Get all your stuff patched, then we'll talk
The title of this article, “get all your stuff patched, then we’ll talk”, was spoken by a security expert on a podcast I recently heard. Since I listen to so many security podcasts, I sadly can’t give attribution to the originator. This is unfortunate, given how much we can learn from this seemingly simple statement.
In my article Pursue simple, get fancy later, I made the point that with all of the focus on “fancy” security products, designed to solve all the world’s security problems with a single purchase, people are ignoring the fundamentals that would arguably keep us even safer for less money. Patching is the most basic and probably most important of all of these.
Since I recognize that some might not understand exactly what patching involves, let me explain with an analogy. I own a 2014 Ford Fusion. I drove if off the lot close to two years ago, and other than oil changes, it has experienced no issues. Some months ago, I received a notice from Ford that my vehicle had been recalled due to a potential defect in the visual display system. Ford believed that the car was without issue when they delivered it to me, but based on customer and service department feedback (with possibly some help from the government), they identified a defect, figured out how to fix it, and let customers know they needed to stop by their dealer’s service department.
Software functions quite similarly to the above car analogy, except for the fact that the opportunity for defects in software is much, much greater. To further complicate the problem, there are loads of hackers around the world that just love to find and exploit such defects.
Given the number of defects found in software, most vendors have a formal process for tracking and correcting issues, and releasing patches to implement the corrections. The issue of software defects gets further muddled by the fact that the corrections themselves often have issues which must in turn be fixed.
In the early days of Windows and application software, these defects were often annoying to the user, but did not pose any appreciable security risk. Now however, we have an entire industry focused finding and exploiting defects to allow for the commission of illegal acts, ransomware being a good current example.
Recognizing the danger, most software companies have provided various automated means of applying such patches. The idea is simple on the surface - the software phones home periodically, asking if updates exist. If they do, they get downloaded and installed. For Windows itself, prior to Windows 10, a process called Windows Update handled the update process, under some degree of control by the user. As of Windows 10, the process happens invisibly, with no ability for the user to control it, except for customers with corporate licenses.
The automated update process sounds simple on the surface, but it quickly breaks down. When users assume some control, they tend to postpone updates to avoid interfering with their work. When they cede all control to automation, they take it on faith that the update process is working. Sadly, update automation breaks down with some frequency.
I had one customer infected with ransomware a few months ago, probably due to the Windows Update process breaking down. For another customer for which I just implemented managed security, I found one key PC that had not applied automatic updates for 6 months, and would not even process them manually. Issues with Windows Update are all too common.
The challenge of patching grows exponentially given the typical number of additional software applications installed on a PC. Most of these programs will have vulnerabilities identified sooner or later, and must themselves be updated. As with Windows, many will prompt for user approval prior to installing, which may be delayed, and others will fail invisibly.
Sadly, the challenge of patch management has no easy answers. There are some things you can do to improve your chances:
Enable automation for all possible software, and if you get prompted to approve an update, let it install.
Check Windows Update periodically to make sure updates are not accumulating. In Windows 7 and earlier, use Windows Update in Control Panel. For Windows 10, use Updates & Security under Settings. For offices with many PCs, spot check a group of them each week, as I suggest in How to Avoid Ransomware.
Have a monthly patch day, where you check each of your application packages for currency. Check each vendor's web site for the current version, and verify against what you have installed. Manually apply updates as necessary.
If the process seems a bit overwhelming, consider a managed security service, which includes monitoring and of patches for Window and various applications. There are a variety of service providers that offer patch management.
Bottom line -- nobody claimed patching was easy, and it gets harder each month. The stakes are high however, given the number of well-funded hackers just waiting on you to make a mistake. Fail to stay on top of it, and you will be a vitcim, sooner or later.