Did you know that, according to a paper from the Center for Strategic and International Studies (CSIS), the vast majority of successful security breaches to corporate networks are made using basic techniques, and that by implementing just four critical security controls you could remove 85 to 90% of threats?
These four controls have been cut down from a list of 35 that a branch of the Australian government called the Defence Signals Doctorate put together based on their analysis of the cyber-attacks they were subject to. The four controls are:
- Regular Operating System Patching
- Regular Application Patching
- Application Whitelisting
- Removing unneeded Administrative Privileges
I will begin by delving into what a patch is, the benefits of applying patches, the reason that patches are sometimes not applied, and how 1E can help with patching. Other blogs later on will focus on the other areas.
Software patches are written to fix bugs and secure vulnerabilities within software once the software has been released and are typically provided at regular intervals for people to download. The patch should be installed as soon as is possible because what the vendor is actually saying is “we have found an issue with our product that we have deemed necessary to fix”. The seriousness of the vulnerability that the patch fixes are indicated by the severity level it has been given. Microsoft use low, moderate, important, and critical; the definition of each can be found here. Needless to say that important and critical patches must installed with a degree of urgency as once they have been released the hackers along with everyone else are informed that there is a vulnerability that can be taken advantage of, so time is of the essence.
The benefits of application patching are widely documented, vulnerabilities are removed and the software is better than when it was released. Many would-be hackers rely on the fact that a great deal of applications and operating systems are unpatched but are well publicised so need to not look very far to locate a suitable way to get into your systems; the paper written by the CSIS further claims that 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching alone. So why don’t companies patch their software in a suitable timeframe?
Some don’t think it is a problem because patching can be automated using systems like Configuration Manager, and therefore it should just take care of itself, but there are factors that arise that can make patching a more challenging task even though the vast majority of software patches are free to download, for example:
- If the device is switched off during the automated patching schedule then it cannot be patched and any vulnerabilities will remain.
- Often patches (especially security patches) require the user to reboot the device in order for a patch installation to complete, if a reboot is not carried out the patch is in effect not applied.
- The patch has to be delivered over limited bandwidth to remote locations or the bandwidth is heavily used.
All these factors can lead to ineffective patching and in some cases no patching at all. However it doesn’t have to be this way, there are technologies available that can help with the challenges described above. 1E can help you Benchmark your patching levels so you understand what your risk level currently is, as well as show you whether patches are deployed in a timely fashion. NightWatchman and Nomad can ensure that software is delivered utilising the available bandwidth for effective delivery of software including patches even if the device is switched off, and can ensure that devices are rebooted so patches are applied. So you don’t have to have unpatched and therefore unprotected software in your environment.
To request a free trial of any of the 1E solutions or to find out how 1E can help you identify what your patching levels currently are and how our products can help you with effective patching please contact us.
In Part Two of this series I will go into some detail on Application Whitelisting.