
Poor Patch Management - A Cyber Security Risk

September 8, 2017

The effects of poor patch management were brought to the fore by the global ransomware attack that hit over 150 countries and scores of organizations in the second quarter of 2017. The ransomware exploited a vulnerability in the Windows operating system. In fairness to Microsoft, the operating system vendor, a patch addressing this vulnerability had been released in the first quarter of 2017 (March 2017, to be precise). However, most organizations had yet to apply it. That gap between patch release and patch deployment is what allowed the ransomware to spread globally and succeed.

One would have expected the global attack to create an awakening among organizations' security experts, and perhaps among the CEOs of top corporations, to take patch management seriously. Unfortunately, six months down the line, many organizations have still not applied the relevant patch. While organizations may have some seemingly justifiable excuses for not patching their systems, many of the other excuses are rather pedestrian considering the impact an exploited, unpatched system could have on the organization. The seemingly justifiable excuses include:
  1. Testing patch sets takes time, hence the delay in applying them.
  2. The system is critical, downtime cannot be afforded, and no redundant instance of the system exists.
  3. The Operating System (OS) has reached end of life, but the critical application cannot run on a newer OS version.
In accepting any of these excuses, organizations should weigh their risk appetite, the criticality of the IT assets concerned and the existence of compensating controls (for example, network isolation of a system that cannot be patched), among other factors; this lets them take measures proportionate to the patch management risk they are carrying. The root causes of poor patch management in organizations can be traced to:

  • Weak asset inventory management
  • The absence of a patch management policy or procedure
  • Non-adherence to documented patch management policies or procedures
  • Unmonitored patch deployments
  • Absence of a dedicated IT resource to oversee patch management

To address the risks posed by poor patch management, organizations should, among other measures, consider:
  • Documenting and implementing policies and procedures for patch management, and ensuring adherence to them.
  • Maintaining a comprehensive inventory of all IT assets (hardware and software). It is difficult to protect what you do not know exists. A properly maintained inventory also ensures that systems believed to be decommissioned are not left unpatched on the network.
  • Automating and monitoring the patch deployment process where possible or applicable.
  • Maintaining a test environment where patches are tested before deployment to production.
  • Periodically scanning the enterprise network with vulnerability assessment tools to identify missing patches, in case there was a slip in the deployment process.
  • Having management make dedicated resources available for the timely testing and deployment of patches across the enterprise.
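The inventory, monitoring and scanning recommendations above only pay off when the three data sets are reconciled against each other. The script below is an added example, not part of the original post: it takes a constructed asset inventory and constructed vulnerability-scan output (the hostnames, patch IDs such as "PATCH-A", release dates and per-criticality deployment SLAs are all placeholder assumptions) and reports the four kinds of slip a practitioner wants surfaced: hosts with a patch past its deployment deadline, hosts the scanner found that the inventory does not know about, inventoried hosts the scanner never reached, and "decommissioned" hosts that are still answering on the network.

```python
from datetime import date, timedelta

# Constructed sample asset inventory (placeholder hosts, not real systems):
# hostname -> record with criticality and decommissioning status.
INVENTORY = {
    "fs01":      {"criticality": "high",   "decommissioned": False},
    "web02":     {"criticality": "medium", "decommissioned": False},
    "db01":      {"criticality": "high",   "decommissioned": False},
    "old-print": {"criticality": "low",    "decommissioned": True},
}

# Constructed vulnerability-scan output: hostname -> set of patch IDs the
# scanner reports as missing. "PATCH-A/B/C" are placeholder identifiers.
SCAN = {
    "fs01":      set(),                      # fully patched
    "web02":     {"PATCH-A", "PATCH-C"},
    "old-print": {"PATCH-A", "PATCH-B"},     # marked decommissioned, still alive
    "lab-vm7":   {"PATCH-A"},                # never entered in the inventory
}

# Assumed release dates for the placeholder patches and an assumed
# deployment SLA (days after release) per asset criticality.
RELEASED = {
    "PATCH-A": date(2017, 3, 14),
    "PATCH-B": date(2017, 6, 13),
    "PATCH-C": date(2017, 9, 1),
}
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def deadline(patch, criticality):
    """Date by which a patch must be deployed on an asset of this criticality."""
    return RELEASED[patch] + timedelta(days=SLA_DAYS[criticality])


def reconcile(inventory, scan, today):
    """Cross-check scan results against the inventory and return the slips.

    Returns a dict with:
      overdue   - (host, patch, days_overdue) tuples, worst first
      unknown   - hosts seen by the scanner but absent from the inventory
      unscanned - live inventoried hosts the scanner never reached
      zombie    - hosts recorded as decommissioned that still answer scans
    """
    report = {"overdue": [], "unknown": [], "unscanned": [], "zombie": []}

    for host, missing in scan.items():
        rec = inventory.get(host)
        if rec is None:
            # Cannot protect what you do not know exists.
            report["unknown"].append(host)
            continue
        if rec["decommissioned"]:
            # Inventory says it is gone, the network says otherwise.
            report["zombie"].append(host)
            continue
        for patch in sorted(missing):
            due = deadline(patch, rec["criticality"])
            if today > due:
                report["overdue"].append((host, patch, (today - due).days))

    for host, rec in inventory.items():
        if not rec["decommissioned"] and host not in scan:
            # A deployment slip nobody would notice without the scan.
            report["unscanned"].append(host)

    report["overdue"].sort(key=lambda r: -r[2])
    return report


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, SCAN, date(2017, 9, 8)).items():
        print(f"{kind}: {items}")
```

Run on the constructed data as of 8 September 2017, "web02" shows "PATCH-A" 148 days past its 30-day medium-criticality deadline while "PATCH-C" is still within SLA, "lab-vm7" is an unknown asset, "db01" was never scanned and "old-print" is a zombie. In a real deployment the two dictionaries would be populated from the CMDB export and the scanner's report, and the SLA table from the organization's patch management policy.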
The threat that poor patch management poses to an organization's cyber hygiene is real, but it is avoidable, or at least can be minimized. The CEO of the shipping line Maersk was quoted as saying that the impact of the global ransomware attack could cost the organization between $200m and $300m; not every organization can survive such losses. While the recommendations above are not an exhaustive list, organizations should take into consideration their risk appetite, the criticality of their assets and the presence of compensating controls when implementing them.

Tony Ayaunor is an Information Systems Auditor and a Cyber Security enthusiast.