Basic cyber hygiene: The importance of patching

This blog is part of the Cybersecurity Tech Accord’s ongoing efforts to advance responsible cyber hygiene in accordance with our commitment to the principles of the Paris Call For Trust and Security in Cyberspace. 

In April, in response to the COVID-19 pandemic and our dramatically changing world, the Cybersecurity Tech Accord published a number of helpful resources from our signatories, as they related to our “new normal.” While many of us hoped that our lives would quickly resume, it’s clear that some changes will remain for months, if not years to come. One way we have all had to adapt is by adopting technology for an increasing part of our lives, in particular as many of us have shifted to working and studying from home. In light of this, the Cybersecurity Tech Accord’s focus on cyber hygiene has become even more important. Recently, we have shared information regarding the benefits of using a virtual private network (VPN), and how to protect yourself from password spray. Another relevant topic we’d like to discuss is the importance of patching.

What is patching and why is it important? 

Patches are updates that your devices (including a smartphone, computer, smart TV, etc.) will ask you to deploy. Companies create patches for numerous different reasons, from solving a system issue to improving software efficiency or adding a feature update. However, the most significant update is undoubtedly the security patch, which mitigates a previously identified vulnerability that bad actors can leverage to gain unauthorized access to your device and personal data.  

Once a software vulnerability becomes known, nefarious actors race against the clock to reverse engineer the patch and exploit the vulnerability it fixes (at times in as little as a few hours) before users protect their devices by deploying the patch. Experts agree that patching is one of the most important things you can do to secure your technology, yet 102 days is the average time it takes to patch a flaw, and 57% of data breaches are attributed to poor patch management.

How is this possible?  

On an individual level, there is little awareness of the importance of patching, and some users hold unfounded fears that updates allow vendors to access their data and personal information.

At a company level, patching sounds more straightforward than it is and requires organizations to consider several factors. First, deploying security updates entails an accurate inventory of the technology in use, which many businesses can’t account for. Similarly, companies continue to use old technology that is no longer compatible with the latest software updates, creating severe security holes within their business. Additionally, patching is resource-intensive and requires personnel with a deep understanding of the patch management process, including testing, as certain updates can impact other functions in unexpected ways. Many businesses fall short on one or several of the above points and leave their systems vulnerable to bad actors.  

How to master patching? 

To help solve this problem, the Cybersecurity Tech Accord signatories Cisco, Microsoft and Tenable are currently working with the National Cybersecurity Center of Excellence (NCCoE), a part of the U.S. National Institute of Standards and Technology (NIST), to build common enterprise patch management reference architectures and processes. The results will be publicly available in the NIST Special Publication 1800 practice guide. In the meantime, we suggest you implement the following steps:

  1. Do an inventory of all your technical assets to ensure you know your risks.
  2. Conduct a risk analysis of all your technical assets to help you with prioritization.
  3. Monitor to ensure that you are aware of all available patches for your systems.
  4. Determine the importance of each patch and deal with the most critical updates first.
  5. Implement additional security controls to ensure that you are protected if you cannot deploy the patch immediately.
  6. Test the patch to prevent any unexpected consequences.
  7. Back up your production environment, just to be safe.
  8. Deploy the patch, ideally staggering the scheduling of patches to reduce downtime.
  9. Rinse and repeat!
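The steps above can be turned into a small planning routine. The following is an added example, not code from the Cybersecurity Tech Accord or NIST: it ranks pending patches against an inventory, flags patches for assets missing from the inventory, lists untested patches that need interim controls, and staggers deployment so that redundant peers are never patched in the same wave. The scoring weights, field names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:                 # step 1: one inventory record
    name: str
    criticality: int         # step 2: 1 (low) to 5 (business critical)
    internet_facing: bool
    group: str               # redundancy group; peers should not be down together

@dataclass
class Patch:                 # step 3: one available patch for one asset
    patch_id: str
    asset: str
    severity: float          # vendor severity rating, 0-10
    tested: bool             # step 6: has it passed testing?

def score(p, a):
    # Assumed weighting (not from the article): severity x criticality,
    # boosted by 1.5 when the asset is reachable from the internet.
    return p.severity * a.criticality * (1.5 if a.internet_facing else 1.0)

def plan(assets, patches, per_wave=2):
    inv = {a.name: a for a in assets}
    # Patches for assets nobody inventoried point at a gap in step 1.
    unknown = sorted({p.asset for p in patches if p.asset not in inv})
    # Step 4: most critical first; patch_id breaks ties deterministically.
    known = sorted((p for p in patches if p.asset in inv),
                   key=lambda p: (-score(p, inv[p.asset]), p.patch_id))
    waves = []               # step 8: each wave is a list of (patch_id, group)
    for p in (p for p in known if p.tested):
        g = inv[p.asset].group
        for w in waves:      # earliest wave with room and no peer from the same group
            if len(w) < per_wave and all(grp != g for _, grp in w):
                w.append((p.patch_id, g))
                break
        else:
            waves.append([(p.patch_id, g)])
    return {"priority": [p.patch_id for p in known],
            "unknown_assets": unknown,
            # Step 5: untested patches wait, so these need interim controls.
            "needs_interim_controls": [p.patch_id for p in known if not p.tested],
            "waves": [[pid for pid, _ in w] for w in waves]}

# Constructed sample data.
ASSETS = [Asset("web-1", 5, True, "web"), Asset("web-2", 5, True, "web"),
          Asset("db-1", 4, False, "db"), Asset("hr-laptop", 2, False, "endpoints")]
PATCHES = [Patch("P-001", "web-1", 9.8, True), Patch("P-002", "web-2", 9.8, True),
           Patch("P-003", "db-1", 7.5, False), Patch("P-004", "hr-laptop", 5.0, True),
           Patch("P-005", "kiosk-7", 8.0, True)]

if __name__ == "__main__":
    print(plan(ASSETS, PATCHES))
```

Backups (step 7) are outside this sketch; in practice each wave would be gated on a verified backup of the assets it touches.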

Of course, an additional problem is that not all vendors patch their systems, or even have a coordinated vulnerability disclosure policy in place that would help them to understand what challenges they are facing. This is increasingly and particularly true for the Internet of Things. But that is a problem for another time.  

To learn more about good cyber hygiene practices, visit the introduction to Domain-based Message Authentication, Reporting & Conformance (DMARC), Domain Name Security (DNS), and Mutually Agreed Norms for Routing Security (MANRS).