Author: Thorsten Kuhles
Patching operating systems and software on private and company-owned computers and servers makes a significant contribution to IT security. In this article we look at why updates must be an integral part of today’s IT.
The “Never touch a running system” mindset is obsolete when it comes to security. Security vulnerabilities are not only being uncovered at ever shorter intervals – they are also being exploited in an increasingly automated manner. Malware scans its environment and often exploits existing gaps without the manual intervention of a cybercriminal. The critical security gaps can only be closed in a timely manner through planned and above all automated “patching”.
Patching that is coordinated and organized
Most common areas that need patching include operating systems, applications, and embedded systems (such as network devices). Due to the variety and complexity of the different areas and applications, the planned and automated system update is almost unavoidable. On top manufacturers do not release their security updates in a coordinated manner. They all have their own “patch days”. Keeping track of this would be a more than day-filling task for manual system maintenance. Of course, there will always be systems or system areas that cannot be subjected to this automated process because the technical feasibility is not given. But you can find out by planning in patch management and act accordingly.
In addition to the elimination of vulnerabilities through the patch, the introduction of patch management improves the availability of systems, the functionality of operating systems and other software, but also ensures compliance with legal requirements imposed on companies as well as authorities.
Patch Management vs. Vulnerability Management
Patch management is an essential part of any vulnerability management solution. The terms “patch management” and “vulnerability management” are sometimes used interchangeably, though it is important to know the difference. Vulnerability management is the process of detecting, assessing, addressing and reporting vulnerabilities in systems and the software running on those systems.
Patch management, on the other hand, is the process of keeping the operating system and software versions up-to-date and manageable. Although both strategies aim to mitigate risk, patch management has its limitations and should be seen more as a “supportive” element. This results in three strands of action that may have to be evaluated and documented on a case-by-case basis:
- If technically feasible, the patch for a detected vulnerability will be installed to fix the problem.
- In the event of technical and/or approval problems, compensatory measures are necessary, which are implemented by means of a “workaround”. This is common practice when an adequate patch is not yet available to allow time for final problem solving
- Accept the risk/residual risk of this vulnerability and document this decision in the relevant security concepts in order to be able to understand it during audits or incidents and thus obtain initial indications for in-depth investigations.
Detecting attacks earlier
The speed at which potential attackers are able to discover security vulnerabilities in common software solutions and use them for their own purposes is constantly increasing. However, this also means that the rollout of patches in a company must be faster and smoother. On average, companies today need about 100 to 120 days to roll out new patches. Conversely, the attackers are about five times as fast!
On average, they only need about 22 days to discover new security vulnerabilities and thus become a threat to companies. This closes the circle to our article on early detection in companies through e.g. Security Operation Centers (SOC). Here, too, the interface between monitoring by the SOC and IT operations is clearly visible.
Conclusion
The speed of the race between manufacturers of software, firmware, operating systems on the one hand and hackers on the other is constantly increasing. The development of vulnerability-free software is a long time coming, and unfortunately gives attackers the opportunity to be one step faster than the users on the bright side of the Force.
Therefore, it is all the more important to use the available means – for example in the form of a provided patch. Systems must be maintained in order to meet standards and to offer required functions for users. The problems identified can only be tackled jointly by manufacturers, companies and users. Here, too, the following applies: “The first line of defense is YOU”.
