Patch Early, Patch Often

Happy Friday the 13th.  October is Cybersecurity Awareness Month, and this week’s theme is Cybersecurity in the Workplace is Everyone’s Business.  Often it is the simple things that work best.  Turning on automatic updates for Windows and other Microsoft products, and promptly applying updates and patches for Adobe, Apple, Android, and other software, is often the best way to close the door on a new exploit or attack.  For instance, the Microsoft vulnerability that WannaCry used to circle the globe in May had been patched by Microsoft in March (security bulletin MS17-010).  Only the people and businesses that had not applied the patch were affected.

As it happens, most individual and consumer systems get patched automatically without a second thought.  Businesses, on the other hand, mostly use some sort of patch management system, and patching is often delayed to allow for testing.  The reason is that many businesses depend on custom-written line-of-business applications.  A patch that causes one of these applications to fail is frequently never applied at all.  Often these applications run in place for years without receiving any security updates themselves, and many times they are running on servers with outdated, unsupported operating systems.  Sometimes the application is an off-the-shelf business product, but the company using it has been unwilling to bear the expense of upgrading to the latest version.

Decisions like these leave the company and its computer network vulnerable to attack and exploitation.  Many times these decisions are driven by financial considerations, but in reality you are trading the known cost of the upgrade for the unknown, and sometimes significantly larger, cost of a cybersecurity incident or breach.

If you are tasked with running the patch management system at your company or organization, take a look at the delays you are building into the patching process.  Are they really necessary?  Could they be shorter?  Could you be applying patches sooner?  Often a patch that caused problems when it was first released has since been rewritten, or the software vendor has updated their own code so that the security patch can be applied.

The next time you have a vulnerability scan and assessment done, take a look at the unpatched vulnerabilities and decide which of these patches it is now safe to apply.  October is National Cybersecurity Awareness Month, and this week’s theme is Cybersecurity in the Workplace is Everyone’s Business, so this is a great time to review the issue in your business.
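The two review steps above (measure the delays you have built in, then re-check each deferred patch against the scan results) can be turned into a small script.  The Python below is an added example, not code from the original post or from The WyzCo Group.  It assumes a scan export has been reduced to a list of findings, each with the host, the missing patch, the date the vendor released it, the reason it was deferred (if any), and the date the blocking line-of-business application was last updated.  MS17-010 and its 14 March 2017 release date are real; the host names, the other patch identifiers, and the deferral reasons are constructed for the example.

```python
"""Added example: review patch deferrals against a vulnerability-scan export.

Each finding records a host, the missing patch, when the vendor released it,
why it was held back (if it was), and when the line-of-business application
that blocked it was last updated.  The review computes the exposure window
for every finding and says which deferrals deserve a second look.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    host: str                                    # scanned system (constructed names below)
    patch_id: str                                # vendor bulletin / patch identifier
    released: date                               # date the vendor published the patch
    deferred_reason: Optional[str] = None        # why the patch was held back, if it was
    blocking_app_updated: Optional[date] = None  # last update of the app that broke


def exposure_days(f: Finding, as_of: date) -> int:
    """Days the vulnerability has been fixable but still unpatched on this host."""
    return (as_of - f.released).days


def verdict(f: Finding, as_of: date, max_deferral_days: int = 30) -> str:
    """Classify one finding for the patch-management review."""
    if f.deferred_reason is None:
        return "apply now: no recorded reason for the delay"
    if f.blocking_app_updated is not None and f.blocking_app_updated > f.released:
        # The vendor shipped an update to the blocking app after the patch came out,
        # so the original breakage may already be fixed.
        return "re-test: blocking application was updated after the patch shipped"
    if exposure_days(f, as_of) > max_deferral_days:
        return "re-test: deferral exceeds %d days" % max_deferral_days
    return "deferred: still inside the testing window"


def review(findings: List[Finding], as_of: date, max_deferral_days: int = 30):
    """Return one row per finding, longest exposure first, each with a verdict."""
    rows = [
        {"host": f.host, "patch": f.patch_id,
         "exposure_days": exposure_days(f, as_of),
         "verdict": verdict(f, as_of, max_deferral_days)}
        for f in findings
    ]
    rows.sort(key=lambda r: r["exposure_days"], reverse=True)
    return rows


# Constructed sample findings.  MS17-010 and its release date are real; the hosts,
# the PATCH-EXAMPLE-* identifiers, and the deferral reasons are made up.
SAMPLE_FINDINGS = [
    Finding("FILESRV01", "MS17-010", date(2017, 3, 14)),
    Finding("APPSRV02", "MS17-010", date(2017, 3, 14),
            deferred_reason="broke custom LOB app at first test",
            blocking_app_updated=date(2017, 4, 20)),
    Finding("DBSRV03", "PATCH-EXAMPLE-1", date(2017, 2, 1),
            deferred_reason="vendor does not support patched OS"),
    Finding("WS-017", "PATCH-EXAMPLE-2", date(2017, 5, 1),
            deferred_reason="in test ring"),
]

# 12 May 2017 is the day WannaCry began spreading.
AS_OF = date(2017, 5, 12)


def sample_review():
    """Run the review over the constructed findings as of the WannaCry outbreak."""
    return review(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for row in sample_review():
        print("%-10s %-16s %4d days  %s" % (row["host"], row["patch"],
                                            row["exposure_days"], row["verdict"]))
```

Run as-is it shows the unpatched file server sitting 59 days behind MS17-010 with no reason recorded, the application server whose blocking app has since been updated by its vendor (and so should be re-tested), and a database server whose deferral is now far past the 30-day window.  Feed it the real export from your scanner and the rows at the top of the list are the delays worth questioning first.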


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
