In today's world of technology small to medium businesses face ever-growing numbers of cyber threats. As technology evolves, so do the tactics of cybercriminals, making it crucial for businesses to stay one step ahead. One of the most effective ways to protect your business from these threats is through robust patch management – a protective measure often overlooked.
This blog is written by Myles Peart, technical director at NetSec. NetSec in collaboration with the Cyber Resilience Centre for Wales aims to provide comprehensive support and resources to help businesses implement effective patch management strategies. We understand the unique challenges that SMBs face every day in managing IT infrastructure and security.
We hope you find this helpful and welcome any feedback by sending your thoughts to blog@netsec.org.uk.
What is Patch Management?
Patch management is the process of identifying, obtaining, testing, and installing updates to software and systems. These patches are designed to fix vulnerabilities; known as security gaps.
Why is Patch Management Important?
Security
Compliance
Performance
Cost Savings
Cybercriminals often exploit known vulnerabilities in software to gain unauthorised access to systems. Regularly applying patches helps close these security gaps, protecting your business from potential breaches. Many industries have regulatory requirements that mandate regular patching of systems. Staying compliant not only avoids legal penalties but also builds trust with customers and partners. Patches often include performance improvements and bug fixes, ensuring that your systems run smoothly and efficiently. Addressing vulnerabilities through patch management can prevent costly data breaches and downtime, saving your business money in the long run.
Why Patch Management is Often Overlooked
Despite its importance, patch management is often overlooked by SMBs for several reasons. Many SMBs operate with limited IT resources, making it challenging to keep up with the constant stream of patches and updates.
Some business owners may not fully understand the critical role that patch management plays in cyber security.
Managing patches for a variety of software and systems can be complex and time-consuming, leading some businesses to delay or skip updates altogether. However, overlooking patch management can leave significant security gaps that cybercriminals are eager to exploit. It's essential to recognise that patch management is an ongoing process that requires continuous attention and effort.
The Role of CVSS Scoring in Patch Management
The Common Vulnerability Scoring System (CVSS) is a standardised framework used to assess the severity of security vulnerabilities. CVSS scores range from 0 to 10, with higher scores indicating more severe vulnerabilities. Understanding CVSS scores can help SMBs prioritise patches based on the potential impact of the vulnerabilities they address.
Here’s a summary on how CVSS is used to rate vulnerabilities:
Critical (9.0-10.0): Vulnerabilities with a critical CVSS score should be patched immediately, as they pose a significant risk to the business.
High (7.0-8.9): High-severity vulnerabilities should also be addressed promptly to prevent potential exploitation.
Medium (4.0-6.9): Medium-severity vulnerabilities should be patched in a reasonable timeframe, balancing the risk with available resources.
Low (0.1-3.9): Low-severity vulnerabilities may not require immediate attention but should still be patched as part of regular maintenance.
By leveraging CVSS scores, SMBs can make informed decisions about which patches to prioritise, ensuring that the most critical vulnerabilities are addressed first.
Best Practices for Effective Patch Management
Establish a clear policy that outlines the process for identifying, testing, and applying patches. This policy should include roles and responsibilities, as well as timelines for patch deployment. If your business is Cyber Essentials (including +) certified, the requirement is to patch high risk vulnerabilities within 14 days.
Utilise automated patch management tools to streamline the process. Automation ensures that patches are applied promptly and reduces the risk of human error. Operating system patches require device restarts, so consider using tooling which provides scheduled restarts to avoid users preventing them from being applied. Modern patch management tooling provides customisable settings – for example, users can delay a restart but only a certain number of times and for a restricted length of time.
Not all patches are created equal. Prioritise patches based on the severity of the vulnerabilities they address and the criticality of the systems they affect.
Always test patches in a controlled environment before deploying them to production systems. This helps identify any potential issues that could disrupt business operations. This doesn’t have to be the case for all patches, but critical systems should be carefully considered.
Continuously monitor systems for new vulnerabilities and review the effectiveness of your patch management process. Regular audits can help identify areas for improvement.
Choosing the right tooling is key to success with patch management. Quickly it can become a large task and without adequate software lifecycle management, it can easily leave gaps. Application control (or known as whitelisting/blacklisting) is also another feature to consider managing the introduction of new software – patch management and application control go together.
Many platforms such as G-suite or Microsoft have built in tools, however managing third party applications has always been a tough task. There are third-party products that integrate with Microsoft and gives overall visibility of each device, the installed apps, and can deploy third party patches without any user intervention.
So, let’s look at some real-world examples.
Example 1: Consider the case of a small retail business that experienced a data breach due to an unpatched vulnerability in their point-of-sale (POS) system. The breach resulted in the theft of customer credit card information, leading to significant financial losses and reputational damage. By implementing a robust patch management process, the business could have prevented the breach and safeguarded their customers' data.
Example 2: Consider the case of a medium-sized manufacturing company that faced frequent system crashes and performance issues due to outdated software. After adopting an automated patch management solution, the company saw a marked improvement in system stability and efficiency, allowing them to focus on their core operations without disruptions.
Example 3: On June 27, 2017, confused Maersk employees are showing up at the IT helpdesk with their laptops in their hand. The numbers were increasing by the minute. Their laptops were encrypted and very much useless at this point. Maersk was hit with the most popular ransomware attack in the history of the internet. 56,000 devices were encrypted in just a few minutes. 100% of the devices connected to the Maersk network were encrypted. Maersk ships 25% of the world's food supply and the whole operation came to a grinding halt due to this ransomware attack.
What happened?
There are several lessons to learn from this story and the biggest one is about securing your systems. The attack on Maersk originated from their supplier that provided the accounting package to the company. The supplier’s servers got compromised due to vulnerability from a lack of patching, and the malware was injected into the software update and every company that’s using the package was hit.
The attack cost Maersk a total of $350,000,000 and an overall cost of $10 billion to all the businesses that were impacted because of this particular ransomware attack.
These examples are just the tip of the iceberg. Patch management is a critical component of a robust cybersecurity strategy. By staying proactive and diligent in applying patches, SMBs can protect their systems, ensure compliance, and maintain optimal performance. Remember, the key to cyber resilience lies in continuous improvement and collaboration.
For more information on how NetSec and the Cyber Resilience Centre for Wales can support your business, visit our websites or contact us directly.
T: 02922676712
Comments