What are "Bad Patches"? Risks of Ineffective Patch Management
Just as iPhones regularly alert us to a new system upgrade, computer networks must also update their software to address vulnerabilities, which left unattended could lead to a potential cyber incident.
Whilst we navigate this landscape of uncertainty, firms are encouraged to educate themselves on poor patch management and then address any gaps in their IT infrastructure, to avoid falling victim to the many fraudsters and hackers out there who are just waiting to strike.
Beyond simply complying with expectations, patch management is an essential line of defense in cybersecurity protection. As Microsoft’s President, Brad Smith, once noted, as cyber criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise, they are literally fighting the problems of the present with tools of the past.
Patch management is the process of applying new code to, or changing existing code in, a software program. Patches range from feature enhancements to bug fixes, and today they are most commonly associated with security fixes. Effective patch management has become more complex over time as the threat landscape has grown more sophisticated. Investment firms are therefore encouraged to monitor their infrastructure regularly and implement fixes promptly as necessary.
With that said, firms should be mindful that not all patches are beneficial. Technology and software providers can accidentally release “bad patches”, meaning, patches that can cause system downtime or problems with other applications or your systems. This can occasionally happen, even though extensive testing is done in their own environment before a patch is released to the general public.
For example, if you had a virtual machine configured with a static IP address, a Microsoft patch would wipe out the configuration of the virtual network card and you would lose communication with it. It is therefore important to understand which patches you are applying and the risks associated with them, and to test them in a controlled environment before you deploy them.
Unfortunately, even then there is no guarantee that released patches are perfect. Therefore, having a solid testing methodology can reduce the risk of your IT team deploying bad patches.
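The static-IP example above is the kind of regression a testing methodology should catch before a patch reaches production. The following added example, which is not Eze Castle Integration's code, shows one verification check a test ring can run: capture the test VM's `ipconfig` output before and after the patch, diff the two, and hold the rollout if any adapter lost its address, fell back to an APIPA (169.254.x.x) address, or lost its default gateway. The `ipconfig` samples are constructed, and the adapter names and addresses are placeholders.

```python
"""Post-patch network configuration check for a patch test ring.

Added example, not Eze Castle Integration's own tooling. Assumes the
test team saves `ipconfig` output from a test VM before and after the
patch is applied; the two captures below are constructed samples.
"""
from __future__ import annotations

import re

# "Ethernet adapter Ethernet0:" -> adapter name "Ethernet0"
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
# Matches both "IPv4 Address" and "Autoconfiguration IPv4 Address" lines
ADDR_RE = re.compile(r"^\s+(?:Autoconfiguration )?IPv4 Address[ .]*:\s*(\S+)")
# Gateway line; the value is optional because ipconfig prints it blank when unset
GW_RE = re.compile(r"^\s+Default Gateway[ .]*:\s*(\S+)?\s*$")

# Constructed capture: VM with a static address before the patch
BEFORE = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.30.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.1

Ethernet adapter Ethernet1:

   IPv4 Address. . . . . . . . . . . : 192.168.100.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# Constructed capture: the patch wiped Ethernet0's static configuration,
# so Windows fell back to an APIPA address and lost the gateway
AFTER_BROKEN = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Autoconfiguration IPv4 Address. . : 169.254.12.7
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet1:

   IPv4 Address. . . . . . . . . . . : 192.168.100.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text: str) -> dict[str, dict]:
    """Map adapter name -> {"addrs": set of IPv4 strings, "gateway": str|None}."""
    adapters: dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"addrs": set(), "gateway": None}
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            # `ipconfig /all` appends "(Preferred)"; drop it
            adapters[current]["addrs"].add(m.group(1).split("(")[0])
            continue
        m = GW_RE.match(line)
        if m and m.group(1):
            adapters[current]["gateway"] = m.group(1)
    return adapters


def compare_configs(before_text: str, after_text: str) -> list[str]:
    """Return human-readable findings for every regression between the captures."""
    before, after = parse_ipconfig(before_text), parse_ipconfig(after_text)
    findings: list[str] = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            findings.append(f"{name}: adapter missing after patch")
            continue
        lost = old["addrs"] - new["addrs"]
        if lost:
            findings.append(f"{name}: lost address(es) {', '.join(sorted(lost))}")
        was_apipa = any(a.startswith("169.254.") for a in old["addrs"])
        now_apipa = any(a.startswith("169.254.") for a in new["addrs"])
        if now_apipa and not was_apipa:
            findings.append(f"{name}: fell back to APIPA (169.254.x.x) addressing")
        if old["gateway"] and new["gateway"] != old["gateway"]:
            findings.append(f"{name}: default gateway changed {old['gateway']} -> {new['gateway']}")
    return findings


def patch_gate(before_text: str, after_text: str) -> dict:
    """Decide whether the patch may leave the test ring: any finding holds it."""
    findings = compare_configs(before_text, after_text)
    return {"verdict": "hold" if findings else "promote", "findings": findings}


if __name__ == "__main__":
    result = patch_gate(BEFORE, AFTER_BROKEN)
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

Run the same gate on every test-ring host after each patch cycle and feed the verdict into the change approval step; a "hold" result is the signal to contact the vendor and block the patch from the production deployment.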
At Eze Castle Integration, we've helped our clients to successfully avoid a number of such patches. Working with some of our vendors, we look out for patches likely to cause an issue with a particular application and prevent them from being deployed.
Working with vendors and developing an effective patch management strategy takes time and resources, which smaller investment firms simply do not have the luxury of. Ultimately, an effective strategy boils down to three key components: people, process and tools.
The RACI Chart
When evaluating your patch management program, we advise following the “RACI” chart with respect to the people component, which needs to be driven from senior management in a top-down approach, to set a clear course on how to deal with patch management.
A RACI chart defines who is Responsible, Accountable, Consulted and Informed. You'll need to elect someone in your organisation who is accountable for the success of the patch management strategy. Without a dedicated individual accountable for effective patch management, it is likely to fall through the cracks and consequently expose your firm to many vulnerabilities.
You'll then need an individual responsible for the strategy. This could be the same person as the accountable person, but they need to make sure that patching is happening, that it complies with the patching strategy, and that it is working. The only way to do that is by having a responsible individual within the organisation dedicated to ensuring that this is happening.
Next, you'll need to consult with other people - a CSO or a security team - to help analyse your risk of applying patches. Here at Eze Castle Integration, we have what's called a security incident response team. We take any associated risks, analyse and understand them, to determine what impact this would have on our client base.
Finally, there is the informed aspect. All business units within your company need to be on the same page regarding the philosophy of your strategy and to maintain a high level of communication.
We hope you found this article helpful. You may also want to check out our webinar on the importance of patch management for deeper insights into this topic.
For more information on how ineffective patch management can leave your investment firm exposed to potential threats, read our full whitepaper here.
Editor's Note: This article has been updated and was originally published in March 2019.