Protecting Enterprise and Small-Medium Business networks from exploits and hacking attempts is not an easy task.
Each year software giants release new systems that bring new features and functionality to Enterprise and SMB companies aiming to increase collaboration, productivity, and generally make life easier for everyone, except IT Managers, System Engineers and Administrators.
Unfortunately, history has proven many times that new operating systems and applications are often bundled with a generous number of security issues, which are usually detected after a security incident.
Almost every company, whether large or small, has faced data breaches and had important data, personal records and financial information stolen. Sadly, most companies never even know about the data breach until it's too late!
For example, in May 2014, the notorious Syrian Electronic Army attacked and successfully stole credentials from eBay. They managed to steal personal records of over 230 million users, compromising usernames, passwords, phone numbers and physical addresses, leaving eBay users vulnerable to identity theft.
Did you know that the PCI Data Security Standard (PCI DSS) provides a framework for developing a robust data security process - including prevention, detection and appropriate reaction to security incidents?
Last month, a huge data breach at P. F. Chang's, the famous chain restaurant, compromised the payment information of its customers. Criminals hacked more than 33 P. F. Chang's restaurants between October 2013 and June 2014 and managed to record the data belonging to an as yet unestimated number of credit and debit cards used at the restaurant's locations. Subsequently, these newly stolen credit and debit cards were put up for sale on the black market. The identity of the attackers is yet to be worked out, and worst of all, P. F. Chang's was alerted in June 2014 by the US Secret Service about the data breach! It seems like they were totally unaware of what was happening for a period of over 9 months!
A majority of the machines had data successfully siphoned off them because they had a common problem: they were not fully patched. It is suspected that software used in the machines had vulnerabilities and attackers used the security holes to enter and steal information. Patches are meant to fix flaws in the software, preventing attackers from gaining access through the flaws. However, applying patches in time is something that most users typically delay. The patching cycle, too, adds to the security problems.
Typically, vendors issue patches as they discover vulnerabilities in their software. Sometimes, security experts discover a flaw in software and publicize it even before the vendor has had time to come up with a fix. This makes all machines using the software vulnerable to attack.
Furthermore, the very act of announcing a patch makes machines vulnerable until the patch has actually been applied. There is usually a time lag between the announcement of the patch, acquiring it and applying it. Very few people actually apply the patch as soon as it is released. Sometimes this is an oversight, but mostly the patch is delayed so it can be tested to confirm that it does not cause business processes to break down.
Attackers make use of this time lag to exploit exposed vulnerabilities. As most attackers take the path of least resistance, they scan machines until they have located one that has not yet been patched and they get in. Therefore, if you put more effort into patching up front, not only do you keep your own machines protected and up-to-date, your users also remain safe from sundry attackers.
To defeat the attacker successfully, the organization needs to be adequately prepared. The process of securing information is not a static goal, but has to be treated as a dynamic process that requires flexible, skilled and disciplined management with a response cycle that ensures continuous improvement.
Following are a few simple rules that help make the process much easier to handle:
A Systematic Approach
Patching requires the IT team to be ever vigilant and thoroughly systematic. To begin with, everyone must realize the importance of patching and the team effort should generate unselfish cooperation. In today's scenario, apart from the Operating System, software tools from several vendors are also used simultaneously. Therefore, apart from the patches and updates for Windows from Microsoft, the IT team may also have to handle fixes from other vendors such as Adobe. Relying on updates from the vendors may not be enough - the IT team must also look out for white papers and other product reviews published independently.
Manage Your Assets
Inventory your tools and systems to know what you have. Asset management makes it easier for your IT team to know the breadth of the patch management it has to tackle. The team must keep abreast of the installation of any new application, service pack and patch, which makes this a continuous job.
Organize Your Processes
Although there are many good tools for patch management, the process is complex and still needs to be handled smartly, with the right strategy and proper teamwork. If your organization is highly centralized, the IT team can work as a core group, performing the entire asset management and determining the needs and priorities of patching, including testing and rollout.
For geographically distributed organizations, several local IT groups may be the norm. Although communication between the individual groups is important, each group must acquire its own tools and gain independent patching expertise.
Proper patch management requires the IT team to be fully in control while end users are discouraged from doing their own patching, unless IT has provided them with detailed instructions and training for patching.
Automate Your Processes
Nowadays, there are a few good tools available for patch management that can automate the process of patching and they work on multiple platforms. Automating the process relieves the IT team from the tedious process of having to manually test and install each patch.
IT can set the automatic functions to scour for new patches constantly and organize the patches by their importance. They can also automate the process of mapping the company's vulnerabilities according to their priorities against the patches available. This provides them with a clear roadmap of what to patch and in what sequence.
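The mapping described above, sketched as an added example that is not part of the original article or any particular patch-management tool: it joins an asset inventory against a patch feed and orders the missing patches by risk. The host names, product names, patch IDs, criticality ratings and the scoring formula are all constructed assumptions.

```python
from datetime import date

SEVERITY = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Constructed inventory: host -> business criticality (1-3) and installed versions.
INVENTORY = {
    "pos-terminal-01": {"criticality": 3, "software": {"ExamplePOS": "2.3.1", "ExamplePDF": "11.0.2"}},
    "file-server-01": {"criticality": 2, "software": {"ExamplePDF": "11.0.7", "ExampleJRE": "7.0.51"}},
    "kiosk-07": {"criticality": 1, "software": {"ExampleJRE": "7.0.45"}},
}

# Constructed patch feed: version that fixes the flaw, severity, release date.
PATCHES = [
    {"id": "PATCH-001", "product": "ExamplePDF", "fixed_in": "11.0.7",
     "severity": "critical", "released": date(2014, 5, 13)},
    {"id": "PATCH-002", "product": "ExampleJRE", "fixed_in": "7.0.55",
     "severity": "important", "released": date(2014, 4, 15)},
    {"id": "PATCH-003", "product": "ExamplePOS", "fixed_in": "2.3.1",
     "severity": "critical", "released": date(2014, 6, 10)},
]

def parse_version(text):
    """Compare versions numerically so that 7.0.9 sorts before 7.0.45."""
    return tuple(int(part) for part in text.split("."))

def build_roadmap(inventory, patches, today):
    """Return every missing patch per host, highest risk first."""
    roadmap = []
    for host, asset in inventory.items():
        for patch in patches:
            installed = asset["software"].get(patch["product"])
            if installed is None:
                continue  # product is not installed on this host
            if parse_version(installed) >= parse_version(patch["fixed_in"]):
                continue  # host already runs the fixed version
            roadmap.append({
                "host": host,
                "patch": patch["id"],
                "score": SEVERITY[patch["severity"]] * asset["criticality"],
                "days_exposed": (today - patch["released"]).days,
            })
    # Highest score first; ties go to the patch that has been public longest.
    roadmap.sort(key=lambda item: (-item["score"], -item["days_exposed"]))
    return roadmap

if __name__ == "__main__":
    for item in build_roadmap(INVENTORY, PATCHES, date(2014, 7, 1)):
        print(item)
```

The `days_exposed` field makes the lag between a patch's announcement and its installation visible for each host.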
It is evident that companies of every size should give high priority to correctly patching their systems. Keeping systems up-to-date has proven to be an effective method against targeted attacks seeking to exploit vulnerable systems. Our next article, Protecting Enterprise & SMB Networks From Exploits, Hacking & Attacks By Correctly Patching Systems - Part 2, focuses on additional ways to help simplify the patching process for companies.