Software Patching – Best Practices

Data breaches are still on the rise worldwide with no end in sight, and ransomware attacks have doubled globally in the past year. Management at all organisations should take possible attacks on their infrastructure very seriously: old hardware, out-of-date software and oversights by IT teams create vulnerabilities, and hackers need to find only a single point of entry into a network in order to wreak havoc. In most cases, missing security patches for known system vulnerabilities are what hackers seek out in order to gain access to networks.

Security patching can be unnerving to some individuals, and the hundreds of patches released weekly only make the task more intimidating, because the risk of causing more harm than good to IT systems appears to be elevated. Unfortunately, though, in order to protect IT infrastructure and the organisation that relies on it, such patching is a necessity. Without it, liabilities can increase dramatically over time and cause far greater damage and losses.

 

The bottom line is that those who don’t patch are exposing their organisations to far greater risks. There should also be no trade-off between security and functionality. The following patching guidelines will help to manage the process in an efficient and more secure way:

  1. Know your environment
    One should always scan for vulnerabilities and missing patches regularly. Finding vulnerabilities is the hardest part of patching, and knowing what needs to be patched is the first step in hardening an organisation’s attack surface. This can be achieved using vulnerability scanning tools such as F-Secure RADAR, which is capable of scanning an environment to identify missing patches for multiple operating systems and third-party software.

It is important to note that vulnerabilities can exist in any software and third-party software can certainly pose a risk. The ransomware attack on multinational shipping company Maersk in 2017 affected 4000 servers and 45000 PCs and was initiated by the exploitation of a security flaw in their third-party accounting software. Hardware can be vulnerable too. Don’t ignore hardware like firewalls or switches as these are also affected by firmware and software vulnerabilities.

  1. Test patches before full deployment
    MS Windows patches have become notorious for breaking services and features that previously functioned without issue. A case in point is Microsoft’s security rollup in January 2019, which broke file sharing for Windows 7 and Windows Server 2008 systems. If possible, roll out updates to a test group of devices first to confirm their stability before rolling them out across the whole network. Ideally one should also allow for the normal use of the test devices for a few days after patching before continuing the rollout process to all the other devices on the network.
  1. Patch in batches
    For organisations with different departments, it’s a good idea to avoid patching all the devices that are used to perform similar roles all at once. It is preferable to split them into smaller groups/batches and then deploy the updates systematically. In this way, employee productivity is not halted for a whole department while the updates are being applied. 
  1. Limit the number of patches
    One can simplify troubleshooting of the patching process by limiting how many patches are installed at once. Should a patch break something, it’s far easier to pinpoint the problem and roll back when only that one patch has been installed than when many were installed together.
  1. Do some research
    Checking for any bad news on a particular patch before implementing it can save a lot of time and effort and makes more sense than blindly installing a patch, only to have to start troubleshooting afterwards. It is very likely that someone else has already discovered a dodgy patch and a quick Google search can save many hours of frustrating work trying to sort out a known problem.
  1. Create checkpoints
    In the case of virtual machines (VMs), always remember to create a checkpoint or snapshot before making any changes. If anything goes wrong, you can then simply shut down the VM and load up the saved checkpoint to restore the system to its original configuration.
  1. Virtualised test environments
    Virtualisation runs on most modern PC hardware, and some older hardware too. With these resources available it’s easy to set up a virtual test environment with multiple VMs for different operating systems. It can also be used to test patches before their rollout.
  1. Keep an up-to-date schedule
    One of the most intimidating things about patching is the sheer number of updates released. Patching is a process and it takes time. Creating a weekly or monthly patching schedule greatly reduces the burden imposed by the task. Ignoring the task simply creates a bigger problem further down the line as the patches will just keep on coming. Postponing patching until later should not be an option as it will directly affect the organisation’s cyber security resilience.
  1. Backup, backup and backup …
    It is inevitable that a patching update will break something one day, as patching is not an exact science and is never totally fool-proof. It is humans who manage patching technology after all. This is one of the reasons why backups are so important. Much like a checkpoint for a VM, a system backup will restore devices to their original working state. This also applies to the files that exist on the devices being patched.
  1. Rinse and repeat
    The key to vulnerability assessment and management is making sure that the changes made have a positive impact on the system. After devices or an environment have been patched, one should ideally do an audit of the complete system. F-Secure RADAR keeps track of the changes made with every scan and in so doing makes it simple to identify whether the vulnerabilities have been patched and secured, or if the patch has caused yet another vulnerability that needs sorting out.
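
The "Test patches before full deployment" and "Patch in batches" guidelines above can be turned into a concrete rollout plan. The following is an added example, not part of the original article: the inventory, hostnames and the function names `plan_rollout` and `max_per_stage` are constructed for illustration. It picks one pilot device per role, spreads the remaining devices of each role across separate waves, and holds back one-of-a-kind systems until the final wave.

```python
from collections import Counter, defaultdict

# Constructed sample inventory (hostname, role); not taken from the article.
INVENTORY = [
    ("fin-pc-01", "finance"), ("fin-pc-02", "finance"),
    ("fin-pc-03", "finance"), ("fin-pc-04", "finance"),
    ("hr-pc-01", "hr"), ("hr-pc-02", "hr"),
    ("web-01", "webserver"), ("web-02", "webserver"), ("web-03", "webserver"),
    ("dc-01", "domain-controller"),
]

def plan_rollout(inventory, batches=3):
    """Return (pilot, waves). The pilot holds one device per role that has
    peers; the rest of each role is dealt round-robin across the waves, so
    devices with the same role land in different waves."""
    by_role = defaultdict(list)
    for host, role in inventory:
        by_role[role].append(host)
    pilot, singletons = [], []
    waves = [[] for _ in range(batches)]
    slot = 0
    for role in sorted(by_role):
        hosts = sorted(by_role[role])
        if len(hosts) == 1:
            # No peer to test on first: patch last, after a checkpoint/backup.
            singletons.extend(hosts)
            continue
        pilot.append(hosts.pop(0))
        for host in hosts:
            waves[slot % batches].append(host)
            slot += 1
    waves[-1].extend(singletons)
    return pilot, waves

def max_per_stage(pilot, waves, inventory):
    """Per role, the largest number of devices patched in any single stage."""
    role_of = dict(inventory)
    worst = Counter()
    for stage in [pilot, *waves]:
        for role, n in Counter(role_of[h] for h in stage).items():
            worst[role] = max(worst[role], n)
    return dict(worst)

if __name__ == "__main__":
    pilot, waves = plan_rollout(INVENTORY)
    print("pilot:", pilot)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}:", wave)
    print("max devices per role in one stage:", max_per_stage(pilot, waves, INVENTORY))
```

Leave the soak period the article recommends (a few days of normal use) between the pilot stage and wave 1 before continuing.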