What are "Bad Patches"? The Risks of Ineffective Patch Management
Just as an iPhone regularly alerts its owner to a new system update, computer networks must also update their software to address vulnerabilities that, if left unattended, could lead to a cyber incident.
The importance of patch management was highlighted in a recent webinar featuring Scott Reardon, Director of Global Technical Services at Eze Castle Integration.
Beyond satisfying compliance expectations, patch management is an essential line of defense in cybersecurity protection. As Microsoft’s President, Brad Smith, once noted, as cyber criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.
Otherwise, they are fighting the problems of the present with the tools of the past.
“Patch management is really applying new or changing existing code to a software program,” said Reardon. “It stems from enhancements to bug fixes and in today's world it's more popularly associated with security fixes. It is definitely a lot more complex than when I started out in the IT industry.”
That said, firms should be mindful that not all patches are beneficial. Technology and software providers can release “bad patches”, meaning patches that cause system downtime or break other applications or systems. This happens occasionally even though vendors test extensively in their own environments before a patch is released to the general public.
“I recall a recent issue where if you had a virtual machine and it was set with a static IP address, a Microsoft patch would basically wipe out the configuration of the virtual network card and you would lose communication to it. It is important to understand what patches you are applying, the risks that are associated with those patches that are being deployed, and then testing them in an environment before you deploy them,” advised Reardon.
Even then there is no guarantee that released patches are perfect, but having a solid testing methodology reduces the risk of your IT team deploying bad patches.
Reardon pointed out that Eze Castle Integration had successfully excluded a number of patches for its clients lately, “because working with some of our vendors, we discovered that a patch would cause an issue with a particular application and prevented it from being deployed”.
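The two practices described above, validating a patch in a test environment before it reaches production and keeping a documented exclusion list for patches known to break something, can be turned into a simple deployment gate. The following is an added example, not tooling from Eze Castle Integration or the webinar: the ring names, patch identifiers, the snapshot layout and every data value are constructed for illustration. The validation check it runs is a before/after comparison of each interface's IP configuration, which is exactly the check that would have caught the static-IP wipe Reardon describes.

```python
"""Staged patch rollout gated on pre/post validation and documented exclusions.

Added example (not Eze Castle Integration's tooling). Ring names, patch ids,
the snapshot layout and every data value below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Deployment rings, in order (hypothetical names). A patch may only advance to
# the next ring after the previous ring's validation produced no findings.
RINGS = ("test", "pilot", "production")


@dataclass(frozen=True)
class Exclusion:
    """A patch held back on evidence, with a date that forces re-review."""
    patch_id: str
    reason: str
    review_on: str  # ISO date; an exclusion without an expiry quietly becomes permanent


def network_drift(before: Dict[str, dict], after: Dict[str, dict]) -> List[str]:
    """Compare per-interface IP configuration captured before and after a patch.

    Each snapshot maps an interface alias to {'ip', 'prefix', 'gateway', 'dns'}.
    Any interface that disappears, or any field that changes, is a finding.
    """
    findings: List[str] = []
    for iface, cfg in before.items():
        if iface not in after:
            findings.append(f"{iface}: interface missing after patch")
            continue
        for key, old in cfg.items():
            new = after[iface].get(key)
            if new != old:
                findings.append(f"{iface}: {key} changed {old!r} -> {new!r}")
    return findings


def rollout_decision(
    patch_id: str,
    exclusions: List[Exclusion],
    ring_results: Dict[str, List[str]],
) -> Tuple[Optional[str], str]:
    """Return (next_ring, reason) for a patch.

    ring_results maps a ring name to the findings from that ring's validation
    run; a ring absent from the dict has not been run yet. Excluded patches are
    never deployed anywhere until the exclusion is reviewed and removed.
    """
    for ex in exclusions:
        if ex.patch_id == patch_id:
            return None, f"excluded: {ex.reason} (re-review on {ex.review_on})"
    for ring in RINGS:
        if ring not in ring_results:
            return ring, f"deploy to {ring}"
        if ring_results[ring]:
            return None, f"blocked in {ring}: " + "; ".join(ring_results[ring])
    return None, "fully deployed"


# Constructed snapshots of a VM with a static address, before and after a patch
# that reset the virtual NIC (the failure mode described in the article).
BEFORE = {"Ethernet": {"ip": "10.10.1.25", "prefix": 24,
                       "gateway": "10.10.1.1", "dns": ["10.10.1.10"]}}
AFTER = {"Ethernet": {"ip": "169.254.7.33", "prefix": 16,
                      "gateway": None, "dns": []}}

# Constructed exclusion list: the vendor confirmed the patch breaks an application.
EXCLUSIONS = [
    Exclusion("KB-EXAMPLE-2",
              "vendor-confirmed conflict with order-management application",
              "2024-01-31"),  # hypothetical review date
]


def main() -> None:
    findings = network_drift(BEFORE, AFTER)
    print("validation findings in test ring:", findings)
    cases = {
        "KB-EXAMPLE-1": {"test": findings},        # failed validation in the test ring
        "KB-EXAMPLE-2": {},                         # on the exclusion list
        "KB-EXAMPLE-3": {"test": [], "pilot": []},  # clean so far; production is next
    }
    for patch_id, results in cases.items():
        print(patch_id, rollout_decision(patch_id, EXCLUSIONS, results))


if __name__ == "__main__":
    main()
```

In practice the snapshots would be captured on the host (on Windows, for instance, by exporting the output of the built-in network configuration cmdlets to a file before and after the reboot), and the exclusion list lives alongside the patch schedule so that every held-back patch carries its evidence and a review date rather than being forgotten.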
Working with vendors and developing a patch management strategy takes time and resources that smaller fund managers often do not have. Ultimately, an effective strategy comes down to three key components: people, process and tools.
The RACI Chart
When evaluating your patch management program, Reardon referred to what he calls the “RACI” chart for the people component. The program needs to be driven by senior management in a top-down approach that sets a clear course for how patch management is handled.
A RACI chart identifies who is responsible, who is accountable, who is consulted and who is informed.
“You need to elect someone in your organization who is accountable for the success of the patch management strategy. If there's nobody accountable, it's definitely going to fall through the cracks,” said Reardon.
“Then you need somebody responsible for it. That could be the same person as the accountable person, but they need to make sure that they are patching and complying with their patching. So it's one of those things to do and set it up, but then you need to verify that it's working. The only way to do that is by having a responsible individual within the organization dedicated to ensuring that is happening.
“Then you need to consult with other people - a CSO or a security team - to help analyze your risk of applying patches. Here at Eze Castle Integration, we have what's called a security incident response team. So we take those risks and analyze them and understand them to determine what impact this would have on our client base.
“Finally, there is the informed aspect. All business units within your company need to be on the same page regarding the philosophy and maintain a high level of communication.”