May 12th marked the second anniversary of one of the most globally devastating cyberattacks in history, known as WannaCry. As you might remember, this ransomware variant hit over 230,000 endpoints, spanning 150 countries in a matter of hours. It crippled organizations worldwide, including the UK’s National Health Service, numerous car manufacturers (among them: Renault, Honda, and Dacia), universities, hospitals, banks, government agencies, and more. The organizations affected were those that had not yet installed a security update Microsoft had issued one month earlier.

Just four months later, in September, credit rating giant Equifax announced that hackers had made their way inside its networks, exposing the names, dates of birth, social security numbers, and addresses of more than half the people in the U.S. The attackers entered Equifax’s Disputes Portal via a vulnerability in the company’s Apache Struts web-application software. Two months earlier, the Apache Software Foundation had disclosed the vulnerability, together with simple instructions for patching it, as soon as it was discovered. Equifax knew about the necessary fix, but failed to implement the patch, leaving its networks wide open to attack.

Though the two attacks were quite different, both could have been prevented if proper vulnerability mitigation processes had been in effect. In fact, the majority of attacks on enterprises today aren’t completely unknown zero-day exploits; they are known entities for which fixes have been released. And the abundance of ready-to-go exploit kits and scanning tools like Metasploit and Shodan make it even easier for attackers to find, and, well, exploit these weaknesses. Without a proper software vulnerability management process, attackers can easily infiltrate these otherwise well-defended networks.

So why isn’t patching a priority for many organizations?

The Challenges of Patch Management

Although most IT professionals are aware of its importance, there are often semi-legitimate reasons for failing to patch immediately. If patching were as simple as running a line of code, hitting some keys, and calling it a day, there’s no doubt that it would be a priority. But the truth is that patch management isn’t all that simple, and can bring with it new challenges considering all the platforms, configurations, departments, and endpoints that need to be accounted for.

Let’s have a look at the challenges that hinder proper software vulnerability management.

Lack of Awareness

Lack of awareness regarding the importance, as well as the “how-to’s,” of patching is one of the greatest impediments to proper patch management. Failing to understand the critical nature of patches has many implications, such as:

Increased Risks 

It may come as a surprise, but some organizations still don’t understand the degree to which their risk of falling prey to security incidents increases without proper patching. According to research from the UK’s Federation of Small Businesses, only 36% of small businesses in that region patch their systems. Sure, they attribute it to lack of time and money, but if organizations really understood how critical it is to patch, you can bet they’d invest.

Difficulty Creating Effective Test Groups

Some patches can work properly on most hardware and software configurations, but a certain driver or a wrong DLL combination might cause specific machines to crash after a patch process. Testing patches to ensure reliability is a mandatory part of the patching process. But often, IT teams don’t understand the importance of testing patches, and even if they consider it a smart practice, they may feel it’s not worth the time. Moreover, it can be difficult to design effective test groups and to make sure these groups represent all the different hardware/software configurations you have running on your networks.

Downtime and Loss of Productivity

When patches are installed improperly, and even in certain cases when a patch installation has been executed flawlessly, you may still need to shut down and reboot your servers or services. The subsequent downtime can cause a loss of availability and a reduction in productivity.

Knowing How to Prioritize Patches

With all the patches that are released, it’s difficult to determine which ones are the most pressing. According to Microsoft, 5,000 new patches are released each year, which amounts to roughly 15 per day. Not all of them are equally critical, so it’s hard to know which patches to install first. Prioritizing the patch installation process is a major undertaking that involves weighing the severity of the vulnerability, how easy it is to exploit in your specific network, and how critical the service in which the vulnerability resides actually is.

Proper Vulnerability Management

Given all the complications, it’s easy to see why patching isn’t always IT’s first resort. But it shouldn’t be all that arduous; with a comprehensive patch management process that includes discovery, prioritizing, testing each patch on a select group to ensure compatibility, deployment, and testing yet again, you can stay on top of the patching cycle with relative ease.

Let’s look at each step in depth.

Discovery

Discovery is an ongoing process for detecting new vulnerabilities. It is usually conducted either by a network scan or by a configuration management agent installed on the servers.

For the discovery process to go well, the following requirements must be met:

  1. The vulnerability database must be updated to the latest threats.
  2. The discovery software should be able to access all servers and workstations.
  3. The discovery software needs to support all OSes and applications installed.
  4. You must apply the patch.
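As an added example (not code from the original post or from Cynet), here is a minimal discovery pass that matches a software inventory against a vulnerability feed and, importantly, reports what the scan could not vouch for rather than silently passing it: a stale feed (requirement 1), unreachable hosts (requirement 2), and operating systems the hypothetical discovery agent does not support (requirement 3). Every host name, product, version, advisory id and date below is constructed for illustration.

```python
"""Added example, not from the original post: a minimal discovery pass that
matches a software inventory against a vulnerability feed and reports the
coverage gaps the four requirements above describe. Hosts, products, versions
and advisory ids are all constructed for illustration."""
from datetime import date

# Constructed feed: advisory id, affected product, first fixed version.
# Requirement 1: the feed must be fresh, so we record when it was last refreshed.
FEED_DATE = date(2019, 5, 20)
MAX_FEED_AGE_DAYS = 7
VULN_FEED = [
    {"id": "ADV-0001", "product": "acme-webserver", "fixed_in": "2.5.10"},
    {"id": "ADV-0002", "product": "acme-agent", "fixed_in": "1.4.0"},
]

# Requirement 3: the OSes the (hypothetical) discovery agent can inventory.
SUPPORTED_OS = {"windows", "linux"}

# Constructed inventory, as a scan or agent would return it.
INVENTORY = [
    {"host": "web01", "os": "linux", "reachable": True,
     "packages": {"acme-webserver": "2.5.9", "acme-agent": "1.4.2"}},
    {"host": "web02", "os": "linux", "reachable": True,
     "packages": {"acme-webserver": "2.5.10"}},
    {"host": "ws-17", "os": "windows", "reachable": False, "packages": {}},
    {"host": "nas01", "os": "freebsd", "reachable": True,
     "packages": {"acme-agent": "1.3.9"}},
]


def parse_version(v):
    """Dotted numeric version string -> tuple of ints, so "2.5.10" sorts after "2.5.9"."""
    return tuple(int(p) for p in v.split("."))


def version_lt(a, b):
    """True if version a is older than b; pads so "2.5" and "2.5.0" compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def run_discovery(inventory, feed, feed_date, today):
    """Return (findings, gaps).

    findings: (host, product, installed_version, advisory_id) per vulnerable install
    gaps:     (subject, reason, detail) for anything the scan could NOT vouch for
    """
    findings, gaps = [], []
    age = (today - feed_date).days
    if age > MAX_FEED_AGE_DAYS:                        # requirement 1
        gaps.append(("feed", "stale", f"vulnerability feed is {age} days old"))
    for host in inventory:
        if not host["reachable"]:                      # requirement 2
            gaps.append((host["host"], "unreachable", "no inventory collected"))
            continue
        if host["os"] not in SUPPORTED_OS:             # requirement 3
            gaps.append((host["host"], "unsupported_os", host["os"]))
            continue
        for adv in feed:
            installed = host["packages"].get(adv["product"])
            if installed is not None and version_lt(installed, adv["fixed_in"]):
                findings.append((host["host"], adv["product"], installed, adv["id"]))
    return findings, gaps


if __name__ == "__main__":
    found, missing = run_discovery(INVENTORY, VULN_FEED, FEED_DATE, date(2019, 5, 22))
    for f in found:
        print("VULNERABLE", *f)
    for g in missing:
        print("GAP", *g)
```

The gap list is the part most home-grown scripts omit: a host that was powered off or an appliance the agent cannot run on is not "clean", it is unknown, and it should show up in the report as such until it has been inventoried.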

Prioritizing

Deciding which patch to install first is often the most complex and difficult step. Considerations vary from managing downtime, to the importance of the vulnerable service, to how easy it is to exploit the vulnerability.

Testing

Your testing groups must represent the different hardware and software combinations your organization has. An additional testing challenge is determining whether the patching process was successful. And be aware that whether it worked isn’t always immediately apparent: bugs often take time to surface, and in the meantime users may be able to log in to a system that seems to be in proper working order.
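Building a test group that represents the fleet, as described here and under Difficulty Creating Effective Test Groups above, is a set-cover problem. The following added example (not from the original post) picks the smallest pilot group that covers every OS build, driver and application version seen in a constructed fleet, preferring non-production machines, and then reports which full combinations the group still does not contain. The fleet, its attributes and the idea of a "strict" mode are all assumptions made for this illustration.

```python
"""Added example, not from the original post: build a pilot test group that
represents every hardware/software attribute value present in the fleet,
preferring non-production machines. The fleet and its attributes are constructed."""

# Constructed fleet, described by the attributes that most often break patches
# (OS build, graphics driver, office suite) plus whether the machine is production.
FLEET = [
    {"host": "ws-01", "prod": False, "os": "win10-1809", "gpu_driver": "nv-419", "office": "2016"},
    {"host": "ws-02", "prod": True, "os": "win10-1809", "gpu_driver": "intel-25", "office": "2016"},
    {"host": "ws-03", "prod": False, "os": "win10-1903", "gpu_driver": "nv-419", "office": "365"},
    {"host": "ws-04", "prod": True, "os": "win7-sp1", "gpu_driver": "intel-20", "office": "2010"},
    {"host": "ws-05", "prod": False, "os": "win10-1903", "gpu_driver": "intel-25", "office": "365"},
    {"host": "ws-06", "prod": True, "os": "win7-sp1", "gpu_driver": "nv-419", "office": "2016"},
]
ATTRS = ("os", "gpu_driver", "office")


def covered_items(host, attrs, strict):
    """What a pilot host 'proves' when the patch works on it.

    strict=False: each (attribute, value) pair on its own.
    strict=True:  the whole combination, for when driver/app interactions matter.
    """
    if strict:
        return {("config", tuple(host[a] for a in attrs))}
    return {(a, host[a]) for a in attrs}


def select_test_group(fleet, attrs=ATTRS, strict=False):
    """Greedy set cover: repeatedly pick the host covering the most still-uncovered
    items, breaking ties towards non-production machines, then by host name."""
    uncovered = set().union(*(covered_items(h, attrs, strict) for h in fleet))
    remaining = list(fleet)
    chosen = []
    while uncovered and remaining:
        best = min(remaining, key=lambda h: (-len(covered_items(h, attrs, strict) & uncovered),
                                              h["prod"], h["host"]))
        gain = covered_items(best, attrs, strict) & uncovered
        if not gain:
            break
        chosen.append(best["host"])
        uncovered -= gain
        remaining.remove(best)
    return chosen


def unrepresented_configs(fleet, chosen, attrs=ATTRS):
    """Full attribute combinations present in the fleet that no chosen pilot host has.
    A non-empty result is the caveat of attribute-level (non-strict) coverage."""
    pilots = {tuple(h[a] for a in attrs) for h in fleet if h["host"] in chosen}
    return sorted({tuple(h[a] for a in attrs) for h in fleet} - pilots)


if __name__ == "__main__":
    group = select_test_group(FLEET)
    print("pilot group:", group)
    print("combinations not in the pilot group:", unrepresented_configs(FLEET, group))
    print("strict group:", select_test_group(FLEET, strict=True))
```

On the constructed fleet the non-strict mode needs three pilots to cover every attribute value, but three full combinations are still unrepresented; if a specific driver plus application pairing is what you fear, run the strict mode, which here needs one pilot per distinct combination.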

Deployment

As you embark on deployment, ensure that you deploy to all servers and that you don’t saturate the network link. Also, consider how you’ll handle restarts and the fact that users turn off their workstations at night. Lastly, don’t forget to think about how you plan on deploying to remote branches.

Testing Again

Finally, even after the patch has been installed, it’s wise to test it again to ensure that it’s defect-free and running smoothly.
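The Deployment and Testing Again steps above can be tied together in code. As an added example (not from the original post), the block below plans a staged rollout that caps concurrent installs per site so thin branch links are not saturated, defers hosts that are offline for a later wave, and then classifies each host from a post-install report instead of trusting the installer's exit code alone. Hosts, sites, caps, versions and the report fields are constructed for this illustration.

```python
"""Added example, not from the original post: plan a throttled, per-site rollout
and verify each host afterwards. All hosts, sites and versions are constructed."""

PATCH = {"product": "acme-agent", "target_version": "1.4.3"}

# Constructed inventory: which site a host is in and whether it is currently online.
HOSTS = [
    {"host": "hq-web01", "site": "hq", "online": True, "pre": "1.4.1"},
    {"host": "hq-web02", "site": "hq", "online": True, "pre": "1.4.1"},
    {"host": "hq-ws17", "site": "hq", "online": False, "pre": "1.4.0"},   # switched off overnight
    {"host": "br1-fs01", "site": "branch1", "online": True, "pre": "1.4.2"},
    {"host": "br1-ws03", "site": "branch1", "online": True, "pre": "1.4.1"},
    {"host": "br1-ws04", "site": "branch1", "online": True, "pre": "1.4.1"},
    {"host": "br2-ws01", "site": "branch2", "online": False, "pre": "1.3.9"},
]
# Per-site cap on simultaneous installs: remote branches sit behind thin links.
SITE_CAP = {"hq": 2, "branch1": 1, "branch2": 1}


def plan_waves(hosts, site_cap, default_cap=1):
    """Return (waves, deferred).

    waves:    list of host-name lists; each wave respects every site's cap
    deferred: hosts that are offline now and must be retried in a later run
    """
    deferred = [h["host"] for h in hosts if not h["online"]]
    queues = {}
    for h in hosts:
        if h["online"]:
            queues.setdefault(h["site"], []).append(h["host"])
    waves = []
    while any(queues.values()):
        wave = []
        for site in queues:
            cap = site_cap.get(site, default_cap)
            wave.extend(queues[site][:cap])
            queues[site] = queues[site][cap:]
        waves.append(wave)
    return waves, deferred


# Constructed post-install reports: what an agent would send back after the wave.
POST_INSTALL = [
    {"host": "hq-web01", "exit_code": 0, "installed_version": "1.4.3", "reboot_pending": False, "service_healthy": True},
    {"host": "hq-web02", "exit_code": 0, "installed_version": "1.4.1", "reboot_pending": False, "service_healthy": True},
    {"host": "br1-fs01", "exit_code": 0, "installed_version": "1.4.3", "reboot_pending": True, "service_healthy": True},
    {"host": "br1-ws03", "exit_code": 1, "installed_version": "1.4.1", "reboot_pending": False, "service_healthy": True},
    {"host": "br1-ws04", "exit_code": 0, "installed_version": "1.4.3", "reboot_pending": False, "service_healthy": False},
]


def verify_host(report, target_version):
    """Classify one host. A zero exit code on its own proves nothing."""
    if report["exit_code"] != 0:
        return "failed"
    if report["installed_version"] != target_version:
        return "not-applied"       # installer said OK but the binary did not change
    if report["reboot_pending"]:
        return "pending-reboot"    # fix is on disk but not yet in effect
    if not report["service_healthy"]:
        return "regression"        # patched, but the service no longer works
    return "verified"


def verify_rollout(reports, target_version):
    return {r["host"]: verify_host(r, target_version) for r in reports}


if __name__ == "__main__":
    waves, deferred = plan_waves(HOSTS, SITE_CAP)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {wave}")
    print("deferred:", deferred)
    for host, status in verify_rollout(POST_INSTALL, PATCH["target_version"]).items():
        print(f"{host}: {status}")
```

Only hosts in the "verified" state should be counted as patched in the discovery data; "pending-reboot" hosts are still running the old code, and "not-applied" is the case where the install reported success without changing anything.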

Key Considerations for Your Software Vulnerability Management Process

A well-designed and well-executed patch management process will help efficient patching become a routine, yet highly beneficial, aspect of your workflow, just like any other necessary task. As you roll out your plan, here are some additional elements to consider:

Periodic Patching vs. Immediate Patching

It is recommended to install patches periodically, but there are instances when you may need an immediate installation because of a critical risk. This usually occurs when the software vendor issues a hotfix, and was clearly demonstrated last week when Microsoft issued a new emergency patch for an RDP vulnerability in Windows XP and Server 2003. (These are both now-unsupported systems that don’t typically receive patches anymore, but due to the highly critical nature of the vulnerability, with a severity score of 9.8 out of 10, the patch was released.) In such situations, the IT department should use a mailing list or an early warning notification service to alert all users about the risk.
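The prioritization factors named under Knowing How to Prioritize Patches and Prioritizing above (severity, ease of exploitation in your own network, criticality of the affected service) and the immediate-versus-periodic decision in this section can be made explicit in a small triage routine. The block below is an added example, not code from the original post or from any product it mentions: the weights, thresholds, vulnerability ids, scores and services are assumptions chosen for illustration, not a published standard.

```python
"""Added example, not from the original post: rank open vulnerabilities by
severity, exposure in your own network and asset criticality, and separate
out-of-band emergencies from the regular patch cycle. Ids, scores, services
and all weights are constructed assumptions."""
from dataclasses import dataclass

# Assumed weights: how reachable the vulnerable service is in *your* network ...
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
# ... and how critical the service is (tier 1 = business-critical).
TIER_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
EXPLOIT_PUBLIC_MULTIPLIER = 1.5
EMERGENCY_CVSS = 9.0


@dataclass
class Vuln:
    id: str
    service: str
    cvss: float            # vendor/NVD base score, 0-10
    exposure: str          # "internet", "internal" or "isolated"
    exploit_public: bool   # working exploit code or active exploitation reported
    tier: int              # criticality of the service the flaw sits in
    hotfix: bool = False   # vendor shipped an out-of-band fix for it


def priority_score(v):
    """Severity scaled by exposure and asset criticality, boosted if an exploit is public."""
    score = v.cvss * EXPOSURE_WEIGHT[v.exposure] * TIER_WEIGHT[v.tier]
    if v.exploit_public:
        score *= EXPLOIT_PUBLIC_MULTIPLIER
    return round(score, 2)


def schedule(v):
    """Immediate installation only for vendor hotfixes or critical flaws that are
    actually reachable or actively exploited; everything else waits for the cycle."""
    if v.hotfix or (v.cvss >= EMERGENCY_CVSS and (v.exploit_public or v.exposure == "internet")):
        return "immediate"
    return "next-cycle"


def rank(vulns):
    """Highest priority first; ties broken by id so the order is reproducible."""
    return sorted(vulns, key=lambda v: (-priority_score(v), v.id))


# Constructed backlog.
BACKLOG = [
    Vuln("VULN-A", "remote-access", 9.8, "internet", True, 1, hotfix=True),
    Vuln("VULN-B", "file-share", 7.5, "internal", False, 2),
    Vuln("VULN-C", "lab-controller", 9.1, "isolated", False, 3),
    Vuln("VULN-D", "web-portal", 5.3, "internet", True, 1),
]


if __name__ == "__main__":
    for v in rank(BACKLOG):
        print(f"{v.id:8} {v.service:15} score={priority_score(v):6.2f} {schedule(v)}")
```

The point of the ranking is that a 9.1 on an isolated lab controller (VULN-C) lands at the bottom of the list, while a 5.3 on an internet-facing portal with public exploit code (VULN-D) outranks a 7.5 on an internal share; raw CVSS alone would order them the other way. Whatever becomes "immediate" is what the early warning notification mentioned above should announce.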

Tools to Help You Prioritize

As mentioned above, knowing which patches take priority is no simple feat, but it’s an important part of being efficient. The Cynet 360 security platform includes a powerful vulnerability assessment tool, part of its proactive visibility capabilities, that helps IT/security teams prioritize their patching process based on the importance of the patches and of the target system.

Register for an Early Warning Notification System

As mentioned above, make sure to use an early warning system to inform all parties of necessary hotfixes.

Automate and Document Your Processes

Every patching process should be handled as a change request or an IT event. Documenting the vulnerability and the patching process is mandatory for troubleshooting and for any post-incident investigation. Automation is important because manual work is always at risk of human error.

Be Aware of Products That Are No Longer Supported

If you’re using products that are no longer supported, patches may not be created when vulnerabilities are discovered. This is a dangerous position to be in, so you’ll probably want to upgrade when you’re able to.

Final Thoughts

As long as there’s software, there will be vulnerabilities that can put users in the line of fire. It’s clear that a solid patch management plan, coupled with an effective detection/remediation strategy, is the best way to stay on top of the myriad threats that plague networks. Though it may seem daunting, with the right tools and processes, you can stay ahead of the patching curve and help your networks become better secured.
