Poor Patch Management - A Cyber Security Risk
The effects of poor patch management were brought to the fore by the global ransomware attack that affected over 150 countries and scores of organizations in the second quarter of 2017. The ransomware exploited a vulnerability in the Windows operating system. In all fairness to Microsoft, the operating system OEM, a patch to address this vulnerability had been released in the 1st quarter of 2017 - March 2017 to be precise. However, most organizations were yet to patch their systems. This ultimately led to the global spread and success of the ransomware attack.

One would have expected that the global attack would have created an awakening amongst organizations' security experts and perhaps CEOs of top corporations to take the issue of patch management seriously; unfortunately, 6 months down the line, so many organizations are yet to apply the patch.

While organizations may have some seemingly justifiable excuses for not patching their systems, a number of the other excuses are rather pedestrian considering the impact that not patching systems could have on the organization if exploited.

Some of the seemingly justifiable excuses include:
- Testing of patch sets takes time hence the delay in applying the patches.
- The system is critical, we cannot afford downtime, and no redundancy exists for the system either.
- The Operating System (OS) has reached its end of life, but the critical application cannot function on a higher version of the OS.

- Weak asset inventory management
- The absence of a patch management policy or procedure
- No adherence to documented patch management policies or procedures
- Unmonitored patch deployments
- Absence of a dedicated IT resource to oversee patch management

To address a number of the risks posed by poor patch management, organizations should, amongst others, consider:
- Documenting and implementing policies and procedures for patch management, and ensuring adherence to these policies and procedures.
- Maintaining a comprehensive inventory of all IT assets (hardware and software). It is difficult to protect what you do not know exists. A properly maintained inventory will ensure that you do not leave decommissioned systems unpatched on your network.
- Where possible or applicable, automating and monitoring the patch deployment process.
- Maintaining a test environment where patches are tested before deployment to production.
- Periodically scanning their enterprise network with vulnerability assessment tools to identify missing patches, in case there was a slip in the deployment process.
- Having management make dedicated resources available for the timely testing and deployment of patches in the enterprise.