Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
Software vulnerability continues to be a challenging cybersecurity risk. Cybercriminals are able to seize on these vulnerabilities and breach systems. The time between the discovery of a vulnerability to an attempted exploit is shrinking. As organizations and IT leaders deal with more complex infrastructure, distributed teams and growing application use, following software vulnerability patching best practices is imperative. No matter what your vendors say, patch everything.
In this post, we’ll discuss the patch management process, security patches, a vulnerability management program, patch management vs. vulnerability management, and the dangers of not patching.
Security patches and why they matter
Vulnerabilities in software are a common occurrence. The National Vulnerability Database (NVD) collects statistics around Common Vulnerabilities and Exposures (CVE), with over 15,000 collected in 2020 thus far.
Security patches address any discovered vulnerabilities that software companies identify. The patch consists of a set of changes for the code to fix bugs that could lead to cybersecurity incidents. The patch usually applies to one component of the software.
Any business, no matter the size or type, prioritizes data security and privacy. In a cybersecurity program, security patches are an essential aspect. In a vulnerability survey, 60% of the breaches in 2019 were most likely preventable with patching. A patch was available in these cases but not applied.
Security patching is most useful as a proactive cybersecurity measure rather than a reactive one. Just because the software manufacturer releases the patch doesn’t mean every device that uses it will receive the update. In some cases, vendors may downplay the risk. Their position on the matter shouldn’t impact what you know to be best practices. To ensure you have a strong cybersecurity culture, create and follow a patch management process and vulnerability management process fervently.
Will every security patch from the software vendor come with dire warnings? Not likely. Software companies just like any other organization don’t like to bring too much attention to mistakes. Regardless of how your vendor presents the patch, do it immediately. The consequences of not doing so could jeopardize your business.
The patch management process
The patch management process can be manual or automated and includes the constant updating of the software your company uses. Software companies release patches regularly, but this doesn’t mean every organization has a process to manage updates cohesively and consistently.
According to a survey of IT managers, 72% said they are “afraid” to apply security patches right away because they fear they may “break stuff.” That’s because security patches can affect system functionality and performance. Unintended consequences are simply a byproduct. The solution for such a predicament is patch testing, but that’s not possible for most cybersecurity teams executing these manually.
A patch does interject new code into applications to fix a specific issue. It can often be a temporary fix until the company rolls out its official new version. Failure to patch can result in adverse consequences if cybercriminals get the chance to penetrate your network.
Manual patch management creates more risk and opportunity for breach
To have a formal process in place, you need a team that manages what applications you’re running and when fixes need to occur. The trouble with the patch management process often occurs with manual updating.
A vulnerability report found that 61% of companies are at a patching disadvantage due to manual processes. In fact, the report found it can take 12 days for teams to coordinate a patch across all devices. That’s a considerable amount of time that cybercriminals will exploit if given a chance.
Automating and centralizing patch management
While software companies do send patches to applications, if you’re managing a series of machines, it’s not an easy practice to run new installs individually. Automating and centralizing patch management is more efficient and more secure. You’ll be able to schedule updates from the administrative level to affect all devices in your network. Even in cases where software patches automatically update, you still need a check and balance to be confident in the security and reliability of the application.
What is a vulnerability management program?
Not addressing vulnerabilities is a huge risk for any organization. It’s the leading cause of breaches, including the WannaCry malware, which exploited the backdoor from the NSA (National Security Association). Microsoft was aware of the hack and released patches. However, organizations were slow to adopt them.
Without this vigilance around managing vulnerabilities, such an incident could happen again at any moment. The reality is that it’s not easy to manage vulnerabilities on your network. If it were, it wouldn’t be such a popular topic. Organizations that want to stay ahead of it should develop a vulnerability management program.
Such a program includes identifying, classifying, remediating and mitigating vulnerabilities. It’s no longer an option for most companies and is a requirement for many compliance, risk and audit management frameworks. With such a program, you can gain clarity because you cannot manage what you cannot see.
Stages of a vulnerability management program
If your organization is going to have a sound program, it requires these four steps.
- Identification of vulnerabilities The first and most crucial step is discovering the vulnerabilities in your network. Vulnerability scanning looks at all accessible systems that exist — hardware, software and every other element. With any program, you should be continually scanning; however, that’s not always common practice, as 37% of organizations admit they don’t do it at all. The scanner finds any open ports and services running on your systems. It logs into them and collects details. From this intelligence, the scanner attempts to correlate them to any known vulnerabilities. It then provides data to users to develop reports, metrics and dashboards.
- Evaluation of vulnerabilities
Not all vulnerabilities are equal. After identification, you’ll need to evaluate each vulnerability, which is a difficulty for many organizations. In fact, 65% of businesses say prioritization is too hard. A common framework to use is the Common Vulnerability Scoring System (CVSS). The Forum of Incident Response and Security Teams (FIRST) maintains the open frame CVSS. It standardizes how you rate vulnerabilities. It uses three metrics for evaluation:
- Base: Represents the characteristics of the vulnerability, looking at exploitability, scope and impact.
- Temporal: Relates to a vulnerability that changes over time with components of exploit code maturity, remediation level and report confidence.
- Environment: Addresses how the vulnerability impacts your specific organization based on security requirements and modified base metrics. Once you’re able to score vulnerabilities consistently, you can then prioritize them better.
- Treatment of vulnerabilities
After prioritization, it’s time to triage. Scoring is essential to know what to treat first. You also have to consider the needs of all your stakeholders, internal and external. You can treat vulnerabilities in three ways:
- Remediate: Apply the patch or update to the software or system, so it’s safe from exploitation.
- Mitigate: If remediation isn’t an option because there is no patch or there are issues in updating the applications, then you move to mitigate. This may only be a temporary solution, but you can implement compensating controls to “buy time” and reduce risk.
- Accept: If the vulnerability scores low and the cost to remediate is too high, some organizations may just accept it and take no action. In providing remediation, it’s a group effort of security, development, administrators, and any others with a stake. Having processes in place and agreed upon helps this step along faster. For those vulnerabilities you do remediate or mitigate, it’s a good idea to rescan just for additional peace of mind.
- Reporting of vulnerabilities
Finally, the reporting of vulnerabilities is an excellent best practice. It can help improve the speed and accuracy of future vulnerability treatment. Having visual reporting capabilities keeps these concerns top of mind and allows for data collection and analysis.
Your team can find insights into your program to determine what remediation activities provide the most optimal outcomes. Tracking trends over time will help you build an even stronger cybersecurity program.
Final thoughts on vulnerability management programs
To continue to hone your program and lower risk, keep these tips in mind:
- Perform comprehensive scans that look beyond physical devices. You need to scan your cloud as well, which is even more important if that’s where your applications reside.
- Scan continually: Your IT environment is always changing, and identification of new vulnerabilities is ongoing. It’s not something to do just here and there.
- Introduce automation to the process: Automated scanning is efficient and can handle any scale. The human element will always be necessary but for repetitive work, use automation.
- Address the user’s role: Vulnerability exploitation isn’t something that happens through back doors all the time. Your users can play a role if they fall for phishing scams. Keep your employees aware with phishing simulation exercises.
- Patch everything, regardless of how critical the software provider describes it as. Treat every patch as though it’s urgent and critical.
Patch management vs. vulnerability management
Patch management and vulnerability management aren’t the same. They are related processes but have differences.
Patch management pertains to updating software or systems. In this scenario, you are looking for assets that do not have a necessary patch. Patches are also updates from the vendor of the product. These patches aren’t just security fixes. They often contain new features or upgrades as well. The owner of the software or system defines what these are, and, in some cases, they don’t fix the security issue. Patch management is one part of a cybersecurity program. It’s not absolute.
Vulnerability management is a discovery process of finding assets on your networks and locating any security vulnerabilities. The scanning tools that do this alert you to the vulnerabilities and offer remediation advice. As noted above in the vulnerability management program, not every solution is a patch. You have to determine the priority of the vulnerability then take a course of action to treat it. If there’s no patch, you may have to initiate a workaround by reconfiguring or even turning off some components.
With patch management vs. vulnerability management, it’s not one or the other. Rather, you need both. With robust tools to manage both, you can provide the most secure network.
What if vendors downplay the risk?
Is the vendor always right? Is what they say about their patches and urgency always ring true? No because they need to maintain confidence in their product, and they cannot know the impact to your specific use cases.
Software companies can actually downplay their importance. Citrix did just that earlier this year. They released patches for 11 CVE-listed security vulnerabilities. The updates didn’t come with dire warnings about the risk of bug fixes, but former NSA (National Security Administration) hacker Rob Joyce countered the fixes as “much-patch” vulnerabilities in a tweet. In fact, one of the 11 fixes included a flaw that could sling malware downloads.
Software vendors certainly want their software to be as secure as possible, but they can’t accurately define your level of risk. That’s something only you can do by having a vulnerability management program. You’re ultimately in control and responsible for the security of your infrastructure and applications, which means patch everything immediately.
Improve vulnerability and patch management
Vulnerabilities will remain one of the most integral parts of cybersecurity. The sheer volume makes them an easy target. Not only are the tools you use to manage vulnerability and security patches critical, having the right skill sets are as well. These topics are part of the Certified Information Systems Security Professional (CISSP) field. You can view Infosec’s CISSP vulnerability and patch management resources here.
Security Patching is Hard – Survey Results 2017, 0patch Blog
Common Vulnerability Scoring System SIG, first.org