ITB - IT Solutions for the next generation
linkedin logo twitter logo facebook logo google+ logo

To Patch or not to Patch, That is the question.

10th May 2018
To Patch or not to Patch, That is the question.

All software that is developed will have certain technical vulnerabilities, some more severe than others. These vulnerabilities can be exploited by hackers
to break into systems and software to deploy Malware which can then be used for a multitude of sins (see our blog on Malware Protection to learn more about the different forms of Malware). If these vulnerabilities aren’t fixed, then an organisation becomes a sitting target for a hacker
if its made public.

On the face of it, fixing, or ‘patching’ these vulnerabilities seems like a pretty straightforward task, however, when in Cybersecurity is anything ever

As we’ve spoken about in previous blogs, the bigger the organisation, the more complicated the problem is to address. If you’re rolling out patches to
ten machines all running the same software, you won’t have too much of a headache, however, if you’re a business with several thousand endpoints, servers,
applications and databases it can become a nightmare to manage. Throw into the mix patching Microsoft Applications and Third party applications across
the enterprise and the process can become tedious and repetitive as well as a headache if done manually.

Many organisations can fall into the trap of throwing money at Cybersecurity to fix problems but focusing more on internal procedures and developing a
strong Patch Management process can reap as much benefit.

As a Cybersecurity reseller, we don’t advocate ‘selling based on fear’, but there is too much at stake to get patching wrong. Just ask the now ex-CEO at
credit firm Experian.

The patching issue at Experian is one every company can learn from. A patch was released to fix a vulnerability in the Apache Struts platform (an opensource
web application that is popular with Experian’s corporate clients) in March 2017 however for whatever reason this patch was never rolled out and Experian
was hacked 2 months later in May. It was this wide-open vulnerability coupled with a lack of encryption and poor process that led to the breach.

It’s too easy to lay the blame at the door of the person responsible for rolling out this particular patch, however, the issue runs much deeper than that
and actually shows a lack of respect for what could happen if an important patch isn’t rolled out.

So, what can we take away from this incident?

The main thing we can learn from this is how important it is to ensure you have a strong process in place for rolling out patches.

Ensure that you have somebody within IT who is responsible for patching, this doesn’t have to be somebody with the sole responsibility of rolling out patches
(unless you’re a huge multinational organisation that is) but somebody who’s job has a strong emphasis on managing this particular function.

There may be several people in IT responsible for patching, but somebody should be accountable for ensuring they are rolled out in a timely fashion, effectively
and with minimal downtime. Also, have a contingency plan in place to ensure that the process doesn’t fall down if this person isn’t available to manage

Ensuring minimal downtime is difficult to achieve, however, there are certain things IT operations can do to roll out patches with minimal fuss. One such
thing is to set-up a test environment where any patch updates can be tested before being rolled out in a live production environment. This may take
some time to set-up but the ROI will be ten-fold when organisations consider the cost associated with fixing broken systems.

IT should also develop an asset inventory to help ensure that all software and systems are covered when patches are rolled out. If an organisation doesn’t
know that a device exists then how can it be patched?

Here at ITB we regularly speak about the fact that humans alone cannot stop cybersecurity threats, and neither can machines, but a combination of both
can work well. This also rings true with Patch Management, and there are several platforms available to help make the process of rolling out patches
easier for IT teams.

Many tools will help organisations maintain compliance regulations by automatically checking for and offering to deploy critical new patches as they are
released although automatically deploying patches isn’t something we would recommend as it can cause issues. Using a Patch Management solution will
also help with asset discovery and provide reports on what updates and patches need addressing including the urgency of these.

For a conversation on how we can help you address Patch Management and your processes feel free to call us on 01865 595510.