As the number of software applications grows, IT teams are under constant pressure to effectively deploy patch management solutions to reduce vulnerabilities. Last year alone, it was reported that ethical hackers discovered more than 65,000 new software vulnerabilities, with tons being exploited in the wild from Log4Shell to Follina to the Google Chrome Zero-Day. With vendors releasing hundreds of patches monthly, it’s nearly impossible for teams to use traditional patching methods to keep up.
With so much at risk, why are IT and security teams struggling to implement good patch management practices? And more importantly, what could they do differently? To answer these questions, let’s look at six patch management mistakes and how to avoid them.
Mistake #1: Delayed patching
All software has the potential to harbor bugs and create vulnerabilities, which we know hackers exploit. That’s why most organizations work hard to release patch updates. Unfortunately, many of today’s security incidents involve vulnerabilities that IT teams haven’t patched. In fact, according to a recent survey, 78% report they don’t patch critical vulnerabilities within 24 hours, and 12% apply critical patches only when they get around to it. These numbers are staggering.
Delayed patching can have catastrophic outcomes. Just look at WannaCry. Microsoft released a Windows vulnerability patch two months before that attack happened. Organizations that delay patching put employees, partners, and their brand at risk. IT teams should automate the patching process to ensure all patches are updated promptly.
Mistake #2: Letting end users do their own patching
Believe it or not, some enterprises still let users have local admin rights and rely on those users to responsibly patch vulnerabilities. This creates a huge attack surface for an organization. If an application isn’t running properly, allowing admin rights to users can sometimes help solve the issue, but in turn, it creates a brand-new security vulnerability: end-user free will. The hard truth: No IT team should rely on end-users for patching. It’s too risky to extend blanket admin rights. Instead, IT teams should have more granular access policies, letting users install certain applications after inputting their password, but lock down the user’s ability to install anything and everything.
Mistake #3: Relying on Windows Server Updates Services
Many assume that WSUS delivers all the security needed to protect against vulnerabilities. That’s simply not the case. WSUS doesn’t offer the necessary reporting needed to ensure systems are 100% protected. It focuses solely on supplying Microsoft-specific patches and not third-party apps (such as Adobe or Chrome) that might run on a system. But it’s a simple problem to solve. Don’t assume WSUS has all the organization’s security bases covered. Look into solutions that offer cross-platform support, reliable third-party patching, and the necessary reporting capabilities to validate that there’s complete patching coverage.
Mistake #4: Allowing vendors to auto-update
Nearly every operating system and third-party application implements its own auto-updates. At a surface level, this promises great results. But users often can’t install these updates if their devices are locked down, which many IT teams do to ensure updates don’t break critical business applications. Furthermore, automatic updates create a false sense of security and often interrupt productivity if triggered during work hours. Ideally, IT teams would disable auto-updates and instead work against their patch management best practices to quickly evaluate new patch releases, test them, and then push them into production with automated tools.
Mistake #5: Not prioritizing patch and vulnerability risk
Some enterprises – especially those with small IT and security teams – can easily become overwhelmed by the sheer volume of patches, vulnerabilities, and potential threats. But not all risks are created equal. That’s why it’s crucial to categorize patches and vulnerabilities by risk level. Look at any of the severity ratings for the patch or vulnerability and review the organization’s environment to understand the full exposure of risk across the enterprise. If the team has a critical vulnerability on one machine across an enterprise environment of 10,000 devices, there’s a much lower risk than if it had that same critical vulnerability on 5,000 of the company’s 10,000 devices. Once prioritized, focus on applying the most critical updates first.
Mistake #6: Not understanding the big picture
The risk levels at the most protected security environment can still shift daily. For example, Linux devices aren’t protected by WSUS, and applications running on Java are often still vulnerable. A vulnerability with a program such as Google Chrome, can offer malicious actors a way into your company. Can the team see everything? Are they confident all assets are up-to-date and secure? Does the team know where its weak spots are, and do they have a plan to improve overall security posture? When companies handle patch management in a silo, they miss the bigger vulnerability picture. IT teams need to have a strong strategy for every single employee, from administrative assistants to the CEO.
Patch management has changed dramatically over the last five years as organizations try to keep pace with attackers. It’s never been more important for IT teams to have a solid patch management strategy, so consider using the list we’ve outlined here to get started.
Ashley Leonard, founder and CEO, Syxsense