Patching: The least understood line of defense
by Doug Barney - GFI Software - Friday, 29 August 2014.
When it comes to security, only a total dope doesn't understand firewalls, anti-virus and at least the basics of passwords.

But how many end users, indeed how many IT pros, truly get patching? Sure, many of us see Windows install updates when we shut down our PC and think all is well. It's not. Our clients and especially our servers are exposed to all kinds of grief unless they are regularly and properly patched.

Even IT pros who understand patching too often hate it. Because of the myriad systems involved and the large number of patches, the process is not just constant, but can be extraordinarily complex. One can't just install a patch and forget it, as with Windows Updates where the fixes are well vetted. On servers in particular, patches may need to be tested, then installed, and too often reinstalled due to a bad patch or software conflicts. All to defend against an attack that may or may not happen.

Unfortunately, these attacks do happen all too often. The problem is two-fold. First, too few IT shops patch regularly. In fact, only 36% of small companies patch consistently, according to a recent study by the UK-based Federation of Small Business. That leaves an awfully big hole, as some 90% of exploits that succeed are made against unpatched systems.

So why are hackers so keen on exploiting unpatched systems? Because it is so darn easy. You see, patches fix holes, and in doing so they actually identify the hole. Knowing that not all people and shops will install the patches, hackers create exploits that attack these unpatched vulnerabilities.

The answer here is obvious: patch your clients and servers! The most obvious software to patch is from Microsoft, as its products are the most ubiquitous and used to be the most frequently attacked. This is no longer true. Bigger targets now include Adobe, Java and even Firefox. It is not unusual for Oracle to release dozens of Java fixes in a single month, and that number at times has hit well over 100.

The answer: patch well and often

Patching can be a complex process. There are more and more systems to patch and an ever-increasing number of holes to fill. Some patching is fairly simple, as with Windows Update, which pretty much installs the fixes itself. Other patches are less automated. And when patching complex systems such as server apps, these fixes can cause conflicts and instability, requiring IT to perform conflict testing before rolling out the repair.

The whole affair is far too complex and time-consuming to be done manually. An automated patching tool should be multi-platform, gather up the patches, set some priorities, and automatically install the patches properly.

Here are a few other tips to make patching easier and keep your systems safer:

Tip 1. Admit that you have a problem

With only 36% of small shops patching regularly, it is clear that most don't think there is a problem. At the same time, these shops are most likely fixing security problems they don't even realise came from a lack of patches.

Tip 2. Become a patch expert

By becoming a patch expert you can stop 90% of all successful hack attacks against you and your company. Articles like this are a good way to start, as are your key software vendors whose software you need to keep up to date anyway.

Tip 3. Pick tools and craft your processes

With your newfound patching knowledge, you should be ready to define proper processes and procedures. For larger shops this also means creating a team responsible for patching.

Processes include inventorying systems, applications and operating systems, and their current patch status. An asset management system, often built into patch management tools, is helpful here.

The tool you pick should also be multiplatform, automated as much as possible, and able to install updates and vendor service packs.
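
To make the inventory-and-priorities step concrete, here is an added sketch (not from the original article and not any vendor's tool) that compares an inventory against a patch feed and lists what is still missing, most urgent first. Every host name, product, version and patch ID is constructed, and ranking servers ahead of clients at equal severity is an assumption.

```python
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}
ROLE_RANK = {"server": 0, "client": 1}  # assumption: servers first at equal severity

# Constructed inventory: every host, product and version here is made up.
INVENTORY = [
    {"host": "srv-app1", "role": "server", "software": {"java": "7.0.9", "reader": "11.0.8"}},
    {"host": "pc-017", "role": "client", "software": {"java": "7.0.10", "browser": "31.0"}},
    {"host": "pc-042", "role": "client", "software": {"reader": "11.0.8", "browser": "30.2"}},
]

# Constructed patch feed: IDs are placeholders, not real advisories.
PATCHES = [
    {"id": "PATCH-A", "product": "java", "fixed_in": "7.0.10", "severity": "critical"},
    {"id": "PATCH-B", "product": "browser", "fixed_in": "31.0", "severity": "important"},
    {"id": "PATCH-C", "product": "reader", "fixed_in": "11.0.8", "severity": "critical"},
]


def parse_version(text):
    """Turn '7.0.10' into (7, 0, 10) so 7.0.9 sorts below 7.0.10."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(inventory, patches):
    """Return (host, patch_id) pairs still to install, most urgent first."""
    gaps = []
    for host in inventory:
        for patch in patches:
            installed = host["software"].get(patch["product"])
            if installed is None:
                continue  # product not on this host, so the patch does not apply
            if parse_version(installed) < parse_version(patch["fixed_in"]):
                gaps.append((SEVERITY_RANK[patch["severity"]],
                             ROLE_RANK[host["role"]],
                             host["host"], patch["id"]))
    return [(name, pid) for _, _, name, pid in sorted(gaps)]


def coverage(inventory, patches):
    """Share of hosts with no applicable patch outstanding."""
    behind = {name for name, _ in missing_patches(inventory, patches)}
    return (len(inventory) - len(behind)) / len(inventory)


if __name__ == "__main__":
    for name, pid in missing_patches(INVENTORY, PATCHES):
        print(f"{name}: install {pid}")
    print(f"fully patched hosts: {coverage(INVENTORY, PATCHES):.0%}")
```

Versions are compared as numbers because a plain string comparison would rank 7.0.9 above 7.0.10 and report the server as up to date.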

