Modernising the approach to patching in response to today’s business landscape

Why is Patch Management important?

As individuals, we will likely patch our home devices on an ad-hoc basis. Our programs and services either all have their own automatic patching, or we’ll simply download patches as they become available, and if we know about them. In a business or organisation running anything from dozens to hundreds or thousands of different endpoints, there needs to be a system in place to manage and ensure the patching process. The first line of defence against hackers for any business should be an up-to-date, properly patched and sanitised IT system.

The importance of proper patching procedures goes right to the basis of the business. This is not just a security consideration, but one that affects operational efficiency. If different teams or departments are operating with different versions of the same software, productivity and efficiency can suffer as a result. There is a risk of costly downtime while any issues are fixed; so, enterprises need to ensure that parity is maintained between all different instances of software, services and operating systems in use. 

But it is the vulnerability to cyber-attack that is the most dramatic effect of poor patching. Bache Brown & Co, a leading Chartered Certified Accountants firm, explains [1]: “As with any business, IT is crucial to our success, and if our business is at risk of a cyber-attack, it can cause severe losses, from reputational damage to downtime disruption…All the main tools we use…rely heavily upon IT, so all of our systems need to be working efficiently and securely otherwise we would not be able to operate as a business.” 

On the security side, proper patching is the first and best defence against vulnerabilities, one of the most troublesome security risks due to their unpredictability and potential severity. Developers work hard to discover and fix any vulnerability or flaw in the software they provide, but a zero-day vulnerability is one that is not yet known to either vendors or creators. If hackers discover this vulnerability first, they can exploit it, infecting a business’ devices with ransomware or causing a costly customer data breach.

Most of the time, a zero-day is reported or discovered and fixed by the software providers before hackers can significantly capitalise on it. However, if a patch isn’t implemented at the user end, a fixed zero-day effectively remains an unfixed zero-day for the user. The original software provider can do nothing to protect a business that doesn’t implement their patches. The infamous Equifax breach from a few years ago was caused by a failure to fully apply patches to known vulnerabilities. One obscure server was left unpatched, allowing the hackers an entry point into the system.

It has been estimated [2] that at least 60% of data breaches are caused by known, unpatched security vulnerabilities ‒ so proactive patching is the best policy. A patch management service gives businesses a specialised team who can take a proactive approach to organising and managing the patching process. It can provide a clear scope of which software and services are critical to the business and improve uptime and  security. But is it really necessary to use an external specialised team for this?

Don’t manage alone

For many businesses, the approach to patching goes no further than the policy level. As important as it is to keep all the enterprise’s systems up to date, it is often left to the individual users to make sure their devices are in line with the company’s requirements. Effective oversight and enforcement of this kind of approach is often impossible, especially in larger organisations. Placing the responsibility to stay up-to-date on employees increases user friction, harming productivity and increasing the likelihood of non-compliance. Many organisations struggle to patch in a timely manner, with over 40% of companies taking longer than a week to deploy security patches.

A priority for 2021 is ensuring that patch management is implemented on all remote devices, in response to the workplace changes made by the Covid-19 pandemic and the lockdown landscape ‒ many of us are now working from home using either our personal devices or an authorised remote device owned by the business. This has decentralised the workplace to an unprecedented degree, making coordination with system updates more difficult than ever.

The key to successful patching is to always use legitimate patching sources, directly from the vendor.  Attacks against SolarWinds and Ukrainian banks recently demonstrated why. Hackers are always looking for potential vulnerabilities to exploit, and sometimes an insecure patching process can create just as much risk as unpatched systems. Supply chain attacks can compromise update sources or create fake updates that result in users directly downloading malicious software when they think they’re keeping themselves secure. 

We saw a long, destructive example of this last year with the SolarWinds/Orion attack [3]. The US-based IT vendor SolarWinds, and its management software Orion, was compromised by probable state-sponsored hackers. Malicious code was injected into an Orion update, which then found its way into the systems of many SolarWinds client organisations, including several US government departments, during normal update procedures. It was a case of doing harm while attempting to be good.

Another type of supply chain attack that abused the update process became known as a ‘Magecart’ attack. In 2018, British Airways became a victim. Details from around 400,000 customers were stolen; and in October 2020 British Airways was fined £20 million by the Information Commissioner for the incident. Magecart takes advantage of failures to manage patching and updating.

On rare occasions, even official patches will introduce new zero-day vulnerabilities – or reintroduce known vulnerabilities. In 2019, Apple’s mobile operating system iOS inadvertently restored a previously fixed security vulnerability that would allow hackers to take complete control of a user’s device.

In-house management of the patching process might be tempting, but with all the issues and pitfalls that can affect a business’ security and productivity, this often becomes unworkable. Companies not only need to ensure that all relevant endpoints have proper oversight, but also need to be on-guard for fake patches, supply chain vulnerabilities and even security issues from the official patch sources. Again, going directly to the vendor can mitigate any doubt. It’s impractical to leave everything to individual employees but automating updates to always accept the latest patch can be difficult to set up effectively and reduces the business’ ability to respond to new security threats.

Making patching work

It’s clear that as the business, IT and cyber security landscapes have evolved, patching can no longer be an afterthought ‒ but it remains a complex and difficult process that is too often ignored or got wrong. An external patch management service allows for a specialised team to not only make sure every endpoint and service is in line with the business’ requirements, but also monitor new patch releases and scan for supply chain vulnerabilities. OGL Computer, along with its cyber security division CyberGuard Technologies, has partnered with many organisations to provide the kind of responsive, proactive and adaptive patch management service that enterprises need in 2021 and beyond.

The positive results of a patch management service, and other specialist cyber security services such as EDR and SIEM are best observed in action. Bache Brown & Co’s Director commented on the scope of help that OGL’s patch management can provide: “CyberGuard and OGL have  vastly improved our efficiency and contributed to our business growth. Their effective IT support for any workstation issues is greatly appreciated and they have significantly enhanced the security for our file server. They were also very resourceful with their assistance in us becoming GDPR compliant.”

OGL can work with businesses to not only improve their patch management procedures and systems, but tailor the service to the business’ individual needs, creating the most effective solution for any given situation or requirement. As Bache Brown & Co’s director observed, “The service is fully managed and tends to operate behind the scenes. It ensures that our software is up to date so that we never have any problems, offering us peace of mind. We also have a daily report from OGL identifying any issues, which constantly keeps us informed of any potential problems.”

For more information on OGL Computer’s Patch Management service, check the information page [4], for answers to key questions about patch management [5].

References:
[1] https://www.ogl.co.uk/bache-brown
[2] https://www.darkreading.com/vulnerabilities---threats/unpatched-vulnerabilities-the-source-of-most-data-breaches/d/d-id/1331465
[3] https://www.blackhatethicalhacking.com/articles/free-access/solarwinds-supply-chain-hack/
[4] https://www.ogl.co.uk/patch-management 
[5] https://www.ogl.co.uk/why-do-i-need-patch-management