Dark Reading | Endpoint | Commentary
4/22/2016 12:00 PM
Ashley Leonard

The Problem With Patching: 7 Top Complaints

Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment.

A term that’s cropped up recently among IT managers is “patching fatigue,” referring to the overwhelming number of patches organizations need to keep their IT environment up-to-date and secure. 

According to the 2016 IBM Security Report, which covers 18 years of patches, there are over 100,000 known vulnerabilities, which works out to around 5,000 a year per device. Only a few hundred would affect each device in a network at any time, but these security risks pile up quickly. Even with a small environment, that’s a monumental task. It’s no wonder “patch fatigue” has caught the attention of many IT departments.

Tripwire recently conducted a survey of nearly 500 US-based IT professionals about their struggles to keep up with patching. Based on the Tripwire data, here are the seven top complaints about patching – and suggestions for streamlining the process. 

Complaint: Patch Management Is Too Time Consuming. No matter the size of the organization, whether it’s a few hundred or over 1,000 endpoints, patching can take hundreds of hours every month. There’s added concern if a patch requires a system restart, more so for servers, since significant downtime and lost business are the likely result.

What To Do About It: Deploy a patch management tool that automates the patching process during maintenance windows when the business is least affected, usually weekends or after hours. It also helps to focus first on mission-critical patches and to identify the areas that are most vulnerable.

Complaint: It’s More Than Microsoft And Operating Systems. The patching process isn’t limited to Windows or other operating systems. Third-party applications also have patches and not all the patches are created equal. Vendors like WordPress are relatively simple to update, but Java and Flash are often major pain points.

What To Do About It: Ideally, the patch management tool also operates with major third-party vendors. It’s imperative to identify what software is on which devices. If a department or collection of devices share similar software, then grouping the patches together will save time and resources.

Complaint: Java And Flash, The Problem Children. Two of the largest contributors to patch fatigue are Java and Flash because they are typically bundled with other products. Bundling creates version control issues as it’s difficult to know which patches for Java and Flash were deployed to which devices.

What To Do About It: Having an inventory tool is the best way to manage this issue. Properly scanning each device for the software and software version will enable proper patch deployment and remove guesswork.
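The two answers above come down to the same mechanism: know which version of which product sits on which device, then group devices by the update they are missing so one patch job covers all of them. The script below is an added example, not code from the article or from the author's company. It works on a constructed inventory and a constructed "current patched version" table; the hostnames, products and version numbers are invented, and a real run would collect the inventory from each endpoint (for instance from a package manager or the Windows uninstall registry keys) instead of from a literal.

```python
"""Inventory-driven patch grouping (added example, not the article's code).

Assumptions (all constructed for this example): INVENTORY stands in for data
an endpoint scan would return, and LATEST stands in for a vendor feed of
current patched versions.
"""
from collections import defaultdict

# Constructed inventory: hostname -> {product: installed version}
INVENTORY = {
    "fin-ws-01": {"java": "8.0.71", "flash": "20.0.0.306", "wordpress": "4.4.2"},
    "fin-ws-02": {"java": "8.0.77", "flash": "21.0.0.213"},
    "hr-ws-01": {"java": "7.0.80", "flash": "21.0.0.213"},
    "web-srv-01": {"wordpress": "4.4.1", "java": "8.0.77"},
    "db-srv-01": {},
}

# Constructed "current patched version" table, as a vendor feed would supply it
LATEST = {"java": "8.0.77", "flash": "21.0.0.213", "wordpress": "4.4.2"}


def parse_version(version):
    """Turn a dotted version string into a tuple that compares numerically.

    Plain string comparison would rank "8.0.9" above "8.0.77"; a tuple of
    integers compares each component as a number.
    """
    return tuple(int(part) for part in version.split("."))


def needs_patch(installed, latest):
    """True when the installed version is older than the latest patched one."""
    return parse_version(installed) < parse_version(latest)


def missing_patches(inventory, latest):
    """Per host, list (product, installed, latest) for every outdated product.

    Hosts with nothing outdated are omitted, so the result is an action list.
    """
    report = {}
    for host, software in inventory.items():
        outdated = [
            (product, installed, latest[product])
            for product, installed in software.items()
            if product in latest and needs_patch(installed, latest[product])
        ]
        if outdated:
            report[host] = sorted(outdated)
    return report


def group_by_patch(inventory, latest):
    """Invert the per-host view: (product, target version) -> sorted hosts.

    This is the grouping that lets one patch job cover every device that
    needs the same update, instead of visiting devices one at a time.
    """
    groups = defaultdict(list)
    for host, outdated in missing_patches(inventory, latest).items():
        for product, _installed, target in outdated:
            groups[(product, target)].append(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}


def format_plan(inventory, latest):
    """Render the grouped view as text for a patch-window run sheet."""
    lines = []
    for (product, target), hosts in sorted(group_by_patch(inventory, latest).items()):
        lines.append(f"{product} -> {target}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_plan(INVENTORY, LATEST))
```

The version comparison is the part most often done wrong in home-grown inventory scripts: comparing version strings lexically puts "8.0.9" after "8.0.77" and silently reports a device as current when it is not, which is exactly the guesswork the inventory tool is meant to remove.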

Complaint: Structured Scheduling And Critical Fixes. Patch Tuesday is Microsoft’s monthly release cycle – always the second Tuesday of the month – providing updates for its catalogue of products. While some IT managers would rather have critical fixes released as soon as they are ready, the fixed schedule has eased the burden for many. Companies like Apple, however, release on an intermittent basis, so if the environment has various operating systems, the challenge is greater.

What To Do About It: Get on a schedule. The schedule doesn’t have to match Microsoft’s, though many IT departments implement a Patch Saturday. It’s recommended to take one period during the month to patch devices. Rotating through groups of devices for less-critical patches helps spread the workload. Patching needs to take place quarterly at a minimum, otherwise it’s too dangerous for network security.

Complaint: What Version Is This? Windows 10 Branching. Microsoft’s new strategy for Windows 10 services the OS in two different ways. The long-term servicing branch (LTSB) is the familiar Windows update model with security updates and bug fixes; alternatively, customers can use the current branch (CB), which also includes new features. New features help end-users, but testing effort and possible system downtime are the most immediate drawbacks.

What To Do About It: Test before updating to the CB. If the business has legacy applications tied to older OS versions, then updating to the current branch is probably unadvisable. Staying up to date is important, but not at the cost of doing business.

Complaint: Don’t Deploy Every Patch. The Common Vulnerability Scoring System (CVSS) is an industry-standard methodology for rating how severe the vulnerability a patch fixes is in general. But what matters most is how critical that patch is to a device in the business network. Many patches flagged as severe by the vendor can be deferred in a given environment, and conversely, patches not rated highly for most devices could be critical to this one.

What To Do About It: Deliberately selecting which missing updates to deploy, starting with those whose absence carries serious consequences for this environment, lessens the potential impact. A patch management tool that identifies missing patches and presents them with that business context limits the strain.

Complaint: Patching And Vulnerability Management. Patching and vulnerabilities are frequently intermingled terms, but they are not interchangeable. Even after patching, there are still vulnerabilities that may exist in the network and it’s important to identify where these potential pitfalls exist, typically in legacy applications and older OS versions.

What To Do About It: Patching is the first step for securing an IT network, but the job hardly stops there. Gaining a thorough understanding of the IT network through accurate reporting will identify areas of concern. It’s also important to remove discontinued products; this alone mitigates many problems. But until devices begin self-upgrading or self-patching, it will continue to fall to the IT manager to discover the best way to manage each challenge and relieve the many headaches associated with patching fatigue. 
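The last two complaints together describe a selection and reporting problem: rank each missing patch by what it means to this environment rather than by vendor severity alone, and separately report the discontinued products that no patch will ever fix. The script below is an added example, not code from the article or from the author's company. The scoring formula (CVSS base score scaled by a 1 to 5 business criticality and a 1.5 multiplier for internet-facing assets) is an assumption made for the example, and every patch id, host, product, score and end-of-support date is constructed; a real feed would supply the CVSS scores and the asset register would supply criticality.

```python
"""Risk-ranked patch selection and end-of-life reporting (added example).

Not the article's code. The scoring formula and every data value here are
assumptions constructed for the example: a real feed would supply CVSS
scores, and the asset register would supply business criticality.
"""
from datetime import date

# Constructed vulnerability feed: patch id -> (product it fixes, CVSS base score)
PATCHES = {
    "PATCH-A": ("java", 9.8),
    "PATCH-B": ("wordpress", 7.5),
    "PATCH-C": ("flash", 9.0),
    "PATCH-D": ("java", 4.3),
}

# Constructed asset register: host -> (installed products,
# business criticality 1..5 as the business rates it, internet-facing?)
ASSETS = {
    "web-srv-01": ({"wordpress", "java"}, 5, True),
    "fin-ws-01": ({"java", "flash"}, 4, False),
    "lab-ws-07": ({"java", "flash"}, 1, False),
}

# Constructed end-of-support dates; placeholders, not vendor-published dates
END_OF_LIFE = {"flash": date(2020, 12, 31), "legacy-report-tool": date(2015, 6, 30)}
AS_OF = date(2021, 6, 1)  # constructed reporting date

EXPOSURE_MULTIPLIER = 1.5  # assumption: internet-facing assets weigh more


def environment_score(cvss, criticality, internet_facing):
    """Combine vendor severity with what the asset means to this business.

    CVSS says how bad the flaw is in general; criticality (1..5) and exposure
    say how bad it is here. The product is rounded to keep output stable.
    """
    score = cvss * (criticality / 5) * (EXPOSURE_MULTIPLIER if internet_facing else 1.0)
    return round(score, 2)


def prioritize(patches, assets):
    """Rank every (host, patch) pair that applies, highest environment score first."""
    ranked = []
    for host, (products, criticality, internet_facing) in assets.items():
        for patch_id, (product, cvss) in patches.items():
            if product in products:
                ranked.append((environment_score(cvss, criticality, internet_facing), host, patch_id))
    # sort by score descending, then host and patch id for a deterministic order
    return sorted(ranked, key=lambda item: (-item[0], item[1], item[2]))


def plan_cycle(ranked, threshold):
    """Split the ranking into this window's work and items deferred to a later rotation."""
    now = [item for item in ranked if item[0] >= threshold]
    later = [item for item in ranked if item[0] < threshold]
    return now, later


def end_of_life_findings(assets, end_of_life, as_of):
    """List (host, product) where vendor support had already ended on as_of.

    These are the discontinued products that patching cannot fix, because no
    further patches will come; the remedy is removal or replacement.
    """
    findings = []
    for host, (products, _criticality, _facing) in assets.items():
        for product in sorted(products):
            if product in end_of_life and end_of_life[product] <= as_of:
                findings.append((host, product))
    return sorted(findings)


if __name__ == "__main__":
    ranked = prioritize(PATCHES, ASSETS)
    now, later = plan_cycle(ranked, threshold=5.0)
    for score, host, patch_id in now:
        print(f"this window: {host} {patch_id} score={score}")
    for score, host, patch_id in later:
        print(f"deferred:    {host} {patch_id} score={score}")
    for host, product in end_of_life_findings(ASSETS, END_OF_LIFE, AS_OF):
        print(f"remove: {product} on {host} (vendor support ended)")
```

With the constructed data, the CVSS 4.3 Java patch on the internet-facing web server scores 6.45 and lands in this window, while the CVSS 9.0 Flash patch on the low-criticality lab workstation scores 1.8 and is deferred: the vendor rating alone would have ordered them the other way round. The end-of-life report then lists Flash on both workstations as something to remove rather than patch.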


Ashley Leonard is the president and CEO of Verismic Software, a global industry leader providing cloud-based IT management technology and green solutions. He is a technology entrepreneur with 25 years of experience in enterprise software, sales, and operational leadership. ...
 

Comments
Joe Stanganelli, 5/6/2016 | 2:41:14 PM
Re: Suggested errata/addendums
Some major websites/companies (most notably, perhaps, Google) have hopped on board with HTML5 alternatives, but yep, Flash is still out there, around, proliferating in the sunlight waiting to drag us into the shadows.

Joe Stanganelli, 5/4/2016 | 6:33:16 AM
Re: Suggested errata/addendums
@RyanSepe: Excellent point, which I didn't even think of! Who installs Flash on their *servers*? :/

RyanSepe, 4/26/2016 | 3:14:55 PM
Re: OS Vs. Apps
I agree with you, that's why app security is pivotal. Ingrain security at the development level and you will cut out a lot of future security headaches.

RyanSepe, 4/26/2016 | 3:13:47 PM
Re: patching - the never ending story ...
It's necessary. In security there will never be a silver bullet and it's difficult to think of a world where patching doesn't exist. Build a steel vault and someone invents a contraption to melt steel. It will always be ongoing. It's those who get fed up with the process and let it go for long periods of time that are losing the fight.

RyanSepe, 4/26/2016 | 3:11:34 PM
Re: Suggested errata/addendums
That's exactly the problem, legacy applications. I was going to comment on that on your previous post. As you said, maybe not an issue for the personal user, but from an enterprise perspective it's a huge issue.

Dr.T, 4/26/2016 | 2:33:53 PM
Re: patching - the never ending story ...
"... then you need another patch to fix it ..."

Exactly. Never-ending loop, patching the patch. That is what our experience is with Microsoft. Constant releases to close loopholes are actually a waste of effort, time and money.

Dr.T, 4/26/2016 | 2:31:19 PM
OS Vs. Apps
Today, there are more problems with the apps than the OSes. Certain apps are vulnerable and they are used to exploit vulnerabilities in the OSes. Apple might have gotten this right from the beginning; maybe both apps and OSes should be part of a closed system to avoid attacks with the least effort.

Dr.T, 4/26/2016 | 2:30:51 PM
Re: Suggested errata/addendums
"Flash is definitely a pain point ..."

Easy to remove, but the main questions for many companies are around their legacy applications. Most likely some of those critical apps would not be functional without it. I know some companies are still stuck with IE6.

Dr.T, 4/26/2016 | 2:28:01 PM
Re: Suggested errata/addendums
"... The real solution for Flash is to JUST GET RID OF IT. ..."

Are we still using it? I thought we already dropped Flash and Java; I do not have them on my laptop and I do not miss them. Modern apps are not using them, so we will not need them soon.

Dr.T, 4/26/2016 | 2:25:44 PM
Better platforms
We may need better platforms to avoid this much patching in our data centers. In the good old mainframe days you were lucky if you could get a patch every two years. :--))