Today our world is more connected and data driven than ever, and this trend is only increasing. Technology is ubiquitous, pervasive and crucial to the functioning of modern society. One thing is true about all technology: it runs on software. Software controls how your computer, your phone, your TV, your vehicle and other digital systems operate, even your pacemaker or other medical equipment. It’s little wonder, then, that software is so often the means by which attackers compromise today’s technology.
Is Your Software Leaving You Vulnerable?
Every day, new software vulnerabilities are being discovered, documented and disclosed. This pace of discovery seems to be constantly accelerating. Conversely, the period of time from discovery to inclusion of an exploit in an attacker’s toolkit is constantly decreasing. Because of this, it’s more important than ever to keep our systems patched, protected and safe from known vulnerabilities.
One of the best ways to keep yourself safe in this modern, hyper-connected world is through patching of software vulnerabilities. One source of information about fresh vulnerabilities is the CVE program, an international standard for identifying cybersecurity vulnerabilities run by the MITRE Corporation, which publishes regularly on its CVE Twitter feed. Each of these vulnerabilities represents a weakness that an attacker can leverage to cause damage and disrupt your operations.
Exploring Software Patches
The US Cybersecurity and Infrastructure Security Agency (CISA) defines patches as “software and operating system (OS) updates that address security vulnerabilities within a product. Software vendors may choose to release updates to fix performance bugs, as well as to provide enhanced security features.”
CISA and industry cybersecurity professionals recommend installing patches as soon as they become available. Because so many systems go unpatched for so long, attackers will target known vulnerabilities for months and even years after a patch has been released. We are left with the question: why do people not patch software? Or, what challenges (real and perceived) are there to patching software?
Challenge 1: Knowing if a patch is available
Perhaps the most challenging part for most organizations is keeping up with the sheer number of patches available. Understanding the patches available for firmware, software and drivers can be daunting. Many software vendors don’t support auto-download or auto-install of patches. Some software vendors don’t even regularly publish patches, and those that do don’t always publish release notes that make it clear what a patch is accomplishing. Tracking all available patches first requires an organization to have a comprehensive hardware and software asset inventory, a challenge in and of itself. Once an accurate inventory is available, organizations can engineer a monitoring pipeline that reconciles the inventory against published advisories to surface the patches that are available but not yet applied.
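As an added illustration (not code from the original post, and not part of ZenGRC or any RiskOptics product), the following Python sketch shows the reconciliation step that a monitoring pipeline performs once an inventory exists: each inventory entry is matched to the advisories for its product, and hosts running a version below the fixed release are flagged. The hostnames, product versions and advisory identifiers are constructed placeholders rather than real CVE data, and the version parser is a deliberate simplification of the vendor-specific version schemes a production pipeline would have to handle.

```python
"""Reconcile a software inventory against a patch-advisory feed.

All data below is constructed for illustration. Advisory identifiers are
placeholders in the form ADV-EXAMPLE-nnnn, not real CVE numbers.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: what is actually installed on each host. Product
# names deliberately vary in case and spacing, as real inventories do.
INVENTORY = [
    {"host": "web-01",  "product": "OpenSSH",      "version": "9.3p1"},
    {"host": "web-02",  "product": "openssh",      "version": "9.6p1"},
    {"host": "db-01",   "product": "PostgreSQL",   "version": "15.2"},
    {"host": "db-01",   "product": "openssh",      "version": "8.9p1"},
    {"host": "kiosk-7", "product": "Vendor Kiosk", "version": "2.0"},
]

# Constructed advisory feed: the minimal fields a pipeline needs from a
# vendor or CVE-style source (product, first fixed version, severity).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "openssh",    "fixed_in": "9.6",    "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "product": "postgresql", "fixed_in": "15.4",   "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "product": "nginx",      "fixed_in": "1.25.3", "severity": "high"},
]


def normalize(name: str) -> str:
    """Fold case and whitespace so 'OpenSSH' and 'openssh' match."""
    return re.sub(r"\s+", " ", name).strip().lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified parser: keep the numeric groups, e.g. '9.3p1' -> (9, 3, 1).

    Assumption: numeric groups compare left to right. Real version schemes
    (epochs, pre-release tags, vendor backports) need a scheme-aware parser.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_lt(installed: str, fixed_in: str) -> bool:
    """True when `installed` is older than `fixed_in`; pads short tuples with 0."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_missing_patches(inventory: List[dict], advisories: List[dict]) -> List[dict]:
    """Return one finding per (host, advisory) where the installed version is below the fix."""
    by_product: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_product.setdefault(normalize(adv["product"]), []).append(adv)

    findings = []
    for item in inventory:
        product = normalize(item["product"])
        for adv in by_product.get(product, []):
            if version_lt(item["version"], adv["fixed_in"]):
                findings.append({
                    "host": item["host"],
                    "product": product,
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


def coverage_gaps(inventory: List[dict], advisories: List[dict]) -> List[str]:
    """Inventory products with no advisory source at all: unknown status, not 'patched'."""
    covered = {normalize(a["product"]) for a in advisories}
    return sorted({i["product"] for i in inventory if normalize(i["product"]) not in covered})


def summarize_by_host(findings: List[dict]) -> Dict[str, List[str]]:
    """Group advisory ids per host for a ticket or dashboard view."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(f["host"], []).append(f["advisory"])
    return summary


if __name__ == "__main__":
    for f in find_missing_patches(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}, {f['severity']})")
    print("no advisory source for:", coverage_gaps(INVENTORY, ADVISORIES))
```

Two points the sketch makes that the paragraph only implies: product names must be normalised before matching, or a host will silently pass because its inventory spells the product differently; and an inventory entry with no advisory feed behind it is a coverage gap to report, not a system to count as patched.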
Challenge 2: Patching software will “break” a stable system
There is a dated and often inaccurate belief in parts of the computing industry that installing software patches will “break” systems that are operating in a stable condition. While this did happen occasionally early in the computing age, it is much less common nowadays.
In the early days of computing, it was common for patches to be released hastily and untested, resulting in unexpected outages, complications in interactions with related systems and frustrated users. In today’s world, most software development teams follow engineering best practices and operate under a formal software development methodology, which greatly reduces the risk of deploying faulty software.
The majority of patches being deployed are high-quality, stable and tested for regressions and other potential problems. While there are still rare circumstances in which deploying a patch can have unexpected results, it is very uncommon. Furthermore, implementing robust configuration management practices and having a rollback plan is a very effective way of minimizing the risk from a patch install that goes wrong.
ZenGRC to the Rescue
While ZenGRC can’t patch your systems for you, it can help you manage your overall information security management system through monitoring of security controls and risks. By implementing appropriate security controls for your organization, you can address common security risks like those posed by unpatched systems.
Sign up for a free live demo to see how ZenGRC can help you assess the cyber risks to your organization. And since ZenGRC is a SaaS platform, RiskOptics takes care of all the patching and updates to the system so you can focus on the core business behind your business.
Check out our webinar, Powerful Cybersecurity Lessons From the Movies, to see our cinema-based cyber risk training.