The risks of ineffective patch management
A string of high-profile ransomware attacks in recent years, led by the WannaCry attack in May 2017, has led to a growing awareness among the business community on the importance of proper patch management.
Just as an iPhone regularly prompts its owner to install a new system update, so computer networks must update their software to address vulnerabilities which, left unattended, could lead to a serious cyber breach.
The importance of patch management was highlighted in a recent webinar featuring Scott Reardon, Director of Global Technical Services at Eze Castle Integration.
Beyond simply complying with expectations, patch management is an essential line of defence in cybersecurity protection. As Microsoft’s President, Brad Smith, once noted, as cyber criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.
Otherwise, they are literally fighting the problems of the present with tools of the past.
“Patch management is really applying new or changing existing code to a software program,” said Reardon. “It stems from enhancements to bug fixes and in today's world it's more popularly associated with security fixes. It is definitely a lot more complex than when I started out in the IT industry.”
Way beyond Windows
“People tend to associate patch management with PC systems running Windows, but it extends far beyond that, affecting pretty much any type of computing device or network device such as routers, switches and firewalls, to name a few.”
A good patch management programme is therefore one that first identifies the patches, acquires them, tests them, installs them and then verifies them. This can be a lengthy and detailed process for businesses of any size.
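The identify and verify steps of that cycle are the ones most easily automated on Windows. The script below is an added example, not code from the article or from Eze Castle Integration: it uses the built-in Windows Update Agent COM API to list the updates a machine is still missing, then confirms with Get-HotFix that a named update actually landed after the maintenance window. The KB number at the bottom is a placeholder; run the script in an elevated PowerShell session.

```powershell
# Added example (not from the article or ECI): identify outstanding patches and
# verify an installed one. Elevated session required.

function Get-MissingUpdates {
    # Windows Update Agent searcher; "IsInstalled=0" returns applicable, uninstalled updates
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title      = $update.Title
            KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $update.MsrcSeverity   # Critical/Important/...; empty for non-security updates
            Downloaded = $update.IsDownloaded
        }
    }
}

function Test-UpdateInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix reads the same data as "Installed Updates" in Control Panel
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    if ($hotfix) {
        Write-Host "$KB installed on $($hotfix.InstalledOn) by $($hotfix.InstalledBy)"
        return $true
    }
    Write-Host "$KB is NOT installed"
    return $false
}

# Identify: what is outstanding on this machine
Get-MissingUpdates | Format-Table -AutoSize

# Verify: confirm a specific patch from the maintenance window took effect
Test-UpdateInstalled -KB 'KB0000000'   # placeholder KB number, not from the article
```

Running Get-MissingUpdates against each server before the maintenance window gives the list to acquire and test; running Test-UpdateInstalled afterwards closes the loop, which is the step the article notes is most often skipped.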
Poor patch management can leave an organisation’s data exposed, subjecting them to malware and ransomware attacks where data is hijacked unless a ransom is paid; typically in the form of Bitcoin. “I think the Equifax breach in September 2017 could have been prevented had they moved forward with their patching discipline,” said Reardon. He advised that scheduling proper maintenance windows for servers and having a backup to those servers was an important measure to reduce security gaps and mitigate the risk of business interruption.
“WannaCry and Spectre are interesting cases because those vulnerabilities were always available, they just weren’t exposed. WannaCry’s file sharing protocol SMBv1 was the source of the attack but version 2, SMBv2, has been available since Windows Vista/Windows Server 2008. Some vendors chose to move their applications to SMBv2, others chose not to for whatever reason, because they felt there was no risk.
“Therefore, it is really important to make sure the application developers you're working with are using current best security practices,” explained Reardon.
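The point about SMBv1 can be checked directly on a Windows server. The script below is an added example, not from the article: it reports whether the SMBv1 server protocol is still enabled and whether the SMBv1 component is installed, and provides a function to turn it off once you have confirmed no application or device still needs it. Get-/Set-SmbServerConfiguration exist on Windows Server 2012 R2 / Windows 8.1 and later; the optional-feature name SMB1Protocol is the DISM name used on client and recent server SKUs, and is an assumption for older servers (where Get-WindowsFeature FS-SMB1 applies instead).

```powershell
# Added example (not from the article): audit SMBv1 on this host and optionally disable it.
# Elevated session required.

function Get-Smb1Status {
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol                               # runtime server setting
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }   # component installed?
        Smb2Enabled       = $cfg.EnableSMB2Protocol
    }
}

function Disable-Smb1Server {
    # Turn the protocol off at the server setting first (no reboot needed),
    # then remove the component so it cannot be switched back on by a stray setting.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName). Legacy clients (older devices, some NAS or printer firmware) may still depend on it; confirm nothing needs it before disabling."
    # Disable-Smb1Server   # uncomment once the dependency check above is done
}
```

Keeping the audit and the change as separate functions matches the article's advice: the finding goes to whoever is accountable for patching, and the change waits for the vendor conversation about which applications were moved to SMBv2.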
Spectre and Meltdown are an entirely different beast. It is believed that every computer chip manufactured in the last 20 years contains fundamental security flaws. Although not exploited, both Spectre and Meltdown represent potential attack surfaces on the CPU for cyber criminals to misappropriate people’s data.
Reardon explained that the fixes that have come out from various manufacturers such as Dell and Hewlett Packard introduced code that could potentially address these issues but often imposed resource constraints “and added more overhead to your processing, which sacrificed your ability to use your applications at top capacity”.
Another hallmark of ineffective patch management is reliance on legacy applications.
There are many reasons why organisations allow this, from fear of change to perceived inconvenience or time or budget constraints.
“The reality is that firms should not hit the snooze button on something like this. However, sometimes people miss the security risks that are presented as a result of relying on legacy applications,” said Reardon.
With the widespread adoption of the cloud, application providers usually upgrade clients’ systems automatically, so clients have far less say than they did in the past. The cloud doesn’t ask for your permission. It applies upgrades automatically to every client using the application.
“You really don't have a lot of say when it comes to when you upgrade or not. It depends on your cloud provider, but there are good rewards for being on the cloud; when the patches work well then you are consistently up to date.
“But you have to weigh up the pros and cons: Can you continue with your business should a cloud provider be down? When a cloud provider patches you, will your application continue to run as expected? Working your integrations into cloud-based products and understanding those integrations are key to reducing that risk,” explained Reardon.
Organisations should be mindful that not all patches are beneficial. In the last couple of months, Microsoft has released a few “bad patches”. This can occasionally happen, even though extensive testing is done in their own environment before a patch is released to the general public. Nothing is ever 100 per cent perfect and the odd “bad patch” slips through the cracks, which when released, can cause downtime.
“I recall a recent issue where if you had a virtual machine and it was set with a static IP address, a Microsoft patch would basically wipe out the configuration of the virtual network card and you would lose communication to it.
“It is important to understand what patches you are applying, the risks that are associated with those patches that are being deployed, and then testing them in an environment before you deploy them,” advised Reardon.
Even then there is no 100 per cent guarantee that you are going to be protected but at least having a good testing methodology can reduce the risk of deploying bad patches.
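The static IP example above is exactly the kind of regression a pre-deployment test should catch. The script below is an added example, not from the article or from ECI's own tooling: it snapshots the statically configured IPv4 addresses on a test machine before the maintenance window, then compares after the patch and reboot and flags any address that disappeared. The snapshot path is assumed.

```powershell
# Added example (not from the article): detect a patch that wipes static NIC configuration.
# Run Save-StaticIpSnapshot before patching and Compare-StaticIpSnapshot after the reboot.

$SnapshotPath = 'C:\PatchTest\ipconfig-before.json'   # assumed location

function Get-StaticIpSnapshot {
    # PrefixOrigin 'Manual' means the address was set by hand, not by DHCP or autoconfiguration
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Manual' } |
        Select-Object InterfaceAlias, IPAddress, PrefixLength |
        Sort-Object InterfaceAlias, IPAddress
}

function Save-StaticIpSnapshot {
    param([string]$Path = $SnapshotPath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # -InputObject with @() keeps a JSON array even for zero or one address
    ConvertTo-Json -InputObject @(Get-StaticIpSnapshot) | Set-Content -Path $Path
}

function Compare-StaticIpSnapshot {
    param([string]$Path = $SnapshotPath)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = @(Get-StaticIpSnapshot)
    $missing = foreach ($b in $before) {
        $stillThere = $after | Where-Object {
            $_.InterfaceAlias -eq $b.InterfaceAlias -and
            $_.IPAddress      -eq $b.IPAddress      -and
            $_.PrefixLength   -eq $b.PrefixLength
        }
        if (-not $stillThere) { $b }
    }
    if ($missing) {
        Write-Warning "Static address configuration lost after patching:"
        $missing | Format-Table -AutoSize | Out-String | Write-Host
        return $false
    }
    Write-Host "All $(@($before).Count) static address(es) survived the patch."
    return $true
}

# Before the maintenance window:
#   Save-StaticIpSnapshot
# After patch and reboot; a $false result means exclude or roll back the patch:
#   Compare-StaticIpSnapshot
```

The same pattern (snapshot, patch, compare) extends to services, scheduled tasks or application health checks; the point is that the test environment answers the question "will my application continue to run as expected?" before production does.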
Reardon pointed out that Eze Castle Integration had successfully excluded a number of patches for its clients lately “because working with some of our vendors, we discovered that a patch would cause an issue with a particular application and prevented it from being deployed”.
Working with vendors and developing a patch management strategy takes time and resources, a luxury smaller fund managers simply do not have. Ultimately, an effective strategy comes down to three key components: people, process and tools.
The RACI Chart
For the people component, Reardon referred to the “RACI” chart. It needs to be driven by senior management in a top-down approach, to set a clear course on how to deal with patch management.
A RACI chart assigns four roles: the people who are responsible, the people who are accountable, the people who are consulted and the people who are informed.
“You need to elect someone in your organisation who is accountable for the success of the patch management strategy. If there's nobody accountable, it's definitely going to fall through the cracks,” said Reardon.
“Then you need somebody responsible for it. That could be the same person as the accountable person, but they need to make sure that they are patching and complying with their patching. So it's one of those things to do and set it up, but then you need to verify that it's working. The only way to do that is by having a responsible individual within the organisation dedicated to ensuring that is happening.
“Then you need to consult with other people - a CSO or a security team - to help analyse your risk of applying patches. Here at ECI, we have what's called a security incident response team. So we take those risks and analyse them and understand them to determine what impact this would have on our client base.
“Finally, there is the informed aspect. All business units within your company need to be on the same page regarding the philosophy and maintain a high level of communication.”