2014 was a record year for newly discovered software vulnerabilities, with nearly 8,000 reported. 2015 appears to be on track to be another record-breaking year, with dozens being reported every day. Not all vulnerabilities directly affect you or your organization, but there have been some major ones with widespread impact, ranging from an Internet Explorer vulnerability affecting all browser versions to HeartBleed, ShellShock, Poodle and Winshock, all of which compromised the security of your systems or the systems you connect to.
These are referred to as Zero-Day vulnerabilities because software and system vendors have had no time to fix the flaw when it is first disclosed. The risk is that these vulnerabilities are too often left unpatched even when updates are available.
In the HP Cyber Security Report 2015, it was reported that "Based on our research into exploit trends in 2014, attackers continue to leverage well-known techniques to successfully compromise systems and networks. Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old." Cisco also reported in their 2015 Annual Security Report that, "Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches."
In addition to the risk of an attack due to an unpatched vulnerability, many organizations now fall under a regulatory rule such as HIPAA, PCI, GLBA, NCUA, FINRA, SOX and others. While only PCI specifically calls out the need to patch systems, the others require you to protect client information, which is understood to include patching security vulnerabilities.
The challenge for organizations of all sizes is how to keep up with the constant flow of information and make good decisions about which patches to apply, which to defer and which to skip entirely. Keep in mind that some patches, including security-focused ones, can introduce their own risks, particularly around system stability and performance.
So what should organizations do to have a good patching process in place? The answer: every organization should have the people, processes and tools to effectively vet and push security patches out to all servers and workstations, or access to a service that manages it for them. At SE, we do the following to keep ourselves and our clients up to date with newly discovered vulnerabilities and available security patches:
- Employ a dedicated patching team who proactively researches the constant flow of the latest vulnerabilities and patching information.
- Review available security patches for applicability and any known issues to determine which will be pushed out in that month's update.
- At SE, excluded patches go through a secondary review with a broader team to identify any specific product or client needs that might have these added back into the queue.
- Apply security patches to all systems, then identify any systems that failed to update and report on patching compliance. Run monthly external vulnerability scans to identify any known issues, such as Zero-Day vulnerabilities, that may require additional actions.
- SE’s automated patching tool is used to push these out. Even mobile laptop systems that are working from a remote location will receive their patching packages as long as they are connected to the internet.
Security vulnerabilities bring significant risk and challenges for the IT department. Effective patch management must include dedicated people who can keep up-to-date on the latest security patches to maintain the integrity of your network security program.