What is Security Patching?
Modern software is an extremely complex system of instructions to undertake specific tasks. Much like any technology, software is developed and adapted from what has gone before. Sometimes, there are flaws ('bugs') in the logic that mean new software does not work entirely as intended.
Some bugs can be difficult to detect during testing and survive into production, causing the software products to malfunction or fail. Therefore, software vendors operate a team to provide fixes ('patches') for bugs as they are reported. Applying such fixes is referred to as 'patching'. If the bug means the software is not properly secure and can be exploited, the fix is termed a 'security patch'.
Why is Security Patching Important?
Secure software is vital for maintaining the privacy of data and integrity of control of computer systems. A security vulnerability essentially allows an individual or group to obtain unauthorised access to some part of a computer. This leaves personal or business information vulnerable and can also enable attackers to take control of the computer systems.
Are Security Patches for Operating Systems Necessary?
Operating systems are the software packages that make a computer work. They interact with all the physical components of a computer system and all the running applications, allowing an individual to use the computer. So, prompt patching of operating systems is critical.
What are the Security Benefits of Patching?
Control system security is fundamental to allow the individual ('user') to undertake tasks for which they have authority yet prevent activities for which they do not. Security patches ensure that operating system bugs are fixed so attackers are prevented from using the system for unintended purposes.
What is the Security Patching Process?
The patching process is lengthy and involves individuals and teams worldwide. It all starts with investigators; they seek out software flaws and, when found, report them to a central watchdog. The bug report is then validated and assigned a severity ('CVE') score from 0 to 10, with 10 being the worst case.
It is then passed to the software vendor, whose job is to create patches for those flaws.
What is a Zero Day?
When a production software vulnerability is identified, the flaw is termed a 'zero-day' (the vendors have had zero days to create a fix). A zero-day is high risk because attackers know the vulnerability is freely exploitable.
Once fully tested, patches are released by the vendor with instructions on how to deploy. The exact steps taken depend on the system: typically, computers continually monitor patch information from the vendor and compare it to its list of those already applied.
This risk of exploitation means that security patches should be applied as soon as they are released. In practice, the deployment is often staged to avoid undue disruption and only patches for the most severe vulnerabilities are applied immediately.
Microsoft security patching process
Microsoft, like other operating system vendors, offers an online feed for patching. Windows computers connect to that feed to obtain notifications of update availability. The update service can be configured to automatically download, install and reboot the computer.
How to Minimise Disruption During Server Security Patching
No business can afford to be offline for long periods. As servers provide central services to multiple devices, security patching has to be actioned without causing significant disruption. In some cases, there is a maintenance window when services can be offline without detrimental effect.
The alternative is to deploy multiple redundant servers in a cluster. This enables one of the units to provide service while taking another device offline to perform security patching. In the battle against rigid thinking, Flex IT provides options that minimise disruption.
The Challenge of Network Security Patching
Network devices are a challenge, as they provide connectivity between computers and segregate traffic in different security zones - for example, guest and private networks. Vulnerabilities in such devices allow attackers to gain a foothold in an otherwise secure network and remain connected for some considerable time without being detected. This enables attacks on other network devices or it can be used to inspect traffic traversing between devices. In both cases, it can lead to a bigger breach unless detected and patched.
Protecting Personal Data by Patching Applications
Some applications handle sensitive data, so you want to avoid an attacker inspecting and manipulating such information. The longer the vulnerability is left unpatched, the greater the risk that the scale of destruction can escalate. As an example, gaining access to HR data would allow an attacker to launch a very convincing phishing or spoofing attack because they have 'insider' knowledge of individuals and roles within a business.
What issues can arise from security updates and patches?
It is commonly found that a security patch has a negative knock-on effect on the utility or functionality of a piece of software; software that worked correctly before the patch was applied but is now playing up. The reason is that patch testing time is limited due to quick action being of paramount importance. Usually, the initial patch is followed up by a better-tested version that gets things back on track.
Do you Need a Security Policy & Compliance Report for Patching?
Having a Security Policy for patching makes expectations clear. A typical policy will take into account the severity score of the vulnerability, any specific usage details that make an attack more or less likely, and potential knock-on effects of applying the patch. The policy then defines the timescale by which the patches need to be applied; some will be immediate, whilst less important patches may be deferred for days or weeks.
The policy may be supported by a compliance report. This management tool is used to monitor security threats. It details known vulnerabilities, available patches, and actual deployment across a range of computing devices.
Preparing a Security Patching SLA with your IT Provider
In addition to the Security Policy, you may prepare a Service Level Agreement (SLA) with your IT Provider. This defines the timescales of patching over some extent of the infrastructure, to which the Provider will be held accountable, based on their severity e.g. "critical patches will be applied across 90% of the computers within 2 hours".
Security Patching Services
Patching is a core part of a comprehensive security strategy but patches only work if they are installed and the computers rebooted. As this is disruptive, time-consuming, and has a reputation for creating knock-on problems, action is often postponed - sometimes to excess.
Risking the security of an entire IT system should not be compromised by an individual putting convenience ahead of the stability of the business. The security of an ICT system should be part of your cyber security armory and a rigorous, enforced patching schedule is the best practice solution.
If you need assistance with monitoring potential vulnerabilities, understanding risk, and implementing security patching, talk to Flex IT. Contact us on 0333 101 7300 to discuss how we can incorporate patching solutions into your business systems.