How to Avoid the Pitfalls of Poor Patch Management
Both Verizon and Symantec released their Internet security reports last week, and the news is sobering to say the least. More than 317 million new pieces of malware were created last year, meaning that nearly one million new threats were released each day.
Twenty-four of them were so-called “zero-day” exploits — attacks that take advantage of system or network vulnerabilities the same day those vulnerabilities are revealed. Perhaps the most famous was the Heartbleed bug, which involved a vulnerability in the OpenSSL encryption used by many websites. Cybercriminals were able to exploit Heartbleed within four hours after it was discovered by a member of Google’s security team.
But despite the increasing sophistication of many cyberattacks, most cybercriminals rely upon decades-old techniques exploiting vulnerabilities that have been open for years. Verizon’s report noted that 70 percent of cyberattacks use some combination of phishing and hacking, and many of the vulnerabilities exploited by hackers can be traced to 2007. These vulnerabilities remain open even though security patches are available to fix them.
Patch management is the process of repairing vulnerabilities in an organization’s IT infrastructure in order to maintain network security. Software fixes, or patches, are strategically deployed to applications, servers and other components of the IT infrastructure to help protect against cyberattacks.
Because patch management requires time, personnel and resources that most small to midsize businesses (SMBs) lack, security holes often go unplugged. Today’s increasingly complex networks have brought an increasing number of patches, which can be applied in different ways and should be prioritized based upon the potential impact on the organization. Patches also require comprehensive testing to ensure that they’ll actually work in your IT environment without causing system problems or hampering network performance.
For example, Microsoft is known for “Patch Tuesday,” its release of security patches on the second Tuesday of each month. Last week Microsoft issued 11 security bulletins addressing 26 vulnerabilities, four of which were marked as critical and one that covered a zero-day exploit. The pace of patch releases continues to increase — Microsoft issued a second round of 34 patches this week.
While consumers are accustomed to having these patches automatically installed on their PCs, IT managers have to approach patches with caution. Patches are often buggy or have installation problems. Needless to say, patch testing and management can be complicated in the data center.
Attempting to patch vulnerabilities on the fly is a recipe for disaster because it’s virtually impossible to keep up with the volume of patches. Patch management tools enable you to automate the process, but only after taking inventory of your software and configuring policies for patch deployment.
A better approach, especially for SMBs with limited in-house IT resources, is to outsource patch management to a managed services provider. A managed services provider will ensure that patches are prioritized, tested, scheduled and kept up to date. Your organization will be protected against threats that can result in costly downtime and data loss.
Don’t put patch management on the back burner. Let ICG help you develop a patch management strategy that keeps your organization protected.