(October 2020) Effective patch management is among the most important cybersecurity controls in any organization. It’s also one of the most time-consuming, challenging, and exasperating tasks IT teams must tackle.
It is incredibly difficult to keep pace with the number of hardware, software, and operating system vulnerabilities that need patching. More than 12,000 common vulnerabilities and exposures (CVEs) were discovered last year — an average of more than 230 per week. Very few companies have the manpower to test and apply patches fast enough to prevent cybercriminals from exploiting one of those CVEs.
The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, estimates that about 85 percent of all successful network intrusions result from unpatched systems. Most involve patches that are available but not yet applied.
Another issue is that organizations tend to focus most of their patching efforts on Microsoft and Windows environments, even though many other products contain critical vulnerabilities. Adobe Flash Player, for example, has required hundreds of patches over the past few years and one particular vulnerability was considered to be the single most-exploited software flaw of 2019. A separate Flash Player vulnerability ranked No. 4.
These ongoing security issues led the major browser makers to begin phasing out Flash Player in recent years, and the software will reach end-of-life-status on Dec. 31. After that, Adobe will no longer distribute the software or provide security patches or bug fixes.
When organizations continue to run end-of-life (EOL) software such as Flash Player and Office 2010, which is no longer supported as of Oct. 13, it further complicates the patch management process. Without ongoing patches, these applications become inviting targets for hackers who actively look for unsupported software in order to exploit vulnerabilities. Identifying and eliminating EOL software should be part of a comprehensive patch management plan.
Here are some other patch management best practices:
Conduct a system inventory.
The internet makes it easy for employees to download and install software they’d like to try out. As a result, organizations often have no idea how many applications have been installed on their systems. A complete inventory will help you understand where you are potentially vulnerable. An inventory will also help you keep track of apps that are nearing EOL.
Vendors may issue hundreds of patches in a single day. Rather than simply applying them in alphabetical order, take the time to prioritize based on risk. Address the critical issues first and save the routine patches for later.
Test patches before applying.
Patches rolled out without proper testing can create compatibility issues that create significant downtime. It is not uncommon for a patch to fix one issue only to break another. Testing can work out any bugs or potential incompatibilities before patches are applied in the production environment.
Apply as soon as possible.
Once a patch has been vetted, put it into production as soon as possible. A good rule of thumb is to deploy a patch within 30 days of its release. If possible, deploy operating system patches even sooner.
Establish a maintenance window.
Designate a date and time each month when patches and updates will be applied. Communicate this within your organization. Establishing a regular patching cadence allows for better coordination among application stakeholders and helps employees plan for any downtime. Emergency patches can still be applied as needed based on severity.
Be prepared for reboots.
More than 90 percent of patches will require system reboots and some of these reboots will take longer than usual. Try to schedule patching for a time when reboots will not disrupt operations.
Have a rollback plan.
Make sure you have a good backup of all systems before patching. After applying, have key application stakeholders test functionality to ensure all systems are running properly. In case of problems, a rollback plan will allow you to return to the pre-patched environment.
Creating a best-practices framework is essential for dealing with the huge numbers of vulnerabilities and patches organizations face. However, even a good plan can’t compensate for staff and time constraints.
One way to tackle the issue and reduce your risk is by working with a trusted managed services provider such as Mainstream Technologies. We have the tools, manpower, and experience to make sure patches are prioritized, tested, and applied in a timely manner. Give us a call to learn more about how our services can eliminate lapses in patch deployment and boost your overall security posture.
ABOUT MAINSTREAM TECHNOLOGIES
Since 1996, Mainstream Technologies has established itself as one of the most respected Arkansas technology companies with headquarters and data center facilities in Little Rock, and sales offices in Conway and Bentonville. Mainstream’s full range of technology services includes IT Management and Consulting, Custom Software Development, Cyber Security, and Data Center Services. Our team of experienced technology professionals serves public and private sector customers across the United States.