Ripped jeans may be ‘fashionable’ but when it comes to patching, repairing the damage is vital. Very much like a patch used to repair a hole in your favourite jeans, “patching” refers to the process of applying a fix for an exposed flaw in a computer’s operating system or application.
Patches commonly address a specific flaw or bug, fix a security vulnerability or improve an application or OS overall stability. The frequency of which you will have seen a pop-up kindly letting you know that a new update is available, and would you like to apply it now or snooze it till a convenient time, will be near daily.
The real question is, what do you do when this choice arises and what does the wider control of patch management really do for your business?
Firstly, before making any decisions you need to understand the risk you put yourself and your business at when denying these patches.
Attackers and bots – Unfortunately in the current digital age it’s not a case of if your organisation gets attacked but when. Nearly 40% of all traffic on the internet is generated by bots and over half of these are considered bad. There is a constant flow of bots out there searching for specific versions of software with known exploits waiting to get a positive match.
Time is of the essence – When a vulnerability gets discovered people (good and bad) all around the globe are hard at work finding the way the vulnerability is exploited and putting this into practice. It’s a race between fixing systems and attacking systems. When a patch is released it is more than likely that an exploit for the vulnerability already exists and there is a bot searching for it. The quicker you apply a patch or fix the less of a target you become.
The severity of vulnerabilities can vary dramatically however critical vulnerabilities are found in software every day. Hope for the best, prepare for the worst.
The old faithful, WannaCry outbreak cost the NHS an estimated £92 Million when it could have been avoided by applying a simple patch 2 months before the outbreak. It not only cost the NHS a substantial amount of money but also the possibility for human lives to be lost due to missed appointments and vital health services not being available.
So, you understand the importance of patching and the impact not applying patches can have on your business but how do you go about getting a plan together and making sure you’re not putting your systems and data at risk?
Stay calm and know your risk – There is a fine balance between usability and security and every business needs to assess its needs individually. From a security standpoint getting any security or critical patches applied immediately is preferred. In practice this can’t always happen due to practical issues (for example, machines not being online to receive a patch), being able to centrally see what is going on in your estate is vital to understand what your exposure is to vulnerabilities.
Make a plan and stick to it – The Cyber Essentials standard requires “all high-risk or critical security updates for operating systems and firmware installed within 14 days of release” how this is achieved is down to each individual business (Automatic updates, Remote Patch Management etc.) but the NCSC backed certification is a good starting point to meet and achieve.
Get Tested! Third party validation – You are following your plan but you need to make sure it’s working and that there isn’t anything else lurking in the background waiting to be exploited. Having a penetration test performed on (at least your external facing) assets ensures that there aren’t any vulnerabilities available to be exploited. Providing you the assurance that your assets, data and business is being presented to attackers as competent and secure and therefore more hassle than it’s worth. (hackers typically go for low hanging fruit first)
Hopefully with the information above you now have a better understanding of updates and patching, why they are important and the steps to take to make sure you protect your business and understand its risk.