Not on my patch

25 May 2021

Corey Nachreiner, CTO at WatchGuard Technologies, emphasises the importance of getting the basics right with strong patch management

An effective patch management strategy is one of the foundations of an organisation’s cyber security policy. Yet too many companies still pay lip service to patch management and those who understand the importance of implementing a robust procedure may still struggle to get it right.

According to Gartner, 99% of the vulnerabilities exploited at the end of 2020 would have been known to security professionals and IT administrators at the time of the incident. By contrast, zero-day vulnerabilities accounted for approximately 0.4%. In fact, 80% of successful attacks exploit vulnerabilities that have known patches that have not been applied.

What is patch management?

Software developers issue patches to fix vulnerabilities in their software. All software has bugs and whether caused by design or deployment flaws, the sheer volume of code in systems and applications is bound to contain errors.

In Steve McConnell’s book Code Complete, the average error rate in programming is estimated at between 15 and 50 errors for every thousand lines of code. The level of risk associated with these bugs ranges from a minor stability nuisance to the potential for a major data compromise.

Most security patches are issued in response to an identified vulnerability – possibly one that was already being exploited before a fix existed, known as a zero-day vulnerability. This means that applying these patches in a timely fashion is critical to security. Service Pack (SP) or Feature Pack (FP) updates are important patches that comprise a collection of updates, fixes or feature enhancements for a piece of software. They tend to solve a lot of pending problems, and usually include all the patches, hotfixes, maintenance and security patches released before the service pack.

Although testing and deployment of any patch may seem like low priority next to live monitoring and incident handling, the process is vital. The publication of a patch by a software vendor also notifies malicious actors of the potential vulnerability, which they will seize as an opportunity to exploit before patches have been applied. It’s a race against time for organisations to minimise the probability of a data breach, or risk regulatory non-compliance due to unpatched software.

An inconvenient truth

Software patches are a necessary inconvenience for IT administrators, as they are time consuming and can cause disruption for users; computers and servers often have to be restarted, which leads to interruptions to work. Because of this, updates are often put off, and recommended patches are ignored. However, what may seem like an innocent action could end up having serious consequences.

One of the main reasons that companies fail to regularly patch their systems is a lack of technical staff. Additionally, some updates can cause performance issues, while legacy systems may require a specific version of an application, so patching or upgrading may not be possible. In this case, compensating controls such as network segmentation to isolate the vulnerable system must be applied as far as possible.

Top targets

The most widely used third-party applications are the main target for hackers. According to the Common Vulnerabilities and Exposures (CVE) index, applications like Java, Adobe, Google Chrome, Mozilla Firefox, and OpenOffice, among others, have the highest number of vulnerabilities. The number of attackers with the skills needed to discover vulnerabilities quickly is also increasing. Once a vulnerability is found, they can deploy programs that automate its exploitation, and these are widely distributed and sold on the dark web.

Of course, don’t forget the popular server applications as well. At the time of writing, Microsoft had just released patches for a critical new zero-day Exchange flaw that state-sponsored hackers and criminals were, and still are, exploiting in the wild. This incident in particular is an excellent illustration of why you should patch as quickly as you can.

Time’s up

According to Ponemon, the average time it takes companies to patch applications or systems is 97 days. However, the average time it takes to see a cyberattack once a patch is released for a critical security vulnerability is 43 days, meaning there is an average risk gap of 59 days. Additionally, Ponemon says that 57% of victims of cyberattacks say that applying a patch would have prevented the attack. Thirty-four percent say that they knew about the vulnerability before the cyberattacks.

Cyber criminals are only getting better and faster at exploiting vulnerabilities, forcing companies to work against the clock to deploy patches. While it may be feasible to do this manually in small environments, automated patch applications are preferable. Automation ensures they are deployed as quickly as possible and consistently across the network.

Automated management enables not just efficient rollout, but more accessible metrics and reporting to give CISOs better visibility of the overall IT security programme. In the case of critical patches requiring tight timelines for deployment, organisations will often consider these as pre-approved emergency changes for their change management procedures.
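The metrics and reporting mentioned above can be reduced to a simple calculation per host: how long has the host been exposed since the vendor published the patch, and has that exposure already exceeded the 43-day average exploit lead time quoted from Ponemon? The script below is an added illustration, not code from the article or from WatchGuard. The hostnames, advisory identifier and dates in the inventory are constructed sample data; the only figure taken from the article is the 43-day threshold.

```python
"""Patch-exposure report over a constructed asset inventory.

Added example (not from the article): for each host, compare the vendor's
patch release date with the date the patch was actually applied (or with
today's date if it is still missing), and flag hosts whose exposure window
has already passed the 43-day average exploit lead time the article cites.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Average days from patch release to observed attacks (figure from the article).
EXPLOIT_LEAD_DAYS = 43


@dataclass(frozen=True)
class PatchRecord:
    host: str                # constructed hostname
    patch_id: str            # placeholder advisory id, not a real one
    released: date           # date the vendor published the patch
    applied: Optional[date]  # None means the patch is still missing


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days the host was (or still is) exposed after the patch was released."""
    end = rec.applied if rec.applied is not None else today
    return max((end - rec.released).days, 0)


def is_overdue(rec: PatchRecord, today: date) -> bool:
    """Unpatched and already past the average exploit lead time."""
    return rec.applied is None and exposure_days(rec, today) > EXPLOIT_LEAD_DAYS


def summarize(records: list, today: date) -> dict:
    """Report mean days-to-patch plus the unpatched and overdue host lists."""
    patched = [r for r in records if r.applied is not None]
    mean = (sum(exposure_days(r, today) for r in patched) / len(patched)
            if patched else 0.0)
    return {
        "mean_days_to_patch": round(mean, 1),
        "unpatched": [r.host for r in records if r.applied is None],
        "overdue": [r.host for r in records if is_overdue(r, today)],
    }


# Constructed sample inventory: hostnames, patch id and dates are made up.
SAMPLE = [
    PatchRecord("web-01", "VENDOR-2021-001", date(2021, 3, 2), date(2021, 3, 9)),
    PatchRecord("web-02", "VENDOR-2021-001", date(2021, 3, 2), date(2021, 4, 30)),
    PatchRecord("db-01", "VENDOR-2021-001", date(2021, 3, 2), None),
    PatchRecord("legacy-01", "VENDOR-2021-002", date(2021, 5, 11), None),
]
TODAY = date(2021, 5, 25)  # constructed reporting date

if __name__ == "__main__":
    for rec in SAMPLE:
        state = "OVERDUE" if is_overdue(rec, TODAY) else (
            "pending" if rec.applied is None else "patched")
        print(f"{rec.host:10} {rec.patch_id:16} {exposure_days(rec, TODAY):4d} days  {state}")
    print(summarize(SAMPLE, TODAY))
```

The distinction between `unpatched` and `overdue` is the point of the report: a host that is missing a patch released two weeks ago is a pending change, while a host still missing a patch from three months ago is already inside the window in which attacks are, on average, being observed, and is the one the pre-approved emergency change process should pick up first.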

Lessons learned

If there is any doubt about the importance of patch management, you only need to look back at the many well-publicised breaches caused by a failure to patch a known vulnerability. Hackers have been known to exploit vulnerabilities just days after a patch is released, demonstrating that failing to patch quickly enough can endanger an organisation, as well as its customers.