Good security begins with the endpoint in mind

In my work with new customers, I have yet to find a single one who has even a simple majority of workstations -- or endpoints as they are often known -- patched properly. Since much of the malware in existence takes advantage of known vulnerabilities, endpoint patch management is the front line of network security. This article will review the common excuses for poor patch practices, and offer specific suggestions for improvement.

Let's begin today with a quick quiz: What percentage of the PCs in your business or organization have all of the required patches for the operating system and application software? I'll bet you are tempted to say 100%, since you probably assume that your workstations are set to get updates automatically.

Here is an easier question: Does YOUR workstation have all of the available patches? If you are like most, the answer to either question is no. 

I have performed security assessments for a number of customers, many of whom are quite security conscious, and I have yet to find a single customer who has even a simple majority of workstations -- or endpoints as they are often known -- patched properly. Why, you ask? Here are the common excuses I find.

Ignorance is bliss -- assume the manufacturer/supplier is smart enough to configure a new endpoint properly, so trust their judgment and don't worry about it. 

Our policy is law -- we have a written policy requiring that employees keep their workstations patched and up-to-date, and we trust our people. 

Automation rules -- we verify that all workstations are set for automatic updates, and trust the software to take care of itself. 

Unfortunately, none of the above is a reliable means of ensuring that endpoints remain patched. You cannot rely on the initial software installation to ensure that updates take place automatically. Automation, even Microsoft Windows Update, probably the most proven automatic update mechanism in the industry, breaks down with some frequency. Finally, since updates usually require a reboot, when your employees are given control they will often turn off automation and ignore prompts, so they can focus on their work. It is hard to completely fault them for that. 

If your organization uses Macs instead of Windows PCs, you are not immune to patch issues. The Apple update process, while inherently automatic, often requires some user intervention. As I noted above, employees can be counted on to focus on their work, ignoring or delaying patches. Additionally, Apple users often suffer from what I call "Mac euphoria syndrome," which is the irrational belief that since Macs have traditionally suffered few security issues, they don't have to worry.

Now, I will be the first to admit that this is a challenging problem for all but the smallest companies. If your organization has three PCs, it is easy enough to put a note on your calendar to check their update status every week, at least for the operating system. By the time you reach 10 PCs, this becomes a major task. More than that, and either more personnel or some automation is required to keep up.

Even if you have successfully addressed the operating system patch problem, what about application software? At least with Windows, you can fairly easily run Windows Update and check the patch status. Application software patching is much more complicated, because many vendors are involved, each with their own update mechanism. 

I am confident that many of you reading this, faced with a problem you cannot easily solve, are wondering if patch management is all that important in the first place. Please don't talk yourself out of being worried about this issue. A large percentage of PC infections with malware, including ransomware (which is at the top of everyone's list these days), result directly from the exploit of known vulnerabilities. We basically invite the bad actors to attack us by ignoring the patches provided to address problems. 

A good indication of the severity of our patch problem is the fact that many of the vulnerabilities being successfully exploited today were fixed by patches released months or even years ago. SecurityWeek, in a February 2015 article citing Hewlett-Packard's Cyber Risk Report, said that 44% of vulnerabilities exploited in 2014 involved vulnerabilities between two and four years old. Do I have your attention yet? 

Underscoring the importance of this issue is the fact that all of the major compliance standards, including HIPAA, PCI DSS and SOX, reference patch management. It is clear to the authoring organizations that patching is critical to data security. 

Action plan

Hopefully, you are now convinced of the importance of proper patch management practices. Assuming so, here are some things you can do to simplify the process.

Assign someone. Regardless of methodology, patch management will never be done well unless someone is given responsibility for it. The assigned individual(s) must check new PCs for proper patch management settings as they are deployed, and frequently spot-check the settings and update status.

Have a policy and procedure. Arm the assigned individual(s) with a written policy and procedure, defining how the patch management and monitoring process will be carried out on a daily basis.

Log and verify results. The results of any patch checks should be logged, with the log checked by someone else.

Automate. There are a variety of automation tools that can help ensure that patches are deployed. Microsoft's Windows Server Update Service (WSUS) can be a key part of the solution, along with asset management systems like Dell KACE and ManageEngine.

Outsource. There are a variety of managed services providers that can install a small tool on each PC, allowing them to manage and monitor the deployment of patches. If you go this route, you will be better served with a security specialist, rather than a general IT company that provides this as one of a long list of services. 
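The spot-check and logging steps above can be scripted for a Windows endpoint. The following is an added example, not code from the article or from any vendor mentioned in it: run from an elevated PowerShell prompt, it records the automatic-update setting, the policy-configured WSUS server (if any), the count of applicable updates not yet installed, and the date of the last installed hotfix, then appends one row to a shared CSV so a second person can review the log. The log location in $LogPath is an assumed placeholder.

```powershell
# Added example: spot-check one Windows endpoint's patch settings and update
# status, then append the result to a CSV log for independent review.
param(
    [string]$LogPath = "\\fileserver\patchlogs\patch-spotcheck.csv"  # assumed path
)

# Automatic Updates configuration, via the Windows Update Agent COM API.
# NotificationLevel: 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = scheduled install (fully automatic)
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$levels = @{1 = 'Disabled'; 2 = 'NotifyDownload'; 3 = 'NotifyInstall'; 4 = 'ScheduledInstall'}
$autoUpdate = $levels[[int]$au.NotificationLevel]

# Policy-configured WSUS server, if any (absent when the PC updates straight from Microsoft)
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsus = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer

# Ask the Windows Update Agent which applicable software updates are not installed
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
$missing  = @($result.Updates | ForEach-Object { $_.Title })

# Most recent installed hotfix, as a rough "last patched" indicator
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1

$record = [pscustomobject]@{
    Checked       = (Get-Date).ToString('s')
    Computer      = $env:COMPUTERNAME
    CheckedBy     = $env:USERNAME
    AutoUpdate    = $autoUpdate
    WsusServer    = if ($wsus) { $wsus } else { 'none' }
    MissingCount  = $missing.Count
    MissingTitles = ($missing -join '; ')
    LastHotfixOn  = if ($lastHotfix) { $lastHotfix.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
    # Only fully automatic install with nothing outstanding counts as OK
    Status        = if ($missing.Count -eq 0 -and $autoUpdate -eq 'ScheduledInstall') { 'OK' } else { 'ATTENTION' }
}

$record | Export-Csv -Path $LogPath -Append -NoTypeInformation
$record | Format-List
```

Rows marked ATTENTION are the ones the reviewer of the log should follow up on; the script reports and records, it does not change any settings or install anything.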

Bottom line: Even as many of the issues we face with information security seem insurmountable, patch management is something we can do well. The payoff from a robust patch management program is measurably improved security -- well worth the investment.

For more information, visit our Patch Management Resources page.


Stories by Robert C. Covington
