Does Patch Management Really Matter?
How important is a reliable patch management strategy? The Equifax breach of 2017 illustrates how dangerous it can be to avoid the question.
How Important is Patch Management?
Anyone wondering about the necessity of patch management best practices might want to ask someone at Equifax how critical it can be.
There are arguably no more pointed or higher-profile examples of the worst-case consequences arising from lax platform patching habits than the 2017 Equifax breach. And as tough an act to follow as exposing the sensitive information of about 148 million Americans might be, it’s dangerous to believe the sort of malicious actors responsible for hacking the credit bureau don’t plan to match or exceed that incident’s degree of damage.
Promptly applied security patches can be a matter of life and death for your data and your customers.
The Urgency of Patch Management
Applying patches in a timely manner is common sense. Ideally, they should be applied as soon as they become available. The Equifax breach illustrates how dangerous it can be for any organization to sit on its hands and not correct obvious issues affecting the software it’s using.
Apache Struts, which carried the flaw eventually leading to the hack, is Java-based. Its security problems were known well before the incident. Oracle announced the Struts vulnerability on March 7, 2017, and the Department of Homeland Security’s U.S. Computer Emergency Readiness Team alerted Equifax a day later.
The US-CERT even told the financial services firm (and Big Three credit bureau) that other corporations had already borne the brunt of cyberattacks made possible by the Struts glitch. Equifax didn’t apply the patch on a broad enough scale, the breach occurred in July of that year, and the rest is history.
Who Holds the Most Responsibility?
There’s no simple answer to this question, but certain details of the Equifax breach and its aftermath point toward the truth.
Software, app and code developers catch a great deal of flak when their products fail. Oracle, which has held the mantle of Java stewardship since its 2008 acquisition of Sun Microsystems, took a reasonable share of criticism from that date forward for Java’s issues, according to TechTarget.
Much of the anger over the 2017 breach ultimately went in Equifax’s direction rather than Oracle’s despite the latter bearing systemic responsibility. The credit bureau’s mistakes even became the subject of an inquiry by the U.S. Congress, which sharply rebuked the failures of leadership to ensure patch management across the organization.
After the congressional report, former Equifax CEO Richard Smith (who was purged post-breach along with the company’s CIO and CISO), the disgraced executive blamed an unnamed IT staffer for not communicating the urgency of manual patch application in certain legacy operating systems.
What does this all add up to? While Oracle and other developers are responsible for releasing patches to vulnerable software, the organizations using it must pay close attention to security updates and ensure they’re applied as soon as possible.
Fundamentals of Effective Patch Management
It’s debatable whether or not there can be any one-size-fits-all patch management strategy to establish definitive security control over your organization’s various operating systems and applications. But there are certain practices that most would agree upon.
- For one, as illustrated in Michael Hoehl’s SANS Institute paper on patch management, the process should have a distinct lifecycle. Once a program’s vulnerability becomes known, customers should review the threat, determine if it will affect their operations, patch assets that are most vulnerable, test the update’s viability, verify patch placement, and repeat the process as needed.
- It may also be beneficial to establish a dedicated team within IT to closely handle patch management.
- Applied alongside automated patch rollout and a clear policy incorporated into an organization’s handbook, the team (sometimes called a patch vulnerability group) can help ensure all bases are covered.
Then there’s one critical element that’s sometimes forgotten: comprehensive device oversight. For example, device scans checking for vulnerabilities (or successful patch application) must run while all relevant devices are online. Trying to do this across multiple different platforms may be ineffective.
How Syxsense Can Help
Syxsense unites the patch management process under one web console, instantly providing a real-time window into the security of thousands of devices throughout your organization.
Coupled with additional IT management functions appropriate for Microsoft, Linux, Adobe, Java and Chrome, the platform allows you to promptly apply essential patches and greatly mitigate the risks posed by application flaws.
Experience the Power of Syxsense
Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.