The task of patching software vulnerabilities is a never-ending, and often a time-consuming process, however; when it comes to remediating unpatched vulnerabilities, organizations must have a well-defined strategy in place to minimize the potential risks involved in deciding when to update critical enterprise systems. Unfortunately, quite often, released security patches may have deleterious effects on the devices and systems they are set in place to protect.
What is Patching?
A patch is a set of modifications to a computer program or its supporting data developed to revise, remediate, or update. Thus, this set of modifications is specifically designed to remediate security vulnerabilities and other bugs. Patches are often written in a manner to improve the functionality, performance, or security of a program.
Elaborating, the process of patching allows for the modification of assembled and machine language object programs when the source code is unavailable. This, however, demands a comprehensive understanding of the inner workings of the code by the person or developer creating the patch, which is difficult without close study of the source code.
Although designed with the intention of fixing problems and known bugs, poorly designed patches can sometimes introduce new problems (More on this below.) Further, in unique cases, updates may knowingly break the functionality or disable a device, for instance, by removing components for which the update provider is no longer licensed.
As one may imagine, it is important for an organization to say ahead of the patch management lifecycle of any software programs in use. The process of patching is never-ending, or, at least, as long as the software is in use.
As noted above, many of the discussed patches involved in security. A security patch is a modification applied to remediate a vulnerability in the given asset. This modification is applied to prevent successful exploitation by removing or mitigating a threat vectors’ ability to exploit a given vulnerability found in an asset.
Summarizing, regular, committed patch management is at the heart of any business organization’s vulnerability management. However, as stated previously, sometimes patch management is anything but a straightforward process and involves year-round planning to remain effective. Perhaps this is why so many organizations find themselves leaving the proverbial back door open on this threat vector.
Preliminary Patching Concerns
In particular business scenarios, patches hold the potential of causing unintentional damage or disruption when applied; this is something that may discourage organizations from applying them, especially with respect to critical business systems where any downtime may cost them severely. As one might imagine, this can be a major deterrent for an organization that may reason that they have more to lose by addressing the unpatched vulnerabilities.
Regrettably, this is the pattern of logic and reason that threat actors will look to take advantage of when seeking to exploit an organizations network. Threat actors regularly seek to take advantage of systems that haven’t deployed the latest security updates by deploying malware with exploits that target those unpatched vulnerabilities. Events like this may well be as part of an intentional attack on a target company, or the organization may simply be caught up in a more general attack that makes use of a particular exploit.
In some instances, particularly manufacturing, legacy systems may simply be so old, that even the idea of patching can be a daunting task. For some of these organizations, there is a very real fear of taking applications offline for fear they may cause irreparable damage, or they may not come back online once updated. That said, the sheer incidence of unpatched vulnerabilities is what draws threat actors to investigate these vectors.
Regrettably, a recent analysis report from Bitdefender found that nearly two thirds (64%) of all reported unpatched vulnerabilities involved known bugs with patches dated between 2002 and 2018! This failure to stay on top of patching puts organizations at significant risk of compromise that could, otherwise, easily be remedied had the appropriate established security updates had been applied.
In the current pandemic, a remote workforce has increased the risk factor involved when running machines with unpatched vulnerabilities. To remedy the situation, it is important for organizations to have both a strong knowledge of their network and patching policy in place to roll out patches as they are released. The smaller the lag period between release an application, the narrower the window of opportunity for threat actors to exploit known vulnerabilities.
In the case of systems that cannot be patched for reasons involving business interruption or backward compatibility, it’s critical that these systems be isolated and access tightly regulated to mitigate risk.
Summary & Conclusion
Although a sometimes daunting and tedious task, remediation of unpatched vulnerabilities is absolutely critical to maintaining any level of security. Knowing where to place priority may also create undue stress for a security team. This is where an organization would benefit greatly from enlisting the aid of penetration testing. At Packetlabs, we are very familiar with the challenges of security patching. We’ve worked with organizations across industries and understand the business impacts of patch management. If you would like to learn more about what our team of experts can deliver for your organization, please contact us for more information!