Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint
4/22/2016 12:00 PM
Ashley Leonard
Commentary

The Problem With Patching: 7 Top Complaints

Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment.

A term that’s cropped up recently among IT managers is “patching fatigue,” referring to the overwhelming number of patches organizations need to keep their IT environment up-to-date and secure. 

According to the 2016 IBM Security Report, which covers 18 years of patches, there are over 100,000 known vulnerabilities, which works out to around 5,000 a year per device. Only a few hundred would affect each device in a network at any time, but these security risks pile up quickly. Even with a small environment, that’s a monumental task. It’s no wonder “patch fatigue” has caught the attention of many IT departments.

Tripwire recently conducted a survey of nearly 500 US-based IT professionals about their struggles to keep up with patching. Based on the Tripwire data, here are the seven top complaints about patching – and suggestions for streamlining the process. 

Complaint: Patch Management Is Too Time Consuming. No matter the size of the organization, whether it's a few hundred or over 1,000 endpoints, patching can take hundreds of hours every month. There's added concern if a patch requires a system restart, more so for servers, where significant downtime and lost business are a likely result.

What To Do About It: Deploy a patch management tool that automates the patching process during maintenance windows when the business is least affected, usually weekends or after hours. It also helps to focus first on mission-critical patches and to identify the areas that are most vulnerable.

Complaint: It’s More Than Microsoft And Operating Systems. The patching process isn’t limited to Windows or other operating systems. Third-party applications also have patches and not all the patches are created equal. Vendors like WordPress are relatively simple to update, but Java and Flash are often major pain points.

What To Do About It: Ideally, the patch management tool also handles software from the major third-party vendors. It's imperative to identify what software is on which devices. If a department or collection of devices shares similar software, then grouping the patches together will save time and resources.

Complaint: Java And Flash, The Problem Children. Two of the largest contributors to patch fatigue are Java and Flash because they are typically bundled with other products. Bundling creates version control issues as it’s difficult to know which patches for Java and Flash were deployed to which devices.

What To Do About It: Having an inventory tool is the best way to manage this issue. Properly scanning each device for the software and software version will enable proper patch deployment and remove guesswork.

Complaint: Structured Scheduling And Critical Fixes. Patch Tuesday is Microsoft’s monthly release cycle – always the second Tuesday of the month – providing updates for its catalogue of products. While many IT managers would rather have critical fixes released on an as-created basis, the schedule has eased the burden for many IT managers. Companies like Apple, however, release on an intermittent basis, so if the environment has various operating systems, there’s a greater challenge.

What To Do About It: Get on a schedule. The schedule doesn’t have to match Microsoft’s, though many IT departments implement a Patch Saturday. It’s recommended to take one period during the month to patch devices. Rotating through groups of devices for less-critical patches helps spread the workload. Patching needs to take place quarterly at a minimum, otherwise it’s too dangerous for network security.

Complaint: What Version Is This? Windows 10 Branching. Microsoft’s new strategy for Windows 10 involves updating the OS in two different fashions. Long-term servicing branch (LTSB) is the familiar Windows update with security updates and bug fixes, but alternatively customers can use the current branch (CB), which includes new features. New features help end-users, but testing and possible system downtimes are the most immediate drawbacks.

What To Do About It: Test before updating to the CB. If the business has legacy applications tied to older OS versions, then updating to the current branch is probably inadvisable. Staying up to date is important, but not at the cost of doing business.

Complaint: Don’t Deploy Every Patch. The Common Vulnerability Scoring System (CVSS) is an industry standard methodology to classify how critical a patch is to a device. But what matters most is how critical a patch is to a device in the business network. Many patches can be ignored regardless of vendor-issued severity, and conversely, patches not rated highly for most devices could be critical in your environment.

What To Do About It: Prioritizing which missing updates to deploy, starting with those whose absence has serious consequences, lessens the potential impact. A patch management tool that identifies missing patches and reports their relevance clearly limits the strain.
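The following Python script is an added illustration, not the article's or any vendor's tool: it works the prioritization described above over a constructed inventory, comparing installed versions against available fixes, weighting each missing patch's vendor CVSS score by a hypothetical asset-criticality rating so that a medium-severity fix on a core server can outrank a critical one on a kiosk, grouping devices that need the same patch into one rollout (the inventory and grouping advice given earlier), and flagging devices past the quarterly minimum from the scheduling advice. All device names, versions, scores and dates are made up.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data (not from any real vendor feed): installed software per device, a
# business-criticality weight (1 = kiosk, 5 = core server), fixed version + vendor CVSS, last patch date.
INVENTORY = [("web01", "java", "8u71"), ("web02", "java", "8u71"), ("db01", "java", "8u77"),
             ("db01", "openssl", "1.0.1e"), ("hr-pc7", "flash", "21.0.0.182"),
             ("hr-pc8", "flash", "21.0.0.197"), ("kiosk1", "wordpress", "4.4")]
ASSET_CRITICALITY = {"web01": 3, "web02": 3, "db01": 5, "hr-pc7": 1, "hr-pc8": 1, "kiosk1": 1}
PATCHES = {"java": ("8u77", 9.8), "openssl": ("1.0.1g", 5.3),
           "flash": ("21.0.0.197", 9.3), "wordpress": ("4.4.2", 5.4)}
LAST_PATCHED = {"web01": date(2016, 1, 5), "web02": date(2016, 3, 1), "db01": date(2016, 3, 1),
                "hr-pc7": date(2016, 3, 1), "hr-pc8": date(2016, 3, 1), "kiosk1": date(2015, 12, 20)}

def version_key(v):
    """Comparable key for '8u71', '1.0.1e' or '21.0.0.182'; digit runs always sort before letter runs."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v))

def missing_patches(inventory=INVENTORY, patches=PATCHES):
    """Inventory scan: (device, software, fixed_version, cvss) for every outdated install."""
    found = []
    for device, software, installed in inventory:
        fixed, cvss = patches.get(software, (None, 0.0))
        if fixed and version_key(installed) < version_key(fixed):
            found.append((device, software, fixed, cvss))
    return found

def prioritize(missing, criticality=ASSET_CRITICALITY):
    """Rank by CVSS weighted with asset criticality rather than vendor severity alone."""
    return sorted(missing, key=lambda m: m[3] * criticality[m[0]], reverse=True)

def batches(missing):
    """Group devices needing the same patch so one rollout per maintenance window covers them all."""
    groups = defaultdict(list)
    for device, software, fixed, _ in missing:
        groups[(software, fixed)].append(device)
    return dict(groups)

def overdue(today, last_patched=LAST_PATCHED, max_days=90):
    """Devices past the quarterly (90-day) minimum patch interval; today may be an ISO date string."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    return sorted(d for d, when in last_patched.items() if (today - when).days > max_days)

if __name__ == "__main__":
    print(prioritize(missing_patches()), batches(missing_patches()), overdue("2016-04-22"), sep="\n")
```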

Complaint: Patching And Vulnerability Management. Patching and vulnerabilities are frequently intermingled terms, but they are not interchangeable. Even after patching, there are still vulnerabilities that may exist in the network and it’s important to identify where these potential pitfalls exist, typically in legacy applications and older OS versions.

What To Do About It: Patching is the first step for securing an IT network, but the job hardly stops there. Gaining a thorough understanding of the IT network through accurate reporting will identify areas of concern. It’s also important to remove discontinued products; this alone mitigates many problems. But until devices begin self-upgrading or self-patching, it will continue to fall to the IT manager to discover the best way to manage each challenge and relieve the many headaches associated with patching fatigue. 

Ashley Leonard is the president and CEO of Verismic Software, a global industry leader providing cloud-based IT management technology and green solutions. He is a technology entrepreneur with 25 years of experience in enterprise software, sales, and operational leadership. ...

Comments
Joe Stanganelli,
User Rank: Ninja
5/6/2016 | 2:41:14 PM
Re: Suggested errata/addendums
Some major websites/companies (most notably, perhaps, Google) have hopped on board with HTML5 alternatives, but yep, Flash is still out there, around, proliferating in the sunlight waiting to drag us into the shadows.
Joe Stanganelli,
User Rank: Ninja
5/4/2016 | 6:33:16 AM
Re: Suggested errata/addendums
@RyanSepe: Excellent point, which I didn't even think of!  Who installs Flash on their *servers*?  :/
RyanSepe,
User Rank: Ninja
4/26/2016 | 3:14:55 PM
Re: OS Vs. Apps
I agree with you, that's why app security is pivotal. Ingrain security at the development level and you will cut out a lot of future security headaches.
RyanSepe,
User Rank: Ninja
4/26/2016 | 3:13:47 PM
Re: patching - the never ending story ...
It's necessary. In security there will never be a silver bullet and it's difficult to think of a world where patching doesn't exist. Build a steel vault and someone invents a contraption to melt steel. It will always be ongoing. It's those who get fed up with the process and let it go for long periods of time that are losing the fight.
RyanSepe,
User Rank: Ninja
4/26/2016 | 3:11:34 PM
Re: Suggested errata/addendums
That's exactly the problem, legacy applications. I was going to comment on that on your previous post. As you said, maybe not an issue for the personal user but from an enterprise perspective it's a huge issue.
Dr.T,
User Rank: Ninja
4/26/2016 | 2:33:53 PM
Re: patching - the never ending story ...
"... then you need another patch to fix it ..."

Exactly. Never ending loop, patching the patch. That is what our experience is with Microsoft. Constant releases to close loopholes are actually a waste of effort, time and money.
Dr.T,
User Rank: Ninja
4/26/2016 | 2:31:19 PM
OS Vs. Apps
Today, there are more problems with the apps than with the OSes. Certain apps are vulnerable and they are used to exploit vulnerabilities in the OSes. Apple might have gotten this right from the beginning; maybe both apps and OSes should be part of a closed system to avoid attacks with the least effort.
Dr.T,
User Rank: Ninja
4/26/2016 | 2:30:51 PM
Re: Suggested errata/addendums
"Flash is definitely a pain point ..."

Easy to remove, but the main questions for many companies are around their legacy applications. Most likely some of those critical apps would not be functional without it. I know some companies are still stuck with IE6.
Dr.T,
User Rank: Ninja
4/26/2016 | 2:28:01 PM
Re: Suggested errata/addendums
"... The real solution for Flash is to JUST GET RID OF IT. ..."

Are we still using it? I thought we already dropped Flash and Java; I do not have them on my laptop and I do not miss them. Modern apps are not using them, so we will not need them soon.
Dr.T,
User Rank: Ninja
4/26/2016 | 2:25:44 PM
Better platforms
We may need better platforms to avoid this much patching in our data centers. In the good old mainframe days you were lucky if you could get a patch every two years. :--))