Poor Patch Management in Cybersecurity
This article is part of a series where we look at a recent NSA/CISA Joint Cybersecurity Advisory on the top cybersecurity issues identified during red/blue team exercises operated by these organizations. In this article, you will find a more in-depth look at the specific issue, with real-world scenarios where it is applicable, as well as mitigation strategies that can be adopted to limit or overcome it. This expands on the information provided by the NSA/CISA report.
Even years after being widely reported and known, systems vulnerable to the Log4j exploit are still accessible online. This enduring vulnerability highlights a critical failure in patch management practices. Systems that remain unpatched against such well-known vulnerabilities are, in essence, open doors for cybercriminals, often leading to swift and uncompromising exploitation.
The Log4j example is just that – a very loud example of poor patch management and its direct impact on the cybersecurity posture of organizations. The truth is that the lack of a consistent, reproducible, auditable and responsive patch management strategy is still the root cause of very costly incidents and business problems. Maybe, just maybe, the practices used 20-odd years ago are no longer applicable to a threat landscape that has evolved beyond the scope of what was once considered an efficient patch deployment timeframe.
Reasons Behind Poor Patch Management
Lack of Approval from Higher Management
Often, there’s a delay or outright refusal to approve downtime for patching due to business continuity concerns. While this is defensible from a business perspective, it fails to account for the incurred losses and disruptions caused by not doing it in the first place, which will (always?) far outweigh the disruption happening during a planned and scheduled maintenance window.
Disruption Concerns
The reboot of systems or services post-patching can lead to significant business disruption. And if disruption is the main reason not to approve a timely response to emerging threats, there are also solutions to address it, as listed below.
Prioritization Challenges
Deciding what to patch first within narrow maintenance windows is a daunting task, especially in complex IT environments. The solution to this particular concern is akin to the egg of Columbus – don’t prioritize at all, and adopt a patching strategy where you simply patch everything. The criticality and severity of different vulnerabilities are often environment specific, or at the very least heavily influenced by environmental variables that cannot be accounted for during evaluation and scoring. So, even when prioritizing just the highest-risk vulnerabilities, you may still be missing others that are relevant to a particular setting.
Resource Limitations
In many cases, the lack of adequate resources hampers the ability to implement timely patches. When working with severely resource-constrained teams, automation is the most efficient way to mitigate the problem. Automate every aspect of the patch management process – testing, deployment, prioritization and reporting – and you can lower the required resource cost. While not a magical solution per se, it is a step in the right direction.
The Consequences Are Real
Regardless of the reasons, an unpatched system remains a vulnerable one. The inclusion of poor patch management in the NSA/CISA report underlines its significance. The consequences of inadequate patch management are not hypothetical; they are a real and present danger to organizational security.
Time for a Change in Practices
If traditional patch management practices are failing, as evidenced by ongoing vulnerabilities, it’s time for organizations to consider alternative approaches:
Live Patching
A method that allows for disruption-free, efficient, and rapid deployment of patches. This approach can significantly reduce the window of vulnerability without impacting business operations.
Automated Patch Management
Implementing automated systems for patch deployment can ensure timely updates and reduce the human resource burden.
Regular Security Audits
Conducting frequent audits to identify and prioritize vulnerabilities can streamline the patch management process.
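The automation and audit points above (automated reporting under Resource Limitations, the patch-everything policy under Prioritization Challenges, and the regular audits just described) can be tied together in a small compliance check. The script below is an added example written for this article, not code from the original post or from any vendor's product. It compares a constructed inventory of installed packages against a constructed advisory feed, reports every missing fix without severity ranking, and computes how long each fix has been available and not applied. The package names, versions, dates and inventory line format are all hypothetical; the version comparison is deliberately simplified and is not full dpkg or rpm ordering.

```python
"""Patch-compliance audit over a constructed host inventory.

Hypothetical example: the inventory lines, package names, versions and
advisory dates below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed advisory feed: (package, first fixed version, advisory date).
ADVISORIES = [
    ("libwidget", "1.5.0", date(2024, 1, 10)),
    ("netd", "3.2.8", date(2024, 2, 1)),
    ("webfront", "10.0.1", date(2023, 11, 15)),
]

# Constructed inventory, one line per installed package as an agent might report it.
INVENTORY = """\
host=web01 pkg=libwidget ver=1.4.2
host=web01 pkg=netd ver=3.2.8
host=web01 pkg=webfront ver=9.9.9
host=db01 pkg=libwidget ver=1.5.0
host=db01 pkg=netd ver=3.2.10
host=db01 pkg=legacyapp ver=0.9
host=app02 pkg=webfront ver=10.0.1
host=app02 pkg=netd ver=3.1.0
"""

AS_OF = date(2024, 3, 1)  # audit date, fixed so the results are reproducible

LINE_RE = re.compile(r"host=(\S+)\s+pkg=(\S+)\s+ver=(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed: str
    exposure_days: int  # days the fix has been published and still not applied


def version_key(version: str) -> tuple:
    """Split a version into comparable components, comparing digits numerically.

    Simplified: this is not full dpkg/rpm ordering, but it avoids the classic
    mistake of plain string comparison, where "3.2.10" sorts below "3.2.8".
    """
    return tuple(
        (0, int(part)) if part.isdigit() else (1, part)
        for part in re.findall(r"\d+|[A-Za-z]+", version)
    )


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed)


def audit(inventory: str, advisories, as_of: date) -> list:
    """Compare every installed package against every advisory; no severity triage.

    Every missing fix is reported, following a patch-everything policy rather
    than a ranked subset.
    """
    fixed_by_pkg = {pkg: (ver, published) for pkg, ver, published in advisories}
    findings = []
    for line in inventory.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than abort the audit
        host, pkg, installed = match.groups()
        if pkg not in fixed_by_pkg:
            continue  # no advisory for this package
        fixed, published = fixed_by_pkg[pkg]
        if is_vulnerable(installed, fixed):
            findings.append(Finding(host, pkg, installed, fixed, (as_of - published).days))
    return findings


def summarize(findings) -> dict:
    """Per host: (number of missing patches, longest exposure in days)."""
    summary = {}
    for f in findings:
        count, worst = summary.get(f.host, (0, 0))
        summary[f.host] = (count + 1, max(worst, f.exposure_days))
    return summary


if __name__ == "__main__":
    results = audit(INVENTORY, ADVISORIES, AS_OF)
    for f in sorted(results, key=lambda f: -f.exposure_days):
        print(f"{f.host}: {f.package} {f.installed} < {f.fixed} "
              f"(fix available for {f.exposure_days} days)")
    print("per host:", summarize(results))
```

Run as a script, it lists the three hosts' missing fixes ordered by exposure age and a per-host summary; in practice the inventory would come from an agent or configuration-management export and the advisory feed from the vendor, and the exposure figure is the number to watch, since it is the window of vulnerability the article describes.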
Poor patch management is a critical issue in cybersecurity. The persistence of vulnerabilities to well-known exploits like Log4j is a testament to the need for more effective patch management strategies. Organizations must recognize the gravity of this issue and adopt practices that ensure timely and efficient patching to safeguard their digital assets.