on how to establish and maintain the security posture for enterprises, but let us focus on one aspect of it - software patching.
Any sufficiently complex piece of software - from Operating Systems that power our smartphones, tablets, laptops and servers to various business apps on all of those devices - has defects in it. Some of those defects are minor and hardly noticeable (like a typo in the UI or a misaligned OK button), while some may lead to severe vulnerabilities. The challenge with those high-risk defects is that not all of them are even known to software vendors when they ship their products and services to the public. When they learn about such bugs - either by finding them internally or by them being reported externally - the vast majority of vendors release an update to their software in order to address newly discovered issues. Those updates are often called “patches”, since they’re essentially a bandaid over the “cut” or “wound” in the software product which can be used by malicious actors to gain access to the data that software handles.
Applying those updates is what IT and Security teams are responsible for as part of managing cyber risks in enterprises. But there are a number of challenges that either complicate this job or extend the timing of it - here are to name a few:
- The diversity of software vendors that organizations have to deal with. For example, managing patches from a dozen vendors is simpler and faster than having to do so for 50 or 100.
- Diversification of devices where patches need to be applied - mobile devices, Bring Your Own Device (BYOD), cloud infrastructure - increases the number of different updates to be managed since each device may require different patches.
- Organizational boundaries and silos between Information Security and IT Operations teams, especially in large companies, may add communication issues when InfoSec needs to review, analyze and prioritize newly-discovered threats and vulnerabilities and only then pass their findings onto IT Operations team for rolling out updates.
- Connectivity of the mobile workforce may be spotty and won’t provide enough time or bandwidth to download necessary updates in time.
As you can see, it’s rather hard for enterprises to keep the software of their IT fleet updated in a timely fashion to prevent malicious actors from exploiting known vulnerabilities.iming is important here to minimize the window of opportunity for a cyber attack.
However, it does not always have to be a race against time, since for the majority of cases software patching can and should be considered a hygiene of the IT environment rather than a firefighting operation. The more rigorous and consistent an organization is in following internal procedures and best practices on security, the healthier an IT infrastructure is. Much like with health hygiene, it is easier and cheaper to prevent the problem than recover from it.
For example, an Equifax data breach in July of 2017 affected nearly 150 million Americans whose personal data was compromised. It could have been easily prevented because the vulnerability which was exploited in that attack was well known several months before the breach happened and there were simple steps to address it. Another example is the WannaCry and NotPetya attacks in May-June of 2017 that caused significant impact to a large number of organizations and businesses (measured in hundreds of millions of US dollars) across the world by impacting over 300,000 computers. Both of those attacks have exploited the known vulnerability in Microsoft operating system allowing attackers to execute the malicious code on a remote computer, even though the patch from Microsoft was available a couple of months earlier.
It is becoming increasingly clear that maintaining patch hygiene in enterprises is one of the most effective mechanisms to minimize the risk of cyber incidents to happen. But besides patching, what else should companies be doing to protect themselves and reduce the risk of cyber attacks against them being successful?
In my opinion, in addition to following best practices and internal IT and InfoSec policies on patching, companies need to:
- Invest in employee education to improve the awareness and culture of security hygiene (which is helpful for any individual both in their professional and personal life)
- Make sure that technology choices, business processes and organizational structures facilitate the communication and agreements for different functions within enterprises to do their job of keeping IT assets, as well as sensitive information, safe and secure.
I recently conducted a video interview highlighting the value of patching. You can access that video at cybcube.com
"Maintaining patch hygiene in enterprises is one of the most effective mechanisms to minimize the risk of cyber incidents to happen"