Patch Management: Why it’s Important for CyberSecurity
A good patch management strategy is commonly listed as one of the basics of an organizational cybersecurity strategy. In this post, we discuss the importance of strong patch management and how to implement a good patch management strategy.
What Is Patch Management?
All software has bugs. Whether these are caused by design flaws or implementation flaws, the sheer amount of code in systems that we use every day is bound to contain errors. In his book Code Complete, Steve McConnell explores the average rate of errors in programming and estimates that the average program will have between 15 and 50 errors for every thousand lines of code. For reference, the average iPhone app has over 20,000 lines of code or an estimated 300-1000 errors, some of which are exploitable vulnerabilities.
Patches are software or firmware updates issued by a program’s developer designed to fix identified flaws in a program. Typically, this occurs after the flaw has been identified as an exploitable vulnerability, meaning that applying these patches is important to the security of the software.
Why Don’t Companies Patch their Software?
Companies may not regularly patch their systems for a number of reasons. A lack of technical staff can make “updating” a little scary to those without a technical background. Undermanned IT staff can become busy with problems perceived to be “more important”. Most notably, is that some updates can cause performance issues or “break stuff” and thus are often put off rather than dealing with the complications associated with updating.
Regardless of the reasons why an organization may procrastinate when it comes to patching, it’s a critical process that needs to be in place. Spending 30 minutes to a few hours in patching can save hundreds of thousands of dollars in the damage and hundreds of hours in recovery from a problem caused by a vulnerability or software failure.
Why Is Patching Software Important?
Patches are typically issued after an exploitable vulnerability has been discovered by the community or disclosed by the originating vendor for a piece of software or firmware. After a vulnerability is acknowledged, it is not uncommon for malicious actors to try to exploit it within the window between learning about it from its public disclosure and when the majority of the public have applied patches. Making this window as small as possible is important for organizational cybersecurity.
The Equifax data breach is an example of the dangers of a poor patch management strategy. As many as 143 million US customers had their personal data exposed in the breach. The cause of the breach was a failure to patch a known vulnerability in Apache Struts. A patch for the vulnerability had been available for two months before Equifax’s breach. Hackers had been exploiting the vulnerability starting just days after the patch was released, demonstrating that failure to patch endangered an organization. Equifax’s poor patch management policies opened it up to one of the most significant breaches in history.
Implementing a Good Patch Management Strategy
A good patch management strategy ensures that patches are applied in a timely manner and will not negatively affect operations. This breaks down into two main components: patch testing and patch application.
Patches are designed to improve the system or software; however, the developer cannot test against every possible use case and build environment. Depending on the specifics of your organizational network, some patches may break functionality, meaning that testing is vital before deployment. Testing should be performed in an isolated test environment, ideally a virtualized mirror of your production environment. By testing in an environment identical to production, it’s possible to identify and correct potential issues before they affect production systems.
Once testing is complete, patches should be deployed as soon as possible. While it may be feasible to do this manually in small environments, an automated patch application process is generally a better idea. Automation ensures that patches are deployed as quickly as possible and consistently applied across the network. The reduced workload on IT staff allows them to respond to specific patching issues quickly.
Patch Management is Vital to Security
Software developers commonly issue patches to fix vulnerabilities in their software. Patch testing and deployment may seem like a low priority next to monitoring and incident handling; however, it is vital to organizational cybersecurity.
The deployment of a patch creates the necessary evil of notifying malicious actors of a potential vulnerability, and they commonly seize the opportunity to search for and exploit vulnerable systems. By quickly testing and deploying patches, an organization can minimize the probability of a data breach or regulatory non-compliance due to unpatched software.
Sword & Shield Enterprise Security offers virtual chief information security officer services to help you build your patch management strategy. Learn more about our vCISO services and request a consultation.