Today, many attempted cyber-intrusions exploit vulnerabilities that are already publicly listed and for which patches have been available, sometimes for several months.
Although fixing security vulnerabilities may seem an obvious priority for organizations and enterprises, most still struggle to track and manage the rollout of these updates.
However, as we’ll see in this article, applying these patches is essential to effective cybersecurity. Indeed, once a vulnerability is announced (very often together with its patch), the race is on for hackers. But how fast can a hacker exploit it and benefit from it before organizations can apply their patches? This is a question no organization wants to have to answer.
But then, what are the real dangers if these patches are not applied? Why do some people not deploy these patches, and how do we patch equipment correctly?
While such intrusion attempts and the dangers they entail may seem rare, they are not: we can see this through two of the biggest cybersecurity cases of recent years, the Equifax data leak and the WannaCry ransomware. Indeed, these two cases, which at first seem totally unrelated, have one major point in common: both involved hackers exploiting unpatched vulnerabilities in servers running Windows 7 and Windows 8.
The dangers of leaving vulnerabilities uncorrected are many and unsurprising (attempted data theft, or malware and/or ransomware intrusions into your computer system, for example), but they are no less serious, as these two high-impact cases show.
These two cases also highlight the fact that many companies still use Windows 7 or Windows 8 operating systems (despite high penetration rates of 87% and 38%, respectively), which are therefore prime targets. Organizations that rely on these operating systems must be especially vigilant to keep abreast of security patches and apply them in a timely manner.
- But then why do some people not deploy these patches despite the danger?
First of all, many people (mostly “private” users, but also users in the professional sphere) are not aware of the danger involved and therefore simply ignore the multiple update warnings they receive: they see them as a waste of time, postpone them, or sometimes simply do not wish to apply them.
Others, more suspicious, sometimes do not know whether the update notification is genuine and, out of fear, may choose to ignore a patch warning that is in fact legitimate.
Another explanation for unapplied patches probably lies in the massive use of unlicensed software. Tens of millions of people use illegally downloaded software every day, and many fear that the latest patch will remove or disable their software. This is why, a few years ago, Microsoft decided not to require a valid license to patch an operating system.
- How and when do I patch my equipment?
As far as the timing of the patch application is concerned, it is of course logical that all patches should be applied as soon as possible.
But companies must prioritize their correction strategy and first address critical fixes. One possible strategy is, for example, to focus first on so-called “N-Day” vulnerabilities (already listed) that have already caused breaches in other companies.
By adopting a simplified patch management strategy – including knowledge of patch distribution schedules and defined responsibilities for those involved in assessing vulnerabilities and patches to be applied – organizations can then position themselves to act quickly on patches.
In doing so, organizations can significantly reduce the time between detecting new security vulnerabilities, assessing them, and applying temporary fixes or workarounds, if necessary.
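The prioritization described above, as an added example that is not part of the original article: a Python triage of a patch backlog that puts already-exploited “N-Day” flaws first and falls back to a workaround when no patch exists yet. The `Finding` fields, the placeholder identifiers, assets and dates, and the tie-break by severity and then by time left unpatched are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    vuln_id: str                    # placeholder identifier, not a real CVE
    asset: str
    severity: str                   # critical / high / medium / low
    exploited_elsewhere: bool       # listed "N-Day" flaw already used in breaches
    patch_released: Optional[date]  # None = no vendor patch available yet

def exposure_days(f: Finding, today: date) -> int:
    """Days the asset has stayed unpatched since a fix became available."""
    return (today - f.patch_released).days if f.patch_released else 0

def action(f: Finding) -> str:
    """Patch when a fix exists; otherwise apply a temporary workaround."""
    return "patch" if f.patch_released else "workaround"

def prioritize(findings, today):
    """Order: exploited N-Days first, then severity, then longest exposure."""
    return sorted(
        findings,
        key=lambda f: (not f.exploited_elsewhere,
                       SEVERITY_RANK[f.severity],
                       -exposure_days(f, today)),
    )

# Constructed sample backlog (all names and dates are made up).
TODAY = date(2024, 6, 1)
BACKLOG = [
    Finding("VULN-A", "hr-laptop-17", "medium", False, date(2024, 5, 20)),
    Finding("VULN-B", "web-frontend", "critical", True, date(2024, 3, 1)),
    Finding("VULN-C", "file-server", "critical", False, date(2024, 5, 25)),
    Finding("VULN-D", "vpn-gateway", "high", True, None),
    Finding("VULN-E", "mail-relay", "critical", False, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG, TODAY):
        print(f"{f.vuln_id:7} {f.asset:13} {f.severity:8} "
              f"{action(f):10} exposed {exposure_days(f, TODAY)}d")
```

In practice the `exploited_elsewhere` flag would come from whatever threat-intelligence or vendor advisory feed the organization already follows.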
Finally, although Windows systems are, as we have seen, hackers’ favourites, you should know that most operating systems and applications come with automatic update mechanisms (if you allow them).
Beyond applying patches, it can be useful, even wise, for your organization to carry out an audit of its information system, to identify additional controls and actions to adopt. Clearly, if you do not have a complete picture of your current IT security situation, you will never have an overall view of your strengths and weaknesses, which makes any vulnerability management strategy difficult.