Patch management: what it is, and why it matters
Amid media coverage of cyber breaches, it’s easy to forget how simple the causes can be. Similarly, it’s easy to forget how simple some of the protection measures can be.
Take patch management – the process of regularly and consistently applying software updates and patches.
This is a critical security precaution that removes many of the vulnerabilities that cyber criminals target. Yet this precaution is not always taken – in some cases leading to serious disruption and financial loss.
Patch management removes many of the vulnerabilities that cyber criminals target.
For example, the Equifax data breach – compromising the personal data of 143 million US and over 400,000 UK citizens – was caused by attackers exploiting an unpatched critical vulnerability (in Apache Struts) to steal data.
A few months earlier, the WannaCry ransomware outbreak successfully targeted unpatched systems. Many other recent ransomware attacks – such as Petya ransomware and Bad Rabbit – also had the capacity to exploit unpatched systems.
A patch is a piece of code that can be applied to software in order to correct issues after it has been installed. Think of it like a replacement of an old car part.
Patches are sometimes necessary because no software is flawless. In fact, the more complex a software program, the more code it contains and the more likely it is that errors will creep in. And as soon as software gets released, there are hackers looking to exploit such vulnerabilities.
As soon as software gets released, there are hackers looking to exploit such vulnerabilities.
Unfortunately, many companies struggle to patch security issues when a fix becomes available. For instance, the Apache Struts vulnerability was disclosed and an update issued in March 2017. Equifax previously said the intrusion into its systems began in mid-May – suggesting the vulnerability may have been left unpatched for at least two months.
By following some simple steps, companies can ensure their operating systems are supported and up to date:
1. Identify all the software used on your systems – not just Microsoft, but also Adobe, Apache and so on.
2. Monitor the release of new patches from vendors (specifically security patches, rather than feature patches).
3. Apply security patches as soon as feasible. The software vendor will often assign a criticality that will help you identify the severity of the issue. This is also useful in prioritisation if you have multiple patches to implement but do not want or cannot deploy them at the same time. If you implement a patch without testing it, however, it could cause an operational issue with your service, so it’s generally best practice to test it first.
4. Deploy vulnerability scanning to ensure the patches have actually been installed.
A look at recent high-profile cyber breaches suggests patch management will only become more critical. In fact, insurers have recently grown particularly sensitive to its importance to cyber companies’ security, and now invariably ask companies seeking cyber insurance about the nature and quality of their patch management.
No company can be 100% safe from cyber breaches. A few simple steps taken in a timely fashion, however, will certainly leave you less exposed.
For more information, please contact Peter Erceg on:
+44 (0)20 7933 2608