
Mark Kedgley is Chief Technical Officer at New Net Technologies (NNT) where he is responsible for driving ongoing product development; his primary objective being to continually push NNT’s data security and compliance solutions to protect their customers’ sensitive data against security threats and network breaches in the most efficient and cost effective manner, whilst being easier to use than anything else out there in the market.

Mark has been CTO at NNT since 2009, and has over 20 years’ experience in IT business development and sales. Mark combines a visionary yet pragmatic approach to IT: combining not just the ability to analyze business issues and scope technological solutions to address needs, but to also deliver product that is both fit-for-purpose and future-proof.

https://uk.linkedin.com/in/markkedgley

https://twitter.com/Change_Tracker

Cyber Security News

Is Patching a Double-Edged Sword?

August 2, 2018
Mark Kedgley
KEYWORDS cyber risk management / data breach / endpoint security / patch management / ransomware

Sometimes you can’t win. Patching, and the right time and process for doing so, is very much a case in point.

Patching used to need more planning and manual intervention, but as internet access has improved, many manufacturers now provide built-in Updater Services. Microsoft have taken this further, resorting to patch-guerrilla tactics: Ambush Updates. They know what’s best for you, and if you won’t restart your PC then they will. Usually this will be when it’s least convenient for you, such is Murphy’s Law.

It leaves many simply shrugging their shoulders and letting nature take its course. Better to let systems self-update, then clear up the mess if and when problems arise. It’s a simple risk/benefit assessment and much like attitudes to security breaches, if you’ve been lucky enough to avoid the expense and hassle so far, you probably assume it will never happen.

For the software producer, the chief concern is with making sure products are secure. The convenience for the user and any consideration for the impact on other software is secondary. That’s not to say a manufacturer won’t test their updates before releasing them, but guaranteeing success for everyone across an endless variety of unique IT environments is impossible.

At one end of the spectrum, anti-virus systems must update on-demand to maintain protection. Similarly, browsers and email clients – overwhelmingly the “front door” for malware attacks – will also need regular, time-critical updates. Then there are aligned technologies, such as Java and Adobe, equally super-common mediums for attacks and always in need of patches. The most recent Verizon Breach Report records Java as the most common first-stage malware vector.

Even at this level there should be a consideration towards software inter-dependencies, but moving up the software-scale in terms of complexity, towards operating systems and databases, patching becomes much more risky. How much can you rely on siloed manufacturers to guarantee full-compatibility for your “mission-critical” applications?

Case Study: One banking client of ours has concluded that safety-first patching for them means “Don’t patch.” They run an important application on RHEL 5, even though the platform was retired last year. Chances are the application could work, or be made to work, on the more secure and better performing RHEL 7, but nobody wants to roll the dice.

And with good reason. Just recently according to Computerworld, Windows 10 patches have introduced problems with RDP operation (CredSSP) and disastrously affected various SSD drives, while for Windows 7, patches mistakenly removed support for certain network interface cards.

So patching still carries risk; it is just that, for most, the potential operational problems are outweighed by the security jeopardy. Everyone knows about WannaCry and its rapid worldwide proliferation, exploiting the EternalBlue SMB vulnerability. It’s a stark example of why patches should be applied without delay. Updates to remediate the vulnerability had been available for weeks, but for many, the opportunity was missed.

But there are other good reasons to delay patching, also in the interests of security. A pre-rollout test will save hassle in the long run and is a standard practice for many. By deploying updates to isolated test systems first, or to your most tolerant, IT-savvy users (a.k.a. Lab Rats), you can head off problems before rolling out patches to all devices. For the sake of a brief hiatus, you strike a good balance between functional and security risks.

And what are the Security Best Practice recommendations for patching? Security control frameworks, such as the CIS Controls, are based on decades of thinking by the best brains in cybersecurity, and we should take these into account. Even though a Change Management process isn’t as much fun as installing a new security gadget, it can be just as valuable for keeping you safe. By embracing the concept of Change Control, you specify when changes are going to be made and, more valuably, you know when changes shouldn’t be seen. The upside? Unplanned changes – including breach activity – are highlighted and isolated from intentional, approved changes.

Contemporary system/file integrity monitoring technology can be automated to intelligently identify patterns of changes, classified as “known safe.” When integrated with your ITSM platform, this means change control needn’t be a dreary bureaucratic burden of change approvals and forward planning. Taking things further, you can also leverage “second opinion” sources of threat intelligence, such as file whitelists, to automatically analyze and approve change activity. It means you can operate with the flexibility to make changes when needed, and still benefit from change control. A win-win, at last.
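As an added illustration (not code from the article or from any NNT product), the sketch below triages file-change events the way the last two paragraphs describe: against approved change windows and against a whitelist of known-good hashes. The record shapes, host names, ticket id and file contents are all constructed assumptions, and the "planned-unverified" verdict for an in-window change with an unknown hash goes one step beyond the text.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeWindow:      # assumed shape of an approved change exported from the ITSM tool
    ticket: str
    hosts: frozenset
    start: datetime
    end: datetime

@dataclass(frozen=True)
class FileChange:        # assumed shape of an event from the integrity monitor
    host: str
    path: str
    sha256: str
    seen_at: datetime

def classify(change, windows, known_good):
    """Return (verdict, reason) for one detected file change."""
    window = next((w for w in windows if change.host in w.hosts
                   and w.start <= change.seen_at <= w.end), None)
    listed = change.sha256 in known_good
    if window and listed:
        return "planned", f"{window.ticket}, hash on whitelist"
    if window:
        return "planned-unverified", f"{window.ticket}, hash not on whitelist"
    if listed:
        return "known-safe", "no ticket, hash on whitelist"
    return "unplanned", "outside every change window, hash unknown"

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed sample data: file contents, hosts and ticket id are invented.
KNOWN_GOOD = {digest(b"vendor patch build 2"), digest(b"browser self-update")}
WINDOWS = [ChangeWindow("CHG-0001", frozenset({"app01"}),
                        datetime(2018, 8, 4, 22, 0), datetime(2018, 8, 5, 2, 0))]
CHANGES = [
    FileChange("app01", "/opt/app/lib.so", digest(b"vendor patch build 2"), datetime(2018, 8, 4, 23, 10)),
    FileChange("app01", "/opt/app/hook.so", digest(b"not from the vendor"), datetime(2018, 8, 4, 23, 12)),
    FileChange("web02", "/usr/bin/browser", digest(b"browser self-update"), datetime(2018, 8, 6, 9, 0)),
    FileChange("web02", "/etc/cron.d/job", digest(b"unexpected edit"), datetime(2018, 8, 6, 9, 5)),
]

def triage(changes=CHANGES, windows=WINDOWS, known_good=KNOWN_GOOD):
    """Map each changed path to its verdict; anything not 'planned' or 'known-safe' needs a human."""
    return {c.path: classify(c, windows, known_good)[0] for c in changes}

if __name__ == "__main__":
    for c in CHANGES:
        print(c.host, c.path, *classify(c, WINDOWS, KNOWN_GOOD))
```

Only the second and fourth events need a human: one rode an approved window with an unrecognised file, the other matches neither a ticket nor the whitelist.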

Copyright ©2019. All Rights Reserved BNP Media.
