Poor Patch Management – A Cyber Security Risk

September 8, 2017


The effects of poor patch management were brought to the fore by the global ransomware attack that affected over 150 countries and scores of organizations in the second quarter of 2017. The ransomware exploited a vulnerability in the Windows operating system. In all fairness to Microsoft, the operating system vendor, a patch to address this vulnerability had been released in the first quarter of 2017 – March 2017 to be precise. However, most organizations had yet to patch their systems, and this ultimately led to the global spread and success of the ransomware attack.

One would have expected the global attack to have been a wake-up call for organizations’ security experts, and perhaps for the CEOs of top corporations, to take patch management seriously; unfortunately, six months down the line, many organizations have still not applied the relevant patch.

While organizations may have some seemingly justifiable excuses for not patching their systems, a number of the other excuses are rather pedestrian considering the impact an exploited unpatched system could have on the organization.

Some of the seemingly justifiable excuses include:

  1. Testing patch sets takes time, hence the delay in applying the patches.
  2. The system is critical, downtime cannot be afforded, and no redundant system exists to fail over to.
  3. The operating system (OS) has reached its end of life, but the critical application cannot function on a newer version of the OS.

In accepting some of these seemingly justifiable excuses, organizations should take into consideration their risk appetite, criticality of IT assets and the existence of compensating controls amongst others; this will help them take adequate measures to address patch management risks.

The root causes of poor patch management in organizations have been traced to:

  • Weak asset inventory management
  • The absence of a patch management policy or procedure
  • Non-adherence to documented patch management policies or procedures
  • Unmonitored patch deployments
  • The absence of a dedicated IT resource to oversee patch management

To address a number of the risks posed by poor patch management, organizations should, amongst other measures, consider:

  • Documenting and implementing policies and procedures for patch management, and ensuring adherence to them.
  • Maintaining a comprehensive inventory of all IT assets (hardware and software). It is difficult to protect what you do not know exists, and a properly maintained inventory ensures that decommissioned systems are not left unpatched on your network.
  • Where possible or applicable, automating and monitoring the patch deployment process.
  • Maintaining a test environment where patches are tested before deployment to production.
  • Periodically scanning the enterprise network with vulnerability assessment tools to identify missing patches, in case there was a slip in the deployment process.
  • Having management make dedicated resources available for the timely testing and deployment of patches across the enterprise.
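One way to put the inventory, monitoring and scanning recommendations above into practice is a reconciliation check: cross-reference the asset inventory against what the patch tool or vulnerability scanner actually reports, and flag the gaps each recommendation is meant to close (hosts on the network that are not in the inventory, decommissioned hosts still answering, hosts with no patch data at all, required patches outstanding beyond the SLA, and operating systems past vendor end of life). The Python script below is an added example written for this page, not code from the article or its author. Every hostname, patch ID (the `KB-EX-…` values), criticality, SLA figure and the shape of the patch report are constructed assumptions; the OS end-of-life dates are the vendor's published dates, but their assignment to hosts is constructed too.

```python
"""Reconcile an asset inventory against a patch-status report (added example).

All hosts, patch IDs, criticalities and SLA figures below are constructed for
illustration; the report format is an assumption about what a patch tool or
vulnerability scanner might export.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    os_eol: date          # vendor end-of-life date for the OS, recorded in the inventory
    criticality: str      # "high", "medium" or "low", as classified by the asset owner
    decommissioned: bool = False


@dataclass(frozen=True)
class RequiredPatch:
    patch_id: str
    os: str
    released: date        # vendor release date, used to measure how long it is outstanding


# Constructed inventory: what the organization believes is on its network.
INVENTORY = [
    Asset("fs01", "Windows Server 2012 R2", date(2023, 10, 10), "high"),
    Asset("web01", "Windows Server 2012 R2", date(2023, 10, 10), "medium"),
    Asset("hr-app01", "Windows Server 2003", date(2015, 7, 14), "high"),
    Asset("old-db01", "Windows Server 2012 R2", date(2023, 10, 10), "low", decommissioned=True),
    Asset("wks-042", "Windows 7", date(2020, 1, 14), "low"),
]

# Constructed patch-status report: hostname -> patch IDs found installed.
PATCH_REPORT = {
    "fs01": {"KB-EX-0001", "KB-EX-0002"},
    "web01": {"KB-EX-0001"},
    "old-db01": set(),          # decommissioned on paper, still answering on the network
    "lab-pc": {"KB-EX-0001"},   # answering on the network, but not in the inventory at all
    "hr-app01": set(),
}

# Constructed policy: patches each OS must carry. Note that no patch exists for
# the end-of-life OS, which is exactly why it needs compensating controls instead.
REQUIRED_PATCHES = [
    RequiredPatch("KB-EX-0001", "Windows Server 2012 R2", date(2017, 3, 14)),
    RequiredPatch("KB-EX-0002", "Windows Server 2012 R2", date(2017, 6, 13)),
    RequiredPatch("KB-EX-0003", "Windows 7", date(2017, 3, 14)),
]

# Constructed SLA: maximum days a required patch may remain uninstalled, by criticality.
SLA_DAYS = {"high": 14, "medium": 30, "low": 90}


def reconcile(inventory, patch_report, required, today):
    """Cross-check inventory, patch report and policy; return findings by category."""
    required_by_os = {}
    for p in required:
        required_by_os.setdefault(p.os, []).append(p)

    active = {a.hostname: a for a in inventory if not a.decommissioned}
    decommissioned = {a.hostname for a in inventory if a.decommissioned}

    findings = {
        "unknown_hosts": [],      # reporting on the network, absent from the inventory
        "zombie_hosts": [],       # decommissioned in the inventory, still reporting
        "unmonitored_hosts": [],  # in the inventory, but no patch data at all
        "missing_patches": [],    # (host, patch_id, days_outstanding, sla_breached)
        "eol_os": [],             # OS past vendor end of life: no patches will come
    }

    # Inventory hygiene: anything the scanner sees that the inventory does not explain.
    for host in sorted(patch_report):
        if host in decommissioned:
            findings["zombie_hosts"].append(host)
        elif host not in active:
            findings["unknown_hosts"].append(host)

    # Patch status for every active asset the inventory knows about.
    for host, asset in sorted(active.items()):
        if asset.os_eol < today:
            findings["eol_os"].append(host)
        if host not in patch_report:
            findings["unmonitored_hosts"].append(host)
            continue
        installed = patch_report[host]
        for p in required_by_os.get(asset.os, []):
            if p.patch_id not in installed:
                outstanding = (today - p.released).days
                breached = outstanding > SLA_DAYS[asset.criticality]
                findings["missing_patches"].append((host, p.patch_id, outstanding, breached))
    return findings


def run_example(today=date(2017, 9, 8)):
    """Run the reconciliation over the constructed data as of the article's date."""
    return reconcile(INVENTORY, PATCH_REPORT, REQUIRED_PATCHES, today)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

Run on the constructed data, the check reports `lab-pc` as an unknown host, `old-db01` as a decommissioned host still on the network, `wks-042` as an asset with no patch data, `web01` as missing `KB-EX-0002` for 87 days against a 30-day SLA, and `hr-app01` as running an end-of-life OS. Each of those is a different failure the recommendations above address, and a real deployment would feed the findings into ticketing rather than printing them.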

The threat that poor patch management poses to an organization’s cyber hygiene is real, but it can be avoided, or at least minimized. The CEO of the shipping line Maersk was quoted as saying that the impact of the global ransomware attack could cost the organization between $200m and $300m; not all organizations can survive such losses.

While the recommendations above are not an exhaustive list, organizations should take their risk appetite, the criticality of their assets and the presence of compensating controls into consideration when implementing them.

Tony Ayaunor is an Information Systems Auditor and a Cyber Security enthusiast.

5 Comments
  1. I quite agree Masod and Tony! Good insights. Please keep them coming

  2. Testing new patches on the environment needs more resources and time, which is another reason why small organizations hesitate to do patch upgrades.

  3. Agreed. I would add poor IT governance as a contributing factor for running legacy applications or equipment that cannot function with a higher level of OS.
