The problem with patching is – not patching
Patching is not something that the IT department really enjoys doing. It is complicated and ongoing. It takes forever and it doesn’t add any actual business value.
Meanwhile you have myriad systems to patch, and endless patches to test and then install. Then you have to do it all over again. And again. And again.
No wonder a recent study by the UK-based Federation of Small Business shows that little more than a third (36%) of small shops patch regularly. Then these shops wonder why they got compromised, or blame their software vendors, especially Microsoft® – a common security punching bag!
Patching, well, patching properly, solves the majority of security problems. In fact 90% of successful exploits are against unpatched systems.
Even environments that should presumably be highly secure too often fail to patch. Last year an audit at the U.S. Department of Energy found that some 60% of their desktops lacked important patches.
Unpatched systems are so vulnerable because most hackers are lazy. Script kiddies are one the laziest – they take existing exploits and maybe tweak a few lines and release it as their own creation. And because the script worked before, chances are it will again. Most tech savvy people these days can become successful hackers if proper defenses – like patching – aren’t mounted.
Patches offer another shortcut, and a main artery right into the heart of your computers. There are two ways this works. The worst is when some security researcher looking for a headline finds and then blabs about an exploit that the software maker is then forced to quickly patch. This is an alarm for hackers to devise and mount attacks against this vulnerability.
The second is a patch that is released to fix a hole that only the vendor really knows about.
Either way the patch defines the hole and acts as a blueprint for a hack attack. Even though the hole is presumably fixed by the patch, it is only fixed for those that install the patch.
Unfortunately many never patch (that crazy 36% again) and even those that do don’t always fix holes immediately due to time constraints and the need to test patches for conflicts.
Patching Microsoft Isn’t Enough
Microsoft, for all the knocks it takes, is pretty darn good at handling patches, and actually a bit of a role model. The company is open about its problems, and the second Tuesday of every month, Patch Tuesday, publicly releases its fixes. It even gives a heads up as to what’s coming.
And it has a decent free tool, Window Server Update Services (WSUS), to install these patches – think of this as Windows Update on steroids. That’s why Microsoft patches are the most commonly and regularly installed.
But when was the last time you came across an all Microsoft shop? These days FireFox, Adobe Web tools, and even Oracle® all have more patches than a pair of old hippy pants. In June alone Oracle released fixes for 40 holes in Java. And most of these holes allow attacks that bypass user names and passwords. In April Oracle fixed 128 holes in its applications, middleware and database. Still think Microsoft is all you have to worry about?
Gartner is all worked up about this problem:
“In the darkest woods of IT, patching 3rd party application on a desktop remains a significant challenge for many organizations. Patching server OSs (Windows and Linux/UNIX) and 3rd party server applications also remains challenging due to fragility of many server environments. Add virtualization to the mix – and you have a full-blown slow-cooking disaster. And then you have Java…a security disaster in a league of its own,” wrote Gartner analyst Anton Chuvakin in a recent blog. “Java, Adobe Reader and Flash, Firefox, Oracle fat clients as well as many vertical and business-specific applications are often patched MUCH later than Windows and Office.”
BYOD only makes this all worse. These days you have to patch anything and everything. And fix these holes before the hackers jump in!
If patches are the hackers’ best roadmap, shouldn’t patching be a top priority?
WSUS is not enough. You need a broader tool that embraces multiple platforms and automates as much as possible patch testing and deployment.
With today’s world of distributed enterprises, mobile workers, BYOD and telecommuting you need to keep remote off network machines patched. You simply can’t have IT travel to update all these devices or ask end users to patch the machines themselves. Here a cloud patch management tool is the perfect answer.