Let’s face it, installing regular system updates is a necessary evil. We’ve all seen the pop-ups in the corner of our screens, prompting us to install an update for this product or suggesting that an update is available for that product. How often do you take the time out of your schedule to actually install the updates your system is warning you about? Probably not as often as you should!
As a home user, your computer system is probably (and hopefully) configured to automatically install all relevant operating system updates as soon as they are available. But that is only part of the problem; most of your additional software needs updating regularly as well.
For the average home user, installing updates is a straightforward task and should take no more than 30 minutes per month.
Unfortunately, the same cannot be said of most organisations. Patching an organisation’s IT systems is a huge challenge for IT departments everywhere.
FACT: In the 9 months from January 2019 through to the end of September 2019, Microsoft released over 21,000 patches for vulnerabilities in its product portfolio. A Gartner report in April 2019 forecast that only 75% of corporate PCs will be running Windows 10 by 2021. Even allowing a margin for Apple devices and other minority operating systems, this leaves an unhealthy number of Microsoft operating systems that are no longer supported and therefore cannot be patched.
Why do patches exist?
Cyber-attacks generally rely on exploiting unpatched vulnerabilities on the target computer, and on the larger attack surface that results from an unsupported (or otherwise unpatched) operating system.
Having computer systems that are fully patched reduces the risks that accompany unsupported software.
Also, Cyber Liability Insurance may not cover an attack if you are not fully up to date with patching.
If you are an organisation that takes card payments, then you should already be aware of your PCI DSS compliance requirements. Patching is applicable to requirement 6: develop and maintain secure systems and applications.
“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”
So, from the above examples, you can see that not only is patching a fundamental part of managing your IT infrastructure, but it may also be a significant governance issue.
What should I patch?
It is generally good practice to keep all your systems fully patched with all vendor supplied software updates. However, a lack of time and resources can often make this good practice an unrealistic objective.
If your organisation is not able to meet the ‘patch everything’ objective, don’t panic – you are not alone! But this doesn’t mean you should not patch anything.
Most patches are classified as one of the four severities or risks below:
- Critical: the update fixes a vulnerability whose exploitation could allow for the propagation of malicious software without user action.
- Important/high: the update fixes a vulnerability whose exploitation could result in the compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
- Moderate: the update fixes a vulnerability whose exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low: the update fixes a vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
If you cannot deploy all available patches, you should make it standard practice to deploy at least the critical and important updates without question, every time any updates are made available.
All other patches still need to be installed and you should use your organisation’s risk appetite to determine the frequency.
Have you got a Patching Policy?
It is important to have a defined Patching Policy in place that sets out how all your IT assets are security-patched (this should not be limited to servers and desktop/laptop devices, but should also include network and mobile devices).
This policy should cover areas such as:
- What patches are released (all, or critical/important etc.)?
- Is it just Operating System patches, or application patches as well (e.g. Microsoft, Adobe, Oracle etc.)?
- What devices are included/excluded (and why)?
- On what schedule are patches released/deployed?
- Is there a defined process for deploying 0 day patches? (More on 0 day below)
When should I patch?
Ultimately, it depends on your environment, but you should aim to deploy patches as soon as is practicable. There are a few caveats to this:
- If you are looking to obtain Cyber Essentials Plus certification, you will need to be able to demonstrate that patches for vulnerabilities with a severity the product vendor describes as ‘critical’ or ‘high risk’ are deployed within 14 days of release.
- If your organisation takes card payments and needs to be PCI DSS compliant, then critical security patches must be installed within one month of release.
If your organisation falls into both of the above categories, the stricter deadline applies: patches must be deployed within 14 days.
You should have a process in place for deploying emergency patches (often called 0 day patches) that vendors release for immediate installation to remediate a critical vulnerability. These do not happen very often, but when they do, you should ensure that they are installed in as short a timeframe as possible – ideally within 48-72 hours.
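The severity classes from “What should I patch?” and the deadlines from “When should I patch?” combine naturally into a small compliance check: for each patch, work out the tightest deadline that applies to your organisation, then list every device that is still missing the patch after that date. The script below is an added example, not tooling from the article or from any vendor. The 14-day (Cyber Essentials Plus, critical/high), one-month (PCI DSS, critical) and 72-hour (emergency) figures come from the article; treating “one month” as 30 days, the fallback deadlines for moderate/low patches (your “risk appetite”), the device names and the `KB-EXAMPLE-*` patch identifiers are all constructed for the example.

```python
"""Patch SLA tracker: illustrative example, not the article's own tooling.

Given the compliance regimes an organisation is subject to, compute the
deadline by which each patch must be installed and report every device
that is past that deadline for a patch it does not yet have.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Deadlines in days per regime and severity, as stated in the article.
# PCI DSS says "one month"; this example takes that as 30 days (assumption).
REGIME_DEADLINES = {
    "cyber_essentials_plus": {"critical": 14, "important": 14},
    "pci_dss": {"critical": 30},
}
# Fallback when no regime dictates a deadline: the organisation's own
# risk appetite. These numbers are constructed for the example.
RISK_APPETITE_DEADLINES = {"critical": 30, "important": 30, "moderate": 60, "low": 90}
# Emergency ("0 day") patches: the article suggests 48-72 hours; the outer
# bound is used here.
EMERGENCY_DEADLINE = timedelta(hours=72)


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str          # critical | important | moderate | low
    released: datetime
    emergency: bool = False  # vendor out-of-band release for immediate install


@dataclass
class Device:
    name: str
    installed: set = field(default_factory=set)  # patch ids already present


def deadline(patch: Patch, regimes: frozenset) -> datetime:
    """Tightest installation deadline that applies to this patch."""
    if patch.emergency:
        return patch.released + EMERGENCY_DEADLINE
    # Start from the organisation's own target, then tighten it for every
    # regime that has an opinion about this severity.
    days = [RISK_APPETITE_DEADLINES[patch.severity]]
    for regime in regimes:
        limit = REGIME_DEADLINES[regime].get(patch.severity)
        if limit is not None:
            days.append(limit)
    return patch.released + timedelta(days=min(days))


def overdue(devices, patches, regimes, now):
    """(device, patch_id, days_overdue) for every missing patch past its
    deadline, worst first."""
    findings = []
    for dev in devices:
        for p in patches:
            if p.patch_id in dev.installed:
                continue
            due = deadline(p, regimes)
            if now > due:
                late_days = (now - due).total_seconds() / 86400
                findings.append((dev.name, p.patch_id, round(late_days, 1)))
    findings.sort(key=lambda f: -f[2])
    return findings


# Constructed sample data: a patch feed and a three-device inventory.
NOW = datetime(2019, 10, 31)
PATCHES = [
    Patch("KB-EXAMPLE-001", "critical", datetime(2019, 10, 1)),
    Patch("KB-EXAMPLE-002", "important", datetime(2019, 10, 20)),
    Patch("KB-EXAMPLE-003", "low", datetime(2019, 9, 1)),
    Patch("KB-EXAMPLE-004", "critical", datetime(2019, 10, 27, 10, 0), emergency=True),
]
DEVICES = [
    Device("ws-01", {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003", "KB-EXAMPLE-004"}),
    Device("ws-02", {"KB-EXAMPLE-003"}),
    Device("srv-01", {"KB-EXAMPLE-001", "KB-EXAMPLE-003"}),
]


def report(regimes=frozenset({"cyber_essentials_plus", "pci_dss"})):
    """Overdue findings for the sample estate under the given regimes."""
    return overdue(DEVICES, PATCHES, regimes, NOW)


if __name__ == "__main__":
    for name, patch_id, late in report():
        print(f"{name}: {patch_id} overdue by {late} days")
```

Two things the sample run shows that the prose alone does not: an organisation under both regimes inherits the 14-day Cyber Essentials Plus clock for critical patches even though PCI DSS alone would allow a month, and an emergency patch released on a Sunday morning is already overdue on the following Thursday whichever regime applies, because its clock runs in hours rather than days.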
How should I patch?
If you have time and resource constraints, it will probably not be practical to patch every device manually. You should look at available tools to automate the deployment of your patches such as Microsoft Windows Server Update Services (WSUS). Depending on your environment, you may need to look at multiple solutions to cover all of your infrastructure.
If you have staff who work remotely, you should also ensure that any devices they use are able to be patched on a regular basis.