Don't Leave Your System Vulnerable
Why Patching in Cyber Security Should Never Be Underestimated
One of the most critical tasks an organization needs to do constantly is to keep its software updated with the latest patches. Patching is crucial in keeping computer systems and networks secure, but unfortunately, this process seems to have garnered a reputation as being a secondary priority thing from the past.
Patching is the process of updating software with fixes to security vulnerabilities and bugs. Organizations should implement a coherent patching strategy that covers all the technologies they use to ensure that all software is updated regularly. There are several compelling reasons to do so. For example, cybercriminals are constantly looking for new vulnerabilities in software to exploit and will use unpatched systems as a way of gaining access to deliver ransomware.
"All hardware devices are running some type of software. Unfortunately, developers make mistakes or simply realize that something could have been done better. So, corrections are made, and in these cases, those corrections are called patches."
WithSecure Principal Consultant Antti Laatikainen
Security incidents can be costly for organizations. Patching software regularly can help to prevent these incidents and save organizations money in the long run. In addition, many industries have regulations that require companies to maintain a certain level of security. Regular patching is often a requirement of these regulations. Failure to comply with these regulations can result in fines or other penalties.
Simply put, having an up-to-date patching strategy will save a lot of headaches – like loss of reputation and financial stress - for an organization should there be a data breach or security incident.
A bit of a balancing act
Organizations need to find their balance between testing the patches properly, and being able to install the patches as soon as possible to defend themselves against emerging threats. In an ideal world, organizations with a good understanding of their attack surface and assets can better evaluate the criticality of individual patches and prioritize the ones that are the most important for their environment.
"Organizations can make things easier for themselves by understanding their attack surface. This helps in identifying the most critical systems across their estate, giving a good understanding of what they've got in terms of the technology stack, and prioritizing accordingly"
WithSecure Security Consultant Katie Inns
However, numerous obstacles to getting patches in place might make organizations reluctant to invest time, effort and money.
- Handling the risks: Sometimes patches change how applications or systems work. Some patches are more important than others. Gaps in the coverage of patching (i.e. not including all the technologies used in the patching process) leave the company open to attacks.
- Patches require testing: Patches sometimes can cause issues or glitches and cannot simply be dropped to all systems within enterprise network using auto-update. They need to be rolled out in a controlled manner – this takes time and complicates things.
- Dealing with legacy systems: Some organizations might be running legacy systems which might not be supported anymore by the manufacturer. In these cases, there might not be new security patches available anymore, and vulnerabilities found in their software need to be managed using other controls such as network isolation or using jump servers.
- Ownership of systems, applications, and practices: The larger the company, the more complex the company's technological stack will be. This might make it challenging to build a coherent, over-arching patching process that will cover all the used technologies with similar coverage. Having differences between applications or systems patching cycles makes it hard to handle the overall risks of vulnerability management.
Of course, none of the above points are obstacles that eager attackers need to concern themselves with when going for a strike.
It's quite clear that implementing a patching strategy is critical for organizations to maintain security.
In order to do so, organizations (with the help of security companies) should consider the following:
- Identify all software in use across the organization
- Determine the criticality of each software component, the systems and networks where they are being used and the potential impact of a security breach
- Create a periodical schedule for patching all affected software, with the possibility of prioritizing and performing immediate installations if needed (due elevated risk profile of a specific security patch)
- Test patches before deploying them across the organization
- Automate the patching process as much as possible to ensure timely and consistent patching.
- Cover all the used technology layers (from hardware firmware versions to operating systems and applications) and get yourself good visibility of the patching needs of each one.
The WithSecure Pulse 2023 survey showed that patching is one of the top priorities for organizations. Read more here