May 12th marked the second anniversary of one of the most globally devastating cyberattacks in history, known as WannaCry. As you might remember, this ransomware variant hit over 230,000 endpoints, spanning 150 countries in a matter of hours. It crippled organizations worldwide, including the UK’s National Health Service, numerous car manufacturers (among them: Renault, Honda, and Dacia), universities, hospitals, banks, government agencies, and more. Affected by the exploit were organizations that had not yet installed a security update issued by Microsoft one month prior.
Just four months later, in September, credit rating giant Equifax announced that hackers had made their way inside its networks, exposing the names, dates of birth, social security numbers, and addresses of more than half the people in the U.S. The attackers entered Equifax’s Disputes Portal via a vulnerability in the company’s Apache Struts web-application software. Two months earlier, The Apache Software Foundation disclosed the vulnerability, along with simple instructions on how to patch it, as soon as it was discovered. Equifax knew about the necessary fix, but failed to implement the patch, leaving its networks wide open for attacks.
Though the two attacks were quite different, both could have been prevented if proper vulnerability mitigation processes had been in effect. In fact, the majority of attacks on enterprises today aren’t completely unknown zero-day exploits; they are known entities for which fixes have been released. And the abundance of ready-to-go exploit kits and scanning tools like Metasploit and Shodan make it even easier for attackers to find, and, well, exploit these weaknesses. Without a proper software vulnerability management process, attackers can easily infiltrate these otherwise well-defended networks.
So why isn’t patching a priority for many organizations?
The Challenges of Patch Management
Although most IT professionals are aware of its importance, there are often semi-legitimate reasons for failing to patch immediately. If patching were as simple as running a line of code, hitting some keys, and calling it a day, there’s no doubt that it would be a priority. But the truth is that patch management isn’t all that simple, and can bring with it new challenges considering all the platforms, configurations, departments, and endpoints that need to be accounted for.
Let’s have a look at the challenges that hinder proper software vulnerability management.
Lack of Awareness
Lack of awareness regarding the importance, as well as the “how-to’s,” of patching is one of the greatest impediments to proper patch management. Failing to understand the critical nature of patches has many implications, such as:
It may come as a surprise, but some organizations still don’t understand the degree to which their risk of falling prey to security incidents increases without proper patching. According to research from the UK’s Federation of Small Businesses, only 36% of small businesses in that region patch their systems. Sure, they attribute it to lack of time and money, but if organizations really understood how critical it is to patch, you can bet they’d invest.
Difficulty Creating Effective Test Groups
Some patches can work properly on most hardware and software configurations, but a certain driver or a wrong DLL combination might cause specific machines to crash after a patch process. Testing patches to ensure reliability is a mandatory part of the patching process. But often, IT teams don’t understand the importance of testing patches, and even if they consider it a smart practice, they may feel it’s not worth the time. Moreover, it can be difficult to design effective test groups and to make sure these groups represent all the different hardware/software configurations you have running on your networks.
Downtime and Loss of Productivity
When patches are installed improperly, and even in certain cases when a patch installation has been executed flawlessly, you may still need to shut down and reboot your servers or services. The subsequent downtime can cause a loss of availability and a reduction in productivity.
Knowing How to Prioritize Patches
With all the patches that are released, it’s difficult to determine which ones are the most pressing. According to Microsoft, 5,000 new patches are released each year, which amounts to roughly 15 per day. Not all of these are as critical as others, so it’s hard to know which patches to install first. Prioritizing the patch installation process is a major undertaking involving calculating the severity of the vulnerability, how easy it is to exploit in your specific network, and how critical the service in which the vulnerability resides actually is.
Proper Vulnerability Management
Given all the complications, it’s easy to see why patching isn’t always IT’s first resort. But it shouldn’t be all that arduous; with a comprehensive patch management process that includes discovery, prioritizing, testing each patch on a select group to ensure compatibility, deployment, and testing yet again, you can stay on top of the patching cycle with relative ease.
Let’s look at each step in depth.
Discovery is an ongoing process for detecting new vulnerabilities. It is usually conducted by either network scan or using a configuration management software agent on servers.
For the discovery process to go well, the following requirements must be met:
- The vulnerability database must be updated to the latest threats.
- The discovery software should be able to access all servers and workstations.
- The discovery software needs to support all OSes and applications installed.
- You must apply the patch.
Deciding which patch to install first is often the most complex and difficult step. Considerations vary from managing downtime, to the importance of the vulnerable service, to how easy it is to exploit the vulnerability.
Your testing groups must represent the different hardware and software combinations your organization has. An additional testing challenge is determining if the patching process was successful or not. And be aware, determining whether or not it worked isn’t always immediately apparent—bugs often take time to surface, while meanwhile, users may be able to log in to a system that seems to be in proper working order.
As you embark on deployment, ensure that you deploy to all servers and that you don’t overflood the comm line. Also, consider how you’ll handle restarts and the fact that users turn off their workstations at night. Lastly, don’t forget to think about how you plan on deploying to remote branches.
Finally, even after the patch has been installed, it’s wise to test it again to ensure that it’s defect-free and running smoothly.
Key Considerations for Your Software Vulnerability Management Process
A well designed and executed patch management process will help efficient patching become a routine, yet highly beneficial, aspect of your workflow, just like any other necessary tasks. As you roll out your plan, here are some additional elements to consider:
Periodic Patching vs. Immediate Patching
It is recommended to install patches periodically, but there are instances when you may need an immediate installation because of a critical risk. This usually occurs when the software vendor issues a hotfix, and was clearly demonstrated last week when Microsoft issued a new emergency patch for an RDP vulnerability in Windows XP and Server 2003. (These are both now-unsupported systems that don’t typically receive patches anymore, but due to the highly critical nature of the vulnerability, with a severity score of 9.8 out of 10, the patch was released.) In such situations, the IT department should use a mailing list or an early warning notification service to alert all users about the risk.
Tools to Help You Prioritize
As mentioned above, knowing which patches take priority is no simple feat, but it’s an important part of being efficient. Cynet 360 security platform includes a powerful vulnerability assessment tool as part of its proactive visibility capabilities that can easily assist IT\security teams with to prioritize their patching process based on the importance of the patches and the target system.
Register for an Early Warning Notification System
As mentioned above, make sure to use an early warning system to inform all parties of necessary hotfixes.
Automate and Document Your Processes
Every patching process should be handled as a change request or an IT event. Documenting the vulnerability and the patching process is mandatory for troubleshooting and the aftermath investigation. Automation is important because manual work is always at risk of human error.
Be Aware of Products That Are No Longer Supported
If you’re using products that are no longer supported, patches may not be created when vulnerabilities are discovered. This is a dangerous position to be in, so you’ll probably want to upgrade when you’re able to.
As long as there’s software, there will be vulnerabilities that can put users in the line of fire. It’s clear that a solid patch management plan, coupled with an effective detection\remediation strategy, is the best way to stay on top of the myriad threats that plague networks. Though it may seem daunting, with the right tools and processes, you can stay ahead of the patching curve and help your networks become better secured.