Zero-day attacks may garner all the headlines, but the vast majority of compromised systems aren’t the result of such attacks. Most security problems occur when old, known bugs are exploited — bugs for which patches have been available for months or even years.
Attackers recognize this, and security teams should know it too, which is why proper patching always ranks high on the annual “Top 10” list of things to do to keep networks secure. That’s easier said than done, however, so here are five tips for keeping systems up to date.
Numerous software makers, including Microsoft, offer products to automate patch management, especially in managed Windows Active Directory environments. These inexpensive products are usually easy to manage and offer additional control over timing, bandwidth savings and centralized reporting. They deliver quick results with minimal investment.
Many IT managers equate patching with Windows clients, but every device on the network needs regular updates: Mac and Linux workstations, servers of all types, printers, embedded devices, network and security appliances, and anything with an Ethernet cable. It’s appropriate to pay a lot of attention to Windows workstations, but that’s only part of the picture. Proper patch management requires paying attention to every device.
Many IT managers see bring-your-own-device initiatives as fundamentally breaking their patch management strategy, which is accurate. But just because BYOD changes everything doesn’t mean that patching goes out the window. It simply means that personal devices call for a different strategy for patch management than managed devices.
Unfortunately, good BYOD strategies may not mesh with existing software update tools and security configurations. Savvy IT managers will find BYOD solutions that complement existing security practices, rather than require a network overhaul. Rethinking security strategies, such as patch management, is healthy — but BYOD doesn’t require starting from scratch.
One valuable lesson is that patch management tools need an automated auditor to check that things are being updated. Just because the patch management tool says that a network is 98 percent patched doesn’t mean that all network devices are really at that level of compliance.
Network access control products, which can verify the patch status of a device as it connects to the network, can perform this task. Using NAC for endpoint compliance checking tends to work best in well-controlled LAN environments, but not as well in heterogeneous, uncontrolled or WAN deployments.
Some IT managers turn to vulnerability scanners to gain the same type of information about endpoint compliance, a different approach that comes with its own pros and cons. No matter what technology is chosen, organizations need an independent view of the status of everything attached to the network —not just the devices that are entered into the patch management database.
Using the word “compliance” with patch management is dangerous, because compliance is often seen as a quarterly reporting task designed to keep auditors happy. Compliance reports are generated, filed and produced when required. In fact, the inevitable exceptions and problems require constant attention.
If a server is marked as unpatchable for some reason, such as software incompatibility, this needs to be addressed with more than a one-line justification on an exception report. For example, if senior leaders are at the biggest risk for targeted phishing attacks, their notebooks and desktops can’t be exempted from regular updates. A proper risk analysis is required for any exception. “Because she’s the boss” isn’t a good enough reason to disregard best practices.