Patching: Getting Back to the Basics

‘I Need a Patch for That Day’ was celebrated on May 21. Not only was this the perfect occasion for IT teams and businesses to ensure that their patch management processes were in tip top shape, but it was also an opportunity for CIOs to make sure they implement all the basic (but necessary) cybersecurity practices as well as conduct basic IT health checks. However, there is no time like the present for IT teams to get cracking; research from Malwarebytes has revealed that malicious actors are increasingly targeting businesses over the individual consumer, with detections of cyber-attacks targeted at enterprises increasing by 195% compared to Q1 2018. So, while ‘I Need a Patch for That Day’ should act as a nudge for IT teams to assess their patching, patch management needs to remain a priority all year round.

IT leaders should take notice of this now more than ever as, according to Verizon’s 2019 Data Breach Investigations Report (DBIR), cyber-criminals continue to exploit known vulnerabilities in order to gain access into organizations’ networks. Despite continued high-profile cyber-attacks, such as Arizona Beverages, which were made possible due to unpatched and outdated software, many organizations are still failing to learn from their own and other companies’ mistakes, and aren’t keeping on top of routine patches.

Large strides towards increased endpoint security by patching quickly and comprehensively have been taken, as well as demonstrating compliance with data protection regulations, such as the NIS Directive and the GDPR. However, as high-profile stories show, companies of all sizes are still exposed to vulnerabilities. This is partly because of the complexity of today’s modern IT network; increased endpoints, mobile devices, legacy systems, a growing number of vulnerability disclosures, multiple heterogeneous systems and different update mechanisms all come together to create a perfect storm for IT professionals.

The sheer volume of patches combined with the complexity and scale of a business’ IT infrastructure is certainly a challenge, but, without the necessary technology in place, it can become unmanageable. Over 22,000 new vulnerabilities were disclosed in 2018, with large vendors such as Adobe and Microsoft adding updates every month without fail. It’s no surprise that just 44% of patches were applied within 90 days last year, according to Verizon.

The problem with patching is that it is a tedious process when done manually. Furthermore, organizations often forget that programs and data hosted on virtual servers and in the cloud need to be patched, as well as physical devices. There is certainly a lot to think about to ensure that the job gets done correctly, and therefore organizations need to be automating their patching. This would ensure that systems are continuously scanned for missing patches and automated solutions deploy patches where necessary, without human intervention. Cybersecurity teams would also benefit from this by having more available time to dedicate to more proactive tasks. Real-time reporting would ensure that IT teams remain informed on patching processes, allowing them to easily identify priority patches.  

Unfortunately, no business can be 100% protected purely through patching, and therefore a layered approach to security is necessary. Additional tools such as vulnerability management, privilege access management, application whitelisting and ensuring that regular system back-ups are implemented are also essential. However, organizations must make sure they unify IT operations and invest in solutions that are compatible as a whole, and are able to seamlessly integrate to provide a comprehensive picture of the risk environment.

While the cyber-threat landscape is constantly evolving, malicious actors will always look for new ways to exploit old vulnerabilities. As such, businesses need to make sure they continue to ensure basic cybersecurity practices are implemented, and IT professionals need to reassess and tweak their best practice security strategy as needed.

What’s Hot on Infosecurity Magazine?