Large data breaches and other cybersecurity incidents caused by missing security patches make headlines on a regular basis, but what do security patches actually do, and what makes them so important? Read this article to find out.
Modern software applications and the operating systems they run on are incredibly complex, consisting of many interlinked parts developed by large teams of developers, often over the course of multiple years and sometimes even decades.
Given the sheer complexity of modern software, it shouldn’t come as a surprise that virtually no applications are flawless. Some software flaws, also referred to as bugs, cause software to produce incorrect or unexpected results, or to behave in unintended ways.
When these flaws can be exploited to circumvent security measures, they’re typically called security vulnerabilities. A good example is the EternalBlue computer exploit developed by the U.S. National Security Agency (NSA) and later leaked by the Shadow Brokers hacker group.
EternalBlue exploits an unpatched vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol (CVE-2017-0144), allowing an attacker to remotely execute code on the target computer.
This security vulnerability was used by the WannaCry ransomware attack, which affected more than 200,000 computers across 150 countries. It was also used by Russian hackers behind the NotPetya encrypting malware to attack Ukrainian organizations, including banks, ministries, and newspapers, in 2017.
Microsoft released a security patch for the SMB vulnerability in March 2017, replacing the flawed piece of code, which is essentially what every security patch does. Indeed, the process of fixing a security vulnerability boils down to just two steps. First, the vendor releases a security patch. Second, someone tasked with patching installs it on the affected systems.
Strictly speaking, there’s a difference between updates and patches even though the two terms are used interchangeably in practice.
Updates add new features or improve how existing features work. Patches, on the other hand, address security vulnerabilities.
Updates and patches are often bundled together when a new version of the updated and patched software application is released.
Regular users often see security patches as an annoyance that interrupts their workflow and forces them to restart their devices. As a result, they often postpone their installation as much as possible, and that’s a critical mistake because the importance of security patches can’t be stressed enough.
Research by ServiceNow, which surveyed almost 3,000 security professionals in nine countries to understand how organizations are responding to vulnerabilities, revealed that 60 percent of breaches were linked to a vulnerability where a patch was available, but not applied.
That’s a lot of potentially costly security incidents that could have been avoided by timely patching, and their consequences can go way beyond the initial financial impact. Below are a few other reasons why patching is so important:
But understanding the importance of security patches isn’t enough. Organizations must also be able to install them as soon as they become available across all devices, which is where patch management comes in.
Patch management is defined by NIST as the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions, also known as patches, hotfixes, and service packs.
These days, having a solid patch management strategy in place is the only way for organizations to ensure that patches are applied quickly and efficiently. Why? Because 20,142 known vulnerabilities (CVEs) were reported in 2021 alone.
Of course, each organization is affected by only a small portion of known vulnerabilities, but their patching is still a time-consuming process that should be streamlined by adhering to the following patch management best practices.
Any organization that doesn’t have an IT asset inventory is very likely to have at least a few outdated devices connected to its network. That’s bad news because even a single unpatched device can lead to a massive security incident. The good news is that the creation of an IT asset inventory can be largely automated using specialized software.
Once you have an IT asset inventory, you can use it to determine the risk levels of your systems. While all systems should be kept up to date, not all vulnerabilities need to be addressed right away. Knowing which systems are the most critical can help you decide which security patches should be installed right away and which can wait a while.
Patches are supposed to make software better, but they don’t always achieve this goal. That’s why organizations should first test them on a small subset of unpatched systems before rolling them out to the rest. Patches that cause issues should be skipped until the causes of the issues are addressed.
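The three practices above (maintain an asset inventory, rank systems by risk to decide what to patch now versus later, and test each patch on a small set of systems first) can be expressed as a short prioritization script. This is an added illustration, not code from the article or from any vendor product; the inventory, version numbers, severity scores and advisory identifiers are constructed placeholders, and the risk score is simply asset criticality multiplied by the announced severity.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int   # 1 (low) to 5 (business critical), assigned by the asset owner
    installed: dict    # package name -> installed version string

@dataclass
class Patch:
    package: str
    fixed_version: str  # first version that contains the fix
    cvss: float         # severity taken from the vendor announcement
    advisory: str       # identifier printed in the vendor bulletin

# Constructed sample inventory and announcements (hypothetical values, not from the article).
ASSETS = [
    Asset("db-prod", 5, {"openssl": "3.0.7", "nginx": "1.20.1"}),
    Asset("web-edge", 4, {"openssl": "3.0.8", "nginx": "1.18.0"}),
    Asset("kiosk-lobby", 1, {"openssl": "3.0.2"}),
]
PATCHES = [
    Patch("openssl", "3.0.8", 7.5, "ADVISORY-PLACEHOLDER-1"),
    Patch("nginx", "1.20.1", 5.3, "ADVISORY-PLACEHOLDER-2"),
]

def version_tuple(v):
    return tuple(int(part) for part in v.split("."))  # compare numerically, not as strings

def missing_patches(assets, patches):
    """(risk_score, asset, patch) for every patch an asset still lacks, highest risk first."""
    findings = []
    for asset in assets:
        for patch in patches:
            installed = asset.installed.get(patch.package)
            if installed is None:
                continue  # package absent on this asset, so the patch does not apply
            if version_tuple(installed) < version_tuple(patch.fixed_version):
                findings.append((asset.criticality * patch.cvss, asset, patch))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings

def schedule(findings, urgent_threshold=20.0):
    """Split into what to patch right away and what can wait for the next maintenance window."""
    return {"now": [(a.name, p.package) for s, a, p in findings if s >= urgent_threshold],
            "next_window": [(a.name, p.package) for s, a, p in findings if s < urgent_threshold]}

def pilot_hosts(findings):
    """Per advisory, the least critical affected asset: test the patch there before wider rollout."""
    affected = {}
    for _, asset, patch in findings:
        affected.setdefault(patch.advisory, []).append(asset)
    return {adv: min(group, key=lambda a: a.criticality).name for adv, group in affected.items()}
```

In practice the inventory and the patch list would be fed from the discovery tool and the vendor announcements mentioned in this article rather than typed in by hand.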
Not only does software consolidation cut licensing costs, but it can also make patching easier by reducing the number of software vendors and software tools, which means fewer patches to install. Again, an IT asset inventory makes it easier to spot pieces of software that overlap in functionality.
When it comes to security patching, it’s not a good idea to rely solely on automatic software updates. Organizations should also keep up with vendor patch announcements. Such announcements provide detailed information about patched vulnerabilities and their implications.
Security patches help organizations keep dangerous cyber threats at bay, so it’s paramount to install them as soon as possible. The patch management practices described in this article can help achieve this goal, and we at Aligned Technology Solutions can help you implement them. Contact us for more information.
The Android operating system isn’t immune to security vulnerabilities, which are regularly described in the Android Security Bulletin. Android security patches created by Google and device manufacturers themselves address these security vulnerabilities.
Network devices, such as routers, switches, and gateways, receive security patches just like desktop computers and smartphones, and all available patches must be installed promptly to prevent cybercriminals from gaining control of the devices.
Patching is the process of applying code fixes to improve the security of a software application, operating system, or device.
The term security patch level is used to describe the identifier of the most recently applied patch.
A patch management policy is the formal description of all the processes related to the distribution and installation of security updates and software patches in general.