Just do your patching!

23 September 2020

If your security is exciting, then you've got a problem. Because really, information security is boring. Sure, you should be investing in advanced security like IDS and managed SOC services that give you deep insight into what's going on, but if you don't get the basic hygiene components right, you'll be leaving yourself open to anyone who comes sniffing. 

Take patching for example. Patching really is a dull task. No one actually wants to do patching. What should be easy - update an OS or piece of software to the latest version - inevitably becomes an administrative nightmare as you struggle to apply the patch, install it, reinstall it after it fails, fix up all the things it broke, and then try to find a time to schedule a reboot of that critical server after the dreaded "a reboot is required - do you want to restart now" message pops up. Not surprisingly, we come across many companies whose patching regime is out of control, with sometimes tens of thousands of vulnerabilities across a couple of hundred servers and patches dating back years that have been missed or have failed to install.

And yet keeping your security updates and patches current is one of the most fundamental security controls. Pretty much every security standard or critical controls list has patching in the top 5 things to do. Recently, the US Department of Homeland Security considered a Windows update to be so essential, they issued an emergency directive to force all civilian federal agencies to install it. Why? Because if they didn't they were exposed to a flaw that could allow attackers that have a foothold on an internal network to hijack Windows domain controllers and effectively take over the entire network. The solution - apply a patch. Simple.

The reality, though, is that in real life, and especially in complex environments, applying patches and updates is often far from simple. So here are a few pointers to help you manage your patch regime effectively:

  • Use auto-updates on end-user machines wherever possible, and educate your people as to why it's important to reboot when prompted. If you can use forced reboots, do. And beware the Windows fast-start issue - if you have this function enabled (and most people do), shutting down and then re-powering the machine won't apply installed patches. You have to do an actual 'restart' to do this.

  • Run a regular server maintenance window (e.g. the third weekend of every month) so your organisation knows there'll be a specific time when services may be interrupted due to patching. This helps to minimise complaints and also raises awareness of what you're doing to keep your organisation more secure. If possible, schedule the maintenance weekend after, but close to, your main software vendor's regular update release date (e.g. Microsoft's Patch Tuesday).

  • Use SaaS applications wherever it makes sense to do so. This takes the maintenance responsibility away from you as keeping SaaS applications up to date is the responsibility of the vendor.

  • Ensure you have some kind of process in place to check that the updates have been successful - too many people just assume that patches are being applied and don't do anything to check.

  • Use a vulnerability scanning tool to identify vulnerabilities and help you prioritise your patching. Tools such as Tenable.io supplement the usual CVE scores with priority tagging based on whether vulnerabilities are being actively exploited 'in the wild'. These should be your top priorities, especially for critical or internet-facing services. A vulnerability scanning tool will also help to provide assurance around your patching process - identifying where updates have been missed or haven't completed successfully.

  • Manage your patching centrally through an automated tool, such as Automox. These tools automate the patching process and allow you to set central policies around when and what to update, and whether to force restarts. A central management dashboard provides a clear view of the current state across your fleet so you have full visibility. Choose a tool that aligns with the rest of your security toolset - vulnerability scanning, patch management and EDR for instance all complement each other and help to provide a holistic endpoint security solution.

  • If you have a legacy system that you simply can't update for fear of breaking it, because a newer version doesn't exist, or because it's out of support (I'm looking at you, Windows XP), then ring-fence it and put other protections in place. Making sure such systems aren't internet-facing, and hardening the servers by removing any applications that aren't essential to the system (browsers, email clients, Java, Adobe etc.) will help to mitigate any risk by reducing the number of vulnerabilities that could be exploited.
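The "check that the updates have been successful" and "prioritise your patching" points above amount to one small reconciliation job: compare the scan taken before the maintenance window with the scan taken after it, flag hosts where nothing got fixed, and rank whatever is still open with actively exploited and internet-facing findings first. The following script is an added example and is not code from the original post or from Tenable, Automox or any other product named here. It assumes you have exported your scanner's findings into the simple record shown; the hosts, CVE identifiers and scores are constructed placeholders, not real data.

```python
"""Reconcile pre- and post-maintenance-window scan results.

Added example (not from the original post or any named vendor). Assumes
scanner output has been exported into the Finding records below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                  # identifier as reported by the scanner
    cvss: float               # base score, 0.0 to 10.0
    exploited_in_wild: bool   # the scanner's "actively exploited" tag
    internet_facing: bool     # from your asset inventory, not the scanner


def priority_key(f: Finding) -> tuple:
    """Sort key: actively exploited first, then internet-facing, then CVSS.
    Booleans compare as 1/0, so with reverse=True True sorts ahead of False."""
    return (f.exploited_in_wild, f.internet_facing, f.cvss)


def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)


def reconcile(before, after):
    """Compare two scans keyed on (host, cve).

    'patched'    - present before the window, gone afterwards
    'still_open' - present in both scans: failed install or pending reboot
    'new'        - only in the post-window scan (new disclosure or new host)
    """
    before_idx = {(f.host, f.cve): f for f in before}
    after_idx = {(f.host, f.cve): f for f in after}
    return {
        "patched": [before_idx[k] for k in before_idx.keys() - after_idx.keys()],
        "still_open": [after_idx[k] for k in before_idx.keys() & after_idx.keys()],
        "new": [after_idx[k] for k in after_idx.keys() - before_idx.keys()],
    }


def hosts_with_failed_patching(before, after, threshold=0.5):
    """Hosts where fewer than `threshold` of their pre-window findings were
    fixed. A host at or near zero usually means a broken update agent, a
    failed install, or a machine that was shut down instead of restarted."""
    fixed_total = {}
    for f in before:
        fixed_total.setdefault(f.host, [0, 0])[1] += 1
    for f in reconcile(before, after)["patched"]:
        fixed_total[f.host][0] += 1
    return sorted(h for h, (fixed, total) in fixed_total.items()
                  if fixed / total < threshold)


# Constructed sample scans; CVE ids are placeholders, not real vulnerabilities.
BEFORE = [
    Finding("web01", "CVE-EXAMPLE-1", 9.8, True, True),
    Finding("web01", "CVE-EXAMPLE-2", 7.5, False, True),
    Finding("db01", "CVE-EXAMPLE-3", 8.8, True, False),
    Finding("db01", "CVE-EXAMPLE-4", 5.3, False, False),
    Finding("file02", "CVE-EXAMPLE-5", 6.5, False, False),
    Finding("file02", "CVE-EXAMPLE-6", 4.3, False, False),
]
AFTER = [
    Finding("db01", "CVE-EXAMPLE-3", 8.8, True, False),      # reboot still pending
    Finding("file02", "CVE-EXAMPLE-5", 6.5, False, False),   # nothing changed on file02
    Finding("file02", "CVE-EXAMPLE-6", 4.3, False, False),
    Finding("file02", "CVE-EXAMPLE-7", 5.0, False, False),   # newly disclosed
]

if __name__ == "__main__":
    result = reconcile(BEFORE, AFTER)
    print("patched:", len(result["patched"]), " still open:", len(result["still_open"]),
          " new:", len(result["new"]))
    print("hosts to investigate:", hosts_with_failed_patching(BEFORE, AFTER))
    for f in rank(result["still_open"] + result["new"]):
        print(f"{f.host:8} {f.cve:15} cvss={f.cvss} exploited={f.exploited_in_wild} "
              f"internet_facing={f.internet_facing}")
```

Run it after each maintenance window: the "hosts to investigate" line is the assurance check the post asks for (a host that fixed none of its findings is a failed patch run, not a quiet one), and the ranked list is the work queue for whoever handles what is left. The ranking deliberately puts "actively exploited" ahead of raw CVSS, which is the same idea as the priority tagging the post describes.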

At The Instillery we have deep expertise in these tools and methodologies, so if you want more information around how you can build an effective, pain-free patching process (and free up time for more interesting things), get in touch.