Your systems are updating… and new patches are being installed. In theory, your security is being updated to optimum performance levels – or is it?
In our work as cyber security advisors (including as accredited Cyber Essentials (CE) and Cyber Essentials Plus (CE+) assessors) , we carry out a range of technical tests to determine if clients’ systems are adequate to protect them from the vast majority of low level cyber threats. One of these tests covers patch management – a patch being a piece of software designed to update a computer program or its supporting data.
Although meant to fix security vulnerabilities and other bugs, patching can sometimes introduce new problems or, in worst case scenarios, server failure. Whether you are a large organisation or a small or medium enterprise (SME), this can be damaging. So, to help you do what you can to prevent patching problems, we share some of our experiences and offer some prevention tips.
Situations when patching didn’t work
Assuming patching has taken place. Microsoft’s System Centre Configuration Manager (SCCM) enables administrators to manage the deployment and security of devices and applications across an enterprise. We’ve seen instances where SCCM reports over 99% patch success but many machines are missing patches.
If Windows Server Update Services (WSUS) is set to automatic, patching may not happen – this may be due to not adding all products to WSUS. For example, if you update to Windows 10 and don’t select Windows 10 in WSUS the computers will say ‘no updates available’ for all Windows 10 computers.
Not applying additional configuration steps for Windows patches. Microsoft sometimes release security patches with additional steps which normally include adding a registry key – but there is no notification unless you read the accompanying knowledge base article. So, the patch gets missed until you run a vulnerability scan. We’ve spotted this on almost all the CE+ assessments we’ve done.
Using third-party patch tools. Third-party patch tools may only patch systems that are connected when the patch is deployed. If a machine is turned off or out of the office, it doesn’t receive the patch unless it’s manually deployed again by the IT team when the machine is connected – so you mistakenly think you’ve been updated. This is why third – party applications are easy targets for cyber criminals.
To illustrate this, third-party software such as Adobe Reader and Java are often not being patched. Without third-party software to do this, you need to manually package the updates for WSUS or have your IT team install them on every computer – both time-consuming options. Alternatively, you can give the users local administration rights to install themselves, which is not recommended and relies on the user to manage updates.
Setting all computers to get updates from the internet – rather than using WSUS. Updating all computers from the internet individually can cause the internet to be really slow as they all download the same updates. Depending on the internet speed and number of computers, updating from the internet may be acceptable – but it’s hard to monitor to ensure patches have been applied.
Running vulnerability assessments with incorrect settings. A vulnerability assessment is designed to find deficiencies in your network, which could be missing patches or have an incorrect configuration. Get the settings wrong and everything may look fine – but won’t be.
Specific patching advice for SMEs
While many large organisations have patching down to a fine art, SMEs may struggle to know the best approach. We recommend:
Use automated patching software. In our own business, we use software which automatically downloads the latest third-party patches and installs them automatically without the user needing local administration rights. It can also download and deploy Windows updates.
Regularly (monthly) check WSUS and other patch software. By checking the status, you’ll find machines that are not patching. CE says high-risk and critical security patches should be installed within 14 days. Governance is required to ensure checks are carried out.
Regularly (monthly) check for updates for other software and devices that don’t support automatic patching. Compile a spreadsheet with a list of all software and devices and check if there are any new patches (this should take about an hour a month).
Regularly (quarterly) run internal vulnerability assessments. This will help identify other issues or missed additional configuration.
Conduct an annual independent vulnerability assessment. For example, CE+ includes tests for patch management.
We have come across people not installing patches because they’re concerned something will break. Microsoft’s best practice is “The risk of implementing the service pack, hotfix and security patch should ALWAYS be LESS than the risk of not implementing it.”
As an example we patch computers automatically every day. In two years there have only been two incidents when software stopped working correctly – both of which involved Microsoft Office. In both cases the patch was removed which fixed the issue until Microsoft released an updated patch.
This article has demonstrated how easy it is to think patching has taken place – leaving your networks potentially at risk of security threats. Successful installation of updates and patches is critical to provide the protection your business needs. Incidents will always arise but the more you are ready to respond, the greater your ability to limit damage.
What’s more, the tests involved in CE+ will cover patching – therefore identifying shortfalls and providing remedial recommendations.
More on Cyber Essentials
We’ve referred to the two levels at which businesses can become certified: Cyber Essentials (CE) and Cyber Essentials Plus (CE+). Please download our Guide to Cyber Essentials for full details of each.
For further information
If you’d like to discuss how our consultants can advise on any aspect of Information Assurance and cyber security, please contact Dave James, MD at Ascentor.
Email: [email protected]
Office: 01452 881712