Are Patch Management Failures Putting Your Company At Risk?

by Hannah Grace Holladay / September 6th, 2022

Regular software updates and rigorous patch management processes are essential to maintaining security and compliance. Even the most careful proprietary and open source software development introduces bugs. Some of those bugs create security vulnerabilities, and cybercriminals are always looking for opportunities to infiltrate business IT resources and steal sensitive data. 

A report from Arctic Wolf, a security operations vendor, shows the scale of the problem. Exposure of a known vulnerability to external networks caused 82% of the security incidents the company handled in the first quarter of 2022. Of those incidents, 57% could have been avoided by software patching. The remainder were caused by exposing vulnerable services to the public internet. 

A systematic, scheduled, and comprehensive patch management policy is the only way businesses can hope to manage the risk at scale. 

What is Patch Management?

Patch management encompasses a range of processes that ensure potentially vulnerable software is updated as soon as a fix is available. The term “patch” comes from the development world, where a patch is a file containing a set of changes to a piece of software. Patches add and remove features and refactor code. But, most importantly, they fix known vulnerabilities.

We all regularly patch (update) software on our devices with the click of a button. However, patching is much more challenging for complex business IT systems. Most of us don’t mind rebooting our smartphone when it updates, but a business can’t simply shut down its network. It can’t apply patches that haven’t been tested in case they break essential services. And, quite often, it doesn’t know which software needs patching in the first place. 

Software patch management is intended to overcome these problems. It typically involves a number of processes, including:

• Software discovery: Businesses should develop an inventory of all operating systems and software on their network. They can’t update software if they don’t know about it.
• Standardization: Patch management is less challenging if businesses standardize on particular operating systems and software products.
• Vulnerability monitoring: IT and security professionals should track vulnerability reports for software the business uses.
• Development tracking: They should also keep abreast of patch releases so they can quickly apply patches.
• Risk assessment: Assessing vulnerability risk helps businesses to prioritize critical vulnerabilities and patches for core systems.
• Testing: Modifying software has the potential to change its functionality and cause performance regressions. Testing allows businesses to identify issues before they impact production systems.
• Patching: The patches are applied to production systems, often beginning with a subset to verify there are no unexpected results.
• Monitoring: Ensure that all IT resources perform as expected after the update.

As you can see, patch management is not straightforward. However, many aspects can be automated by patch management software, as we’ll see later in this article.

Patch Management and Compliance

Compliance and audit failures may occur when businesses:

1. Fail to patch vulnerabilities promptly.
2. Implement inadequate patch management processes.

As we’ve seen, exposing software with known vulnerabilities to the public internet is a common cause of network infiltration and data theft. That reality is reflected in information security and privacy regulations and standards. 

• PCI DSS: PCI Requirement 6.1 states that businesses should establish a process to identify security vulnerabilities. PCI Requirement 6.2 states that businesses should ensure all systems and software are protected from known vulnerabilities.
• HIPAA: 45 CFR § 164.308(1)(i) states that businesses should implement policies and procedures to prevent, detect, contain, and correct security violations.
• ISO 27001: Control A.12.6.1 focuses on technical vulnerability management and states that vulnerabilities should be quickly identified, subject to a risk assessment, and remediated through proper measures, which include asset patching.

Other information security frameworks and standards include similar requirements which assert or imply the necessity of a robust and effective patch management process. 

How to Monitor Critical Security Vulnerabilities

Businesses must be aware of software vulnerabilities before they can fix them. To do so, it is necessary to:

1. Understand which software your business operates.
2. Monitor sources of vulnerability information for relevant announcements.
3. Assess the level of risk a vulnerability poses.

There is no canonical source for vulnerability data, and it is often best to monitor vulnerability and update information published by software vendors and open source projects. You should also monitor public vulnerability databases, which include:

• The National Vulnerability Database, which the U.S. government publishes.
• Common Vulnerabilities and Exposures.
• GitHub’s security vulnerability database.
• CVE Details.

These databases allow users to search for vulnerabilities in specific software and software created by specific vendors. 

Patch Management Software

Patch management software automates some of the processes outlined above, allowing businesses to reduce the cost and complexity of keeping their software safe and up-to-date. There are many competing patch management software solutions with varying features. Businesses should take the time to investigate the capabilities of each to find the best solution for their unique circumstances, but we’d like to highlight three prominent solutions. 

AWS Systems Patch Manager

AWS Systems Patch Manager is a capability of AWS Systems Manager, which integrates many system automation tools. It can automate patching on managed AWS nodes, including operating system and application patching. Usefully, Patch Manager integrates with System Manager’s maintenance window functionality, so patching can be scheduled to run at convenient times. 

Azure Automation Update Management

Azure Automation offers a range of automation tools for Microsoft’s Azure cloud platform. The Update Management tool can automatically perform updates for Windows and Linux operating systems on Azure or on-premises. 

Red Hat Satellite

Red Hat Satellite is a comprehensive infrastructure management tool with automatic patch management functionality. Satellite can report which servers need to be updated and automatically apply updates as required. 

Other patch management tools include Solarwinds Patch Manager, LANDesk Patch Manager, ManageEngine Patch Manager Plus, and Ivanti Patch Manager.

3 Critical Vulnerabilities You Should Patch Immediately

Failure to patch is the root cause of many of the most serious security incidents. A vulnerability in widely used software can have a catastrophic impact on thousands of businesses. To conclude this article, we will look at three critical and widespread vulnerabilities, all of which continue to be exploited by cybercriminals, despite the availability of patches that would protect businesses and their customers.

Log4J

Log4J is a logging library for the Java ecosystem. It is integrated into hundreds of thousands of servers and applications and is particularly popular in the enterprise space. In 2021, a critical remote code execution vulnerability was discovered. Log4Shell allows malicious third parties to execute arbitrary code and has been described as “the biggest, most critical vulnerability of the last decade.”

A patch was released to fix the vulnerability immediately after it was discovered, yet many servers and applications remain vulnerable. 

ProxyShell

ProxyShell is an attack that relies on a series of vulnerabilities affecting Microsoft Exchange. An attacker can string the vulnerabilities together to achieve remote code execution via a PowerShell instance available from the web. ProxyShell is relatively straightforward to exploit, requiring only a specially crafted email containing code that the attacker can trick the server into executing. 

Microsoft released patches that mitigate the risk in May and July 2021.

SpringShell

Spring is an enormously popular web framework for Java. Earlier this year, a remote code execution vulnerability was discovered. Although not considered as severe as the Log4J vulnerability because it is more challenging to implement, cybercriminals quickly began to exploit SpringShell to gain access to servers running the Spring framework. 

A patch to mitigate the vulnerability was released immediately, and businesses using the Spring Framework should update to a recent version as soon as possible.

Enterprise Security and Compliance with KirkpatrickPrice

KirkpatrickPrice provides services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.