Does Patching Make Perfect?

Written by

We’ve heard it time and time again: patches and updates are the key to mitigating vulnerabilities that lead to epic Equifax-sized breaches. The logic goes that security incidents can be avoided if you just update and patch your OS and applications as instructed.

Is it really as simple as that? It’s true that patching and updating your software and operating systems are critical elements in your security approach. At the same time, the process of installing updates and patches has become so highly complex that it, in and of itself, may create new complications. 

To start, let's look at why patching and updating are so critical in the first place. Patches and updates are two primary means to ensure that programs and operating systems function properly and securely. They deliver bug fixes, add and enhance features, and – most of all – fix vulnerabilities. 

Failing to install patches and updates leaves you wide open to avoidable exploits that can be avoided entirely. Just ask the NHS, which fell prey to last year’s WannaCry attack. A recent report from the UK National Audit Office shows that the NHS had been instructed to patch their computers against the specific vulnerability that caused WannaCry as early as two months before the attack.

Returning to the disaster at credit rating giant Equifax, the breach was caused by a vulnerability in their Apache Struts web application framework. Not only has this attack left roughly half the US adult population at risk for ID fraud — the worst part is that the Apache Struts Foundation released a patch for that same critical vulnerability (CVE-2017-5638) back in March, a full four months before Equifax says they identified a breach on their network. 

The Problems with Patching and Updating
This brings us to the over-complexity of patches and updates. Back in March 2017, when the Apache Struts vulnerability was first reported and the patch was released, enterprises relying on the framework knew it would be tough to fix. Here is how Ars Technica explains the difficulties involved with applying the patch:

“ involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.”

This does not in any way let Equifax off the hook, but it does highlight the great difficulties and challenges that many enterprises experience when it comes to patching and updating. As with the Struts patch, application is not always simple and may cause unanticipated breakdowns and malfunctions.

With so many patches and updates being released, it can be hard to assess which are essential and which are merely recommended. For example, the patch for the vulnerability that led to WannaCry was released just like any other “Microsoft Patch Tuesday” patch, which may have led people to believe that the vulnerability wasn't all that critical. Moreover, incompatibilities with patches and infrastructure can cause other critical programs to crash.

Lastly, there are so many patches and updates released on an ongoing basis that applying them all could take up all of an IT team’s time.

So, it’s not that patching doesn't make perfect — it’s that getting the entire process just right can be extremely complex. By not getting it completely right, you may just be letting in the next big breach.

Isolate to Reduce Your Risks
The truth is that in the world of multi-layered applications and complex network architecture, there is no one silver bullet that can completely guarantee complete integrity and security. But you can minimize your risk by reducing your attack surface. 

Security analysts continue to affirm that most security breaches, incidents, and phishing attacks can be traced back to browser-based vulnerabilities that have been exploited. Thus, enterprise security can be greatly improved if organizations can block hackers from breaching endpoints and networks via the browser. If hackers cannot gain access, they cannot exploit security vulnerabilities presented by unpatched applications and software. 

Secure remote browsing, and in particular, remote browser isolation (RBI), represents a new, proactive approach to safeguarding against internet-borne threats. In fact, it was named one of the top security technologies in 2017 by Gartner

With remote browser isolation, all browsing activity is executed remotely, in an isolated virtual environment such as a container, which is disposed of at the end of that browsing session. What users get is a real-time, interactive visual content stream that is free of all risk. 

In short, browser isolation is a layer that reinforces your existing security measures and helps you stay protected during those inevitable brief lapses in the never-ending patching and updating cycle. 

To really “make perfect”, you need to patch and update, but that’s just one (highly complex) aspect of achieving complete security from vulnerabilities.

In addition, you need a layered defense that will help you secure gaps in the remaining layers and that includes a solution for preventing malware and fileless attacks originating from web browsers.

What’s hot on Infosecurity Magazine?