Most organizations are certain that they’re staying on top of their vulnerability patching. It’s working like clockwork, and patches are applied on time. The reality is usually much different, and it’s introducing security risks to your company.

The ongoing welfare of your organization depends on confirming and addressing your vulnerability patching procedures. I can make that statement with confidence, even though I have never assessed your organization. 

Even if you’re confident that your company is knocking it out of the park with applying vulnerability patches, you should take a closer look. In this article, we’ll expose the gaps and risks you didn’t know you have with your patching.

Automated Vulnerability Patching Alone Doesn’t Cut It

Many organizations lean on automated patch application, or on automated notifications from a vendor or target system, such as Microsoft's monthly Patch Tuesday releases. The system comes up, tells you there are patches to apply, the patches get applied, and you assume you're all good. 

But this wholesale approach can leave dangerous gaps in your patching practices. That’s because automated systems don’t cover all of the patches that need to be applied. There will remain gaps that your team has to fill on its own.

Take your antivirus patching as an example. The antivirus engine needs its own patches, and the definition files need to be updated at least once a day, and possibly multiple times per day as new threats are identified. Many companies assume that every machine in the organization is set to automatically update the antivirus software — so they're good, right?

Dig a little deeper and you’ll usually discover that someone screwed up when configuring antivirus on a particular machine, and there’s a machine (or multiple machines) that isn’t updating properly. That’s just one example, but most organizations have multiple similar points of failure.


IT Teams Aren’t Security Experts

Your IT personnel have a process they’ve been using for years, and so far it hasn’t let you down. But nobody is perfect, and no one can do a perfect job 100 percent of the time. 

There’s a lot of pressure on IT teams to live up to unrealistic expectations, so they aren’t likely to advertise areas where they may not be the experts everyone thinks they are. It’s common for executives to assume that IT is doing everything perfectly related to security and compliance — even though they aren’t security and compliance experts.

Across the engagements I've been on, I've seen a spectrum of IT teams. Some didn't have it together at all, and some were doing a solid job. But in my entire career, I've encountered fewer than five companies that have actually been great with vulnerability patching. Every other company has needed some form of improvement.

There’s always room for your organization to grow, and vulnerability patching is almost certainly one of those areas.

Who Is Accountable for Proper Patch Management? (No One.)

Let’s put it in perspective. In your company’s finances, you have a series of checks and balances built in, to ensure your numbers and your reports are correct. In fact, your company would be negligent if you didn’t have those accountabilities built in. It’s how you protect your organization, prove you’re operating above board, and keep your business healthy.

While you apply this kind of rigor to your financial health, most organizations neglect to implement a similar level of accountability in their IT functions. It’s the wild west.

In most cases, there are no built-in checks and balances to ensure systems are protected, which inherently introduces risk. In the case of security/compliance, it isn’t a stretch to say that the risks could put you out of business.

Every organization is too close to its own IT and security activities to see its gaps in security. That’s the value of having a third-party consultant come in and evaluate your security program. Just as your financials are audited on a regular basis, your security and compliance needs regular auditing. They’re both much too critical to your business not to do it.

If your organization isn’t subject to a third-party audit on a regular basis, there’s nothing forcing you to have any oversight of your existing IT personnel. Having that sanity check in place is a huge priority for protecting your organization from a data breach.

“But We Don’t Have Sensitive Information to Steal”

I often hear comments from organizations that they don’t have any sensitive information that needs to be protected. They only have first and last names, phone numbers, addresses, and emails. Since it’s considered publicly available information, it’s seen as unimportant for data protection. 

Do some research on organizations that had only that form of information breached, and you’ll quickly discover how pissed off your customer base will get when it happens to your company. You can quickly find your business in deep trouble, even when it’s “just publicly available information” that gets stolen.

It’s your company’s responsibility to be a safe place for your customers, vendors, partners, and employees. They trust you with their information, and they deserve your best efforts to protect it. In fact, the longevity of your organization depends on it.

How to Assess Your Vulnerability Patching Process

How do you assess your patch management and reduce your risks? Follow this four-step process to gain clarity and control of your patching.

Step 1: Create and maintain accurate inventories

Essentially, it comes down to having an accurate and up-to-date inventory of all of your hardware and software. Hardware includes physical and virtual hardware (such as cloud infrastructure). 

That sounds like an easy task, but for larger companies it can be a daunting challenge — because not only do you need to create the inventory, you also have to actively maintain it as you’re deploying new assets or deprecating them.

Find detailed best practices for device inventory management.

Step 2: Conduct validations

Once you have your inventories together — and your inventories reflect what you ACTUALLY have installed on each asset, not what should be installed — now you can do several validations:

  1. Review every item in your inventories and make sure it’s receiving the various updates that are needed.
  2. Verify that you have a source that will provide updates to each item. Also verify whether the update will be automatically or manually applied. 
  3. For every manual update, confirm that there’s a schedule to follow.
  4. Confirm that there’s an audit trail to track every update for every asset and piece of software in your inventory.

Reality check: don’t expect to complete this process in a few days or a couple weeks. It can be a huge project, depending on the size of your organization and the current state of your inventory/vulnerability patch management. There’s a deceptive amount of complexity involved in this activity.
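The four validations above are easier to reason about when they are written down as checks against the inventory itself. The script below is an added example, not TCT's tooling or anything from the original article: it takes a constructed inventory (the hosts, software names, update sources and timestamps are all made up for illustration) and reports, per asset, which of the four checks fail. The staleness limit per asset, the "auto" versus "manual" mode and the schedule cadence are assumptions you would replace with your own policy.

```python
"""Added example: check an inventory against the four Step 2 validations.
The assets, sources and timestamps below are constructed for illustration;
nothing here queries a real host."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "now" so the run is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Asset:
    host: str
    software: str
    update_source: Optional[str]      # feed/repo/WSUS/vendor portal; None = no known source
    mode: str                         # "auto" or "manual"
    schedule_days: Optional[int]      # agreed cadence for manual updates (None = no schedule)
    max_age: timedelta                # how stale an update may be before it is a finding
    last_update: Optional[datetime]   # last update actually observed on the host (None = no telemetry)
    audit_trail: bool                 # is every applied update logged somewhere reviewable?


def validate(assets: List[Asset], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {"host/software": [issues]} for every asset that fails a check.
    Clean assets are omitted, so an empty dict means the inventory passed."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues: List[str] = []
        # Validation 2: is there a known source that will provide updates?
        if not a.update_source:
            issues.append("no update source identified")
        # Validation 3: manual updates need a schedule, and the schedule must fit
        # inside the staleness limit or it can never be met.
        if a.mode == "manual":
            if a.schedule_days is None:
                issues.append("manual updates with no schedule")
            elif timedelta(days=a.schedule_days) > a.max_age:
                issues.append(f"schedule of {a.schedule_days}d exceeds {a.max_age.days}d limit")
        # Validation 1: is the asset actually receiving updates? "Configured for
        # auto-update" is not evidence; the observed last-update time is.
        if a.last_update is None:
            issues.append("no evidence of any update (missing telemetry)")
        else:
            age = now - a.last_update
            if age > a.max_age:
                issues.append(f"stale: last update {age.days}d ago, limit {a.max_age.days}d")
        # Validation 4: is there an audit trail for every applied update?
        if not a.audit_trail:
            issues.append("no audit trail of applied updates")
        if issues:
            findings[f"{a.host}/{a.software}"] = issues
    return findings


def sample_inventory() -> List[Asset]:
    """Constructed example assets, not real systems."""
    day = timedelta(days=1)
    return [
        # Correctly configured AV: updated within the last day, logged.
        Asset("web01", "antivirus", "vendor definition feed", "auto", None, day,
              NOW - timedelta(hours=3), True),
        # The misconfigured machine from the article: believed to auto-update, silent for 9 days.
        Asset("web02", "antivirus", "vendor definition feed", "auto", None, day,
              NOW - 9 * day, True),
        # Manual library update on a 30-day cadence, last applied 20 days ago: fine.
        Asset("app01", "openssl", "distro package repo", "manual", 30, 45 * day,
              NOW - 20 * day, True),
        # Manual update with no schedule, badly stale, and nothing recorded.
        Asset("db01", "database engine", "vendor portal", "manual", None, 90 * day,
              NOW - 200 * day, False),
        # Cloud VM image nobody owns: no update source and no telemetry at all.
        Asset("vm-legacy", "os image", None, "auto", None, 30 * day, None, True),
    ]


if __name__ == "__main__":
    for key, issues in validate(sample_inventory()).items():
        print(key)
        for issue in issues:
            print("  -", issue)
```

The useful property of this shape is that the inventory, not a dashboard, is the source of truth: an asset that is missing from the inventory is never checked, which is exactly why Step 1 comes first, and an asset whose "last update" field is empty is a finding rather than a pass.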


Step 3: Remediate issues

Not only do you need to validate that your patches are happening with regularity and happening properly, you also need to remediate the issues that you discover along the way. In some cases, you may even discover that your current version of a piece of software is so far out of date that you can't simply install the latest release — instead, you may need to apply several intermediate updates in sequence to get from your version to the current one. 

Such a process will need to include regression testing to ensure appropriate functionality is not lost along the way.

Step 4: Rinse and repeat

Even once you’ve done that exercise, it’s always a good idea to trust but verify. In other words, have an ongoing validation that all of your machines are getting updated properly. It should be a recurring sanity check, because ripple impacts can occur in the environment without your knowledge.

Can You Deprioritize Minor Vulnerabilities? 

Some organizations take the approach of patching only the vulnerabilities that have a certain severity rating or higher, and deprioritizing minor vulnerabilities. This seems to make a lot of sense, especially if you're aiming to streamline your security program.

However, it's an approach that can leave you open to disaster. Even if you don't have any critical vulnerabilities in your environment, if you have the right (or wrong, as the case may be) mix of minor vulnerabilities, bad actors may be able to chain them together into a much larger problem for your company.

It's like mixing hydrogen peroxide and vinegar — two chemicals that are relatively harmless on their own but combine to form corrosive peracetic acid.

To the degree that you’re able, apply every patch that’s available to every vulnerability that exists within your environment.

Can Patches Break Your System?

One of the downsides of fortifying your patch management is that you may apply a particular patch and find that it breaks some of your existing functionality. 

Anytime you do patching, consider your risk tolerance level and determine if the types of patches you’re about to apply should be tested first. Then apply those patches within a test system and perform validation to make sure everything still works before rolling out the patches system-wide. 

You might even want to do this with Microsoft's Patch Tuesday updates. Some organizations use a staged rollout: a chosen subset of systems receives the patches first, is validated for a set period of time, and only then are the patches rolled out to the remainder of the organization. 

Typically, antivirus software patches are safe to roll out, but I usually recommend testing patches for web server software or third-party components that support the web server.

Reduce Your Risk Today

Years ago, I was an IT leader at an organization that had to go through a full-scale security and compliance engagement for the first time. I had to prove that we had a litany of controls in place so that we could pass the audit. That process was astronomically enlightening. It taught me, even as a career-long IT professional, how little I knew about security and compliance. It was startling.

The scarier part was that as an IT leader, I was operating under the assumption that my day-to-day IT staff, my network administrator, my developers, and my hosting company all knew what they were doing and that they were doing everything they should be doing. They didn't.

Don’t assume your IT department has vulnerability patch management all buttoned up. Cybersecurity isn’t IT, and your company needs both a highly skilled IT team and the specialized knowledge of a security expert.

Don’t wait to find out the hard way that your vulnerability patches weren’t applied sufficiently. Something as little as a missed patch can put a company out of business. It happens far too often.

Need help getting on top of patch management or compliance management? TCT Portal gives you complete clarity and reduces your compliance management labor by as much as 65 percent. TCT can also support an internal audit of your state of security and compliance. 

Remember that vulnerability patching is one of hundreds of controls that should be in place for a mature security program in today’s fast paced environment. Request a demo today!
