Patching The Problems
By Matthew McDonell, Full-Time Instructor at SecureSet Denver campus.
Many of the security breaches that have occurred recently were caused by a failure to patch systems in a timely manner. Unpatched systems are low-hanging fruit that give attackers an easy way into a network. Simply patching known vulnerabilities significantly reduces what is left for advanced threat actors to exploit. Breaches like Equifax, the WannaCry ransomware outbreak and many others could easily have been prevented with proper patch management policies and plans in place.
Patches contain fixes for one or more vulnerabilities. These vulnerabilities are identified by numbers assigned through the Common Vulnerabilities and Exposures (CVE) system, maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC). Without patches in place, older software keeps the same bugs and exploitable holes in its code that allow hackers and cyber criminals to get into systems. This is made worse by the fact that these exploitable entry points are generally public knowledge once the patch has been released, so attackers know exactly where to look.
Finding the exploits
Most breaches we become aware of are caused by failure to update software components that have been known to be vulnerable for months or even years. The Software Engineering Institute estimates that 90 percent of reported security incidents result from exploits against defects in the design or code of software. Most compliance frameworks require enterprises to roll out system patches within 30 days. This means that enterprises need a plan to install patches and to prove that they have been installed properly.
I have used several products in the past to help with patch management, including GFI LanGuard, Kace, WSUS and SCCM. There are many out there that can do patch management, reporting, scanning and much more. Some things to consider: not all patch management suites are built the same. For example, some products are only capable of patching Microsoft products. Relying on these products alone will cause you to miss a huge number of vulnerabilities. What about Flash, Java, Chrome and the many other third-party applications that require patching? You need your patch management tools to cover all of your bases.
We also need to consider macOS, Linux systems, Android, iOS and any other system that may be integrated with our networks. All systems need to have patches installed, and we need to be able to verify that the low-hanging fruit for hackers has been removed.
Putting a plan in place
When a patch is released, if you are under any kind of compliance regime, you will have 30 days to get systems fully up to date. This means that you will have to roll out patches in stages based on how critical each system is. To do this successfully, you have to have a solid patching plan in place. Below is an example of a patching plan that I have used, and that you can immediately begin implementing.
Week one: Choose a few non-critical servers and a handful of endpoints to push the patches to, then monitor the system and talk to end users to verify that the systems are still working properly. Run both scans and reports to verify that the systems that were supposed to get the patches, got them properly.
Week two: Expand the push of patches to most non-critical servers and 200 endpoints. Then monitor the system and talk to end users to verify that systems are still working properly. Run scans and reports to verify that the systems that were supposed to get the patches, got them properly.
Week three: Expand to all non-critical servers, as well as a few critical servers and 1000 endpoints. Then monitor the system and talk to end users to verify that the systems are still working properly. Run scans and reports to verify that the systems that were supposed to get the patches, got them properly.
Week four: Expand to the full network of critical and non-critical servers and all endpoints. Monitor the system and talk to end users to verify that the systems are still working properly. Run scans and reports to verify that the systems that were supposed to get the patches, got them properly.
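The four-week plan above is easy to describe but tedious to track by hand once you have hundreds of endpoints, and the weekly "run scans and reports to verify" step is where most rollouts go wrong. The following script is an added example (not code from the article or from any of the tools it names) that turns the plan into something checkable: it splits an inventory into the four cumulative waves, compares each wave against a scan result to find hosts that are missing a patch or were never scanned at all (the powered-off case that Wake-on-LAN is meant to solve), and reports how many days of the 30-day compliance window remain. The host names, the patch identifiers (`KB-EXAMPLE-...`), the wave sizes for "a few" and "a handful", the 75% figure for "most", and the scan results are all constructed for illustration.

```python
"""Staged patch rollout planner and verification report.

Added example; assumes an inventory where each host is a server or an
endpoint with a critical flag, and a scanner that reports which patch
identifiers are installed on each host. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Host:
    name: str
    kind: str        # "server" or "endpoint"
    critical: bool


def plan_waves(hosts, most_fraction=0.75):
    """Return {week: [host names]} following the article's four-week plan.

    Waves are cumulative: every week re-targets the hosts already patched
    plus the new ones. Counts for "a few" (3), "a handful" (10) and "most"
    (75% of non-critical servers) are assumptions made for this example;
    the 200 and 1000 endpoint figures come from the plan itself.
    """
    noncrit = [h for h in hosts if h.kind == "server" and not h.critical]
    crit = [h for h in hosts if h.kind == "server" and h.critical]
    endpoints = [h for h in hosts if h.kind == "endpoint"]
    most = max(1, int(len(noncrit) * most_fraction))
    limits = [
        (3, 0, 10),                                   # week 1
        (most, 0, 200),                               # week 2
        (len(noncrit), 3, 1000),                      # week 3
        (len(noncrit), len(crit), len(endpoints)),    # week 4: everything
    ]
    waves = {}
    for week, (n_nc, n_c, n_e) in enumerate(limits, start=1):
        # Slicing past the end of a list simply takes every host in it.
        waves[week] = [h.name for h in noncrit[:n_nc] + crit[:n_c] + endpoints[:n_e]]
    return waves


def verify_wave(expected_hosts, required_patches, scan_results):
    """Compare what should be installed against what the scanner saw.

    Returns {host: [missing patch ids]} for every host that is not fully
    patched. A host absent from the scan is reported as "NOT SCANNED":
    an unreachable host is not a patched host.
    """
    problems = {}
    for name in expected_hosts:
        if name not in scan_results:
            problems[name] = ["NOT SCANNED"]
            continue
        gap = set(required_patches) - scan_results[name]
        if gap:
            problems[name] = sorted(gap)
    return problems


def days_remaining(release, today, window_days=30):
    """Days left in the compliance window (negative means already overdue)."""
    return (release + timedelta(days=window_days) - today).days


# --- constructed sample data -------------------------------------------------
SAMPLE_HOSTS = (
    [Host(f"srv-app{i:02d}", "server", False) for i in range(1, 9)]    # 8 non-critical
    + [Host(f"srv-db{i:02d}", "server", True) for i in range(1, 5)]    # 4 critical
    + [Host(f"ws-{i:04d}", "endpoint", False) for i in range(1, 1501)]  # 1500 endpoints
)
REQUIRED_PATCHES = {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}   # placeholder ids


def sample_scan(wave_hosts):
    """Constructed scanner output: one endpoint missed a patch, one server
    was powered off and never scanned."""
    results = {name: set(REQUIRED_PATCHES) for name in wave_hosts}
    results["ws-0007"].discard("KB-EXAMPLE-0002")
    del results["srv-app02"]
    return results


def week_one_report():
    waves = plan_waves(SAMPLE_HOSTS)
    return verify_wave(waves[1], REQUIRED_PATCHES, sample_scan(waves[1]))


if __name__ == "__main__":
    waves = plan_waves(SAMPLE_HOSTS)
    for week, names in waves.items():
        print(f"week {week}: {len(names)} hosts targeted")
    print("week 1 problems:", week_one_report())
    # Constructed dates: patch released 1 Jan, report run on 20 Jan.
    print("days left in window:", days_remaining(date(2024, 1, 1), date(2024, 1, 20)))
```

The report deliberately treats "not scanned" as a failure rather than silently skipping the host; that distinction is what the weekly scan step is for, and it is the case where a Wake-on-LAN schedule or a follow-up on an offline machine is needed before the wave can be called complete.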
I would recommend WoL (Wake-on-LAN) on all endpoints to ensure that systems are turned on to receive patches. If a patch does cause trouble for your systems, uninstall that patch from the systems affected and remove the patch from the rollback plan. Write up a reason for not deploying that patch and contact the vendor to help resolve the issues that you are facing.
The bottom line here is to make sure that all systems are patched in a timely manner so that the low-hanging fruit for hackers is removed and no longer exploitable. As stated earlier, major security breaches could have been prevented with proper patching plans in place. The simple act of keeping your enterprise's patches up to date can be the difference between cyber-defense and cyber-disaster.
Matthew McDonell is a Full-Time Instructor at SecureSet Academy's Denver campus. Matthew is an IT professional with 20 years of experience who has helped several large enterprises secure their operations. He architected and secured a top-1000 website company, including implementing Level 3 PCI-DSS compliance. He has led multiple teams in designing and implementing security policy and procedure, thereby improving the state of cybersecurity in those organizations.