Why patching is part of risk management strategy – and how to minimise the risks
April 5, 2018
Richard Blanford, Managing Director, Fordway
Despite high-profile issues such as last May’s WannaCry ransomware attack and the Petya/NotPetya malware that followed two months later, we find that many organisations we speak to have let their patching regime slide. Sometimes the problem is lack of resources, while for others it is put into the ‘too difficult’ box. We came across an organisation recently with this problem: patching was simply too difficult given their combination of in-house and outsourced systems, so some areas had not been patched for five years.
Embedded systems are another source of problems, from applications such as ATMs built around outdated versions of Windows to the recent Meltdown and Spectre issue which affected the x86 CPU architecture. And for many organisations, patching is simply pushed down the ‘to-do’ list by more interesting and seemingly more urgent tasks.
Of course, by the time a patch has been announced, the hole may already have been exploited – a zero-day vulnerability. However, the announcement of a patch publicises a vulnerability, so the longer you put off remediation, the greater the risk that it will be exploited. One tactic used by those with malicious intent is to send attachments which direct the unwary to a seemingly innocuous website which then scans their systems for vulnerabilities.
Very few organisations are going to be 100 per cent up to date with patching. However, getting it wrong exposes you to serious business risk, so patching should be part of your organisation’s overall risk strategy. The following tips provide a process for developing a patch management strategy to minimise risk by focusing resources on the most critical tasks.
Every organisation will have a different tolerance for risk depending on its sector, market position and many other factors. Being risk averse can be extremely expensive, but getting it wrong can be even more costly. So it is important to carry out a risk analysis to identify where the vulnerabilities are, how likely they are to be exploited, the impact on the business if they are, and what needs to be done to prevent this. You can then decide what resources are appropriate given your appetite for risk.
Most hackers follow the path of least resistance, the digital equivalent of trying the handle to see if the door is locked, so ensuring that your organisation is prepared for the most common threats may be enough to make them give up and move on to an easier target.
Remember that if you have an issue with one of your systems, the first question the vendor will ask is whether your patching is up to date. The problem may be totally unrelated to the patch, but the vendor may still refuse to do anything until all patches have been applied. You may also need to have your patching up to date for auditing purposes. The first step in your strategy should therefore be risk analysis, including operational, financial and reputational risks.
Prioritise business critical systems
The next step is to be pragmatic. You cannot patch everything at once, so take a holistic and prioritised approach, beginning with the systems most critical to your business, where a security breach could either halt operations or leave your business exposed to the loss of sensitive data.
Begin by carrying out initial patch testing of systems representative of the whole environment. The lessons learned during this phase should be recorded and taken forward to patch the rest of your systems. For example, did some patches break the service, cause other issues etc.? Did some patches also require changes to a registry key, or are there other prerequisites to ensure that the patch is applied successfully?
Ensure internet facing systems are protected
The internet provides a back door into your entire network, offering those with ill intent an opportunity to steal data and/or maliciously alter information, so any such systems should be a priority, ensuring that you follow the lessons learned during patch testing. You may be collecting data via your website, so think about your process for importing that data and what interactions are critical.
Remember applications and middleware
Patching is not just about the operating system, important though it may be. It is essential to keep on top of application patching and middleware patching, as unpatched Flash Player, Acrobat Reader, Java etc. are increasingly becoming a way into your system and can be exploited simply by visiting a website (known as a drive-by download) or via malvertising. It is also vital to ensure that any thin client machines are protected by always booting them from fully updated and patched OS images.
Can you automate or use a managed service?
A significant amount of time can be saved by automating patching, using tools such as SCCM which also provide reporting and auditing. Time required to set these up is quickly repaid in time saved. Another option is to have a third party provide patching as part of a managed service, or through the cloud (patching as a service) from organisations such as Fordway. In our experience, hot patching has minimal impact on cloud performance.
If your organisation has several hundred servers and thousands of desktops, patching is a full-time job and should probably be handled in-house. If you have fewer servers, and finding time for patching is a problem, it may be cheaper to use a third party provider. They will be implementing the same patches for many organisations, so you will benefit from their learning and scale, from monitoring of patch sources and real-time notification to 24x7 support.
For example, when the Petya/NotPetya malware was identified, Fordway had already applied a patch for our managed cloud customers against the EternalBlue vulnerability, one of the major routes of infection. We also provided customised advice to our Security Consultancy customers on how to implement the patch in their infrastructure as part of our routine incident response procedure.
Be prepared for the worst
Finally, adopt the mentality that one day you will be breached. As a minimum, ensure that you have a cyber security incident response procedure in place, a back-up of all business-critical systems and a tested and proven disaster recovery plan.