The Patching Problem: Best Practices for Maintaining Up-to-Date Systems

“Update ready to be installed.”

IT teams and business stakeholders are probably familiar with this notification, or something like it. After all, software updates are nothing new: Whenever a vendor makes improvements or adds new capabilities to a previously released platform, the change arrives as a software update.

But boosting existing features isn’t the only reason that patching is important.

Vulnerabilities and the consequences of late patching

As Trend Micro noted in its “Unseen Threats, Imminent Losses” report, there were two major vulnerabilities found at the beginning of 2018 within popular microprocessing solutions – and these were far from the only weaknesses discovered.

Trend Micro alone published more than 600 vulnerability advisories in just the first half of 2018. While software is typically thought of as the focus for these advisories, as with the case of the microprocessing issues, hardware vulnerabilities requiring firmware patches became more prevalent this year as well.

“Hardware vulnerabilities present a complicated problem for IT admins,” Trend Micro’s report stated. “Along with these hardware problems, IT admins also had to deal with vulnerabilities disclosed by major software vendors. Major vendors release regular patches as disclosed vulnerabilities are found and fixed, but enterprises still have difficulty securing their networks.”

Exploiting known weaknesses is a top strategy leveraged by hackers. Therefore, organizations must be sure to apply and deploy patches as quickly as possible after they are released by hardware and software vendors. This significantly reduces the chances that these known weaknesses or issues could be used against the business in an infiltration or other cybersecurity attack.

Firmware patches: Unique complications

As Trend Micro pointed out, while software patches certainly come with their own challenges – including the sheer volume of updates released on a regular basis – patches that impact hardware elements can present considerable complications for an enterprise’s IT team.

“Applying firmware patches across all affected devices is much more difficult,” the report stated. “In addition, some of the patches affect the system performance of older devices, compounding the impact on the business.”

While this was in relation to the microprocessing hardware vulnerabilities and associated firmware patching specifically, hardware updates of this kind can make it difficult for businesses to ensure that all weaknesses and issues within their infrastructure elements are continually addressed.

“The pressure to keep networks operational makes patching a perennial problem for administrators,” the report noted.

SCADA vulnerabilities

In particular, the cybersecurity landscape saw a considerable number of advisories tied to SCADA (supervisory control and data acquisition) platforms, which are used by organizations across a number of major industry sectors.

Overall, there was a 30 percent increase in SCADA vulnerabilities seen during the first six months of 2018, compared to Q3 and Q4 of 2017. Many of these involved issues or weaknesses in human-machine interface SCADA software, which can provide key details for hackers.

As Trend Micro researchers pointed out, attacking a SCADA system may just be step one within the breach processes for malicious actors, as this information could be a springboard, providing reconnaissance information about the business and its processes to better inform future attacks.

While the number of SCADA vulnerabilities increased overall, research shows that vendors are much more responsive when creating patches for these identified weaknesses. This year, Trend Micro researchers observed a 77 percent decrease in zero-day SCADA vulnerabilities, compared with the second half of 2017. This does not, however, mean that enterprise SCADA software users can be lax when it comes to the security of their platforms.

“While this is a welcome improvement, the sheer number of discovered vulnerabilities highlights why enterprises in critical infrastructure sectors should stay on top of SCADA software systems and invest in multilayered security solutions,” the report noted.

Unpatched systems leave the door open for malicious actors to exploit known vulnerabilities.

Lessons learned from WannaCry and Petya

SCADA and other vulnerabilities may pale in comparison with the kinds of widespread vulnerabilities that IT teams have likely seen in 2018 and, particularly, last year. WannaCry, especially, affected hundreds of thousands of systems across the globe, demanding that victims pay ransom in untraceable cryptocurrency for decryption of critical files and data.

As intelligence researchers relayed, this resulted in billion-dollar costs in “stalled operations and lost revenue” for organizations that fell victim to WannaCry.

After WannaCry, Petya emerged. What the two had in common is that they leveraged the same previously patched vulnerability: the one addressed by Microsoft’s MS17-010 security bulletin and targeted by the exploit dubbed “EternalBlue.” Due to the widespread impact and associated losses, these cases in particular put a spotlight on the issue of regular patching and patch management.

“Despite the availability of a patch that could have prevented an infection, many companies and users still had vulnerable systems,” Trend Micro indicated in its research. “This situation only begs the question: can we fix the lag between patch release and application?”

How to overcome patch management struggles

One 2015 study found that some organizations don’t put updates in place until as many as 100 days after patches are released. Thankfully, this attitude has changed a bit in the wake of vulnerabilities like WannaCry and Petya.

Here are four key best practices to consider implementing within enterprise patch management processes:

  • Awareness and automation: While impacts from WannaCry and similar attacks certainly send a message, one of the first steps in improving an updating strategy is to ensure awareness of the importance of timely patches. A 2017 study from Forbes and BMC found that businesses are becoming more dedicated to this, and are increasing their investment in automated patching solutions to help. Overall, 43 percent of executives said they’re working with their IT team to make patching a more critical priority.
  • Avoid ad hoc patching: While ad hoc patching may take place in certain instances, using this as a regular strategy can become a serious issue for today’s businesses. It’s important that executives and IT leaders work to avoid ad hoc patching, and utilize a more holistic approach and regular schedule to ensure that updates are applied as soon as possible to affected hardware and software.
  • Prioritize appropriately: Timeliness is one of the biggest challenges of patch management – sometimes, it simply isn’t feasible to apply a patch the same day (or even week) that it’s released. Other IT initiatives and important projects may not leave enough time to devote to these pursuits. As TechRepublic contributor Mary Shacklett noted, certain patches, like those strictly for performance improvements and other non-critical bugs, can be put off. But updates related to security vulnerabilities should always be prioritized and applied as quickly as possible.
  • Test patches after installation: Once a patch is in place, the IT team’s work isn’t complete just yet. It’s imperative that IT admins test patches after they’ve been installed to confirm that they work as intended and that the weaknesses have been addressed.

Trend Micro offers several key solutions to help with patch management, including Deep Discovery, Deep Security and Vulnerability Protection. Contact us today to learn more.