Fail to patch and wait for the pain

security training ts
Credit: Thinkstock

Let’s be honest with ourselves. Who amongst us actually, no really, actually enjoys patching systems? There are outliers to be certain but, by and large there are not many among us who enjoy it. That in and of itself is a problem as this is a fundamental problem. We are collectively missing out on doing foundational elements correctly.

Whether it is patch management, asset management or even something as simple as logging we are often too quick to take the easy way out. As part of something I’ve been working on I have been reviewing the publicly available disclosure notices. What really is striking is the number of times a system was compromised due a missing patch or misconfiguration.

I get it, patching is not as simple as “just patch it”. I’ve lived that life many times over. One stark example I recall was trying to roll out antivirus software upgrade to an enterprise only to stymied by a software hook into Outlook user profiles. The vendor response in that particular case was, “oops”. Have you ever flipped a desk so hard that it became a centrifuge? I came close that day.

I had a discussion with my family last weekend wherein my Mother told me about a laptop at an organization that she does volunteer work for. It had not been patched in years. I was puzzled by this and made the foolish error of asking why. “It won’t work with the projector if it is patched according to the IT guy.”

My head exploded. Bits of my skull were still flying across the alkali salt flats at mach one by the time I regained my composure. “He said that you cannot patch the system because it will no longer work with the projector?” She nodded in the affirmative. “I believe him as he is [age redacted] and he has been doing this job for years.” I was mortally wounded. I’m almost the same age and I’ve been working in this field for longer. The joy of being the child is that you never truly grow up in your parent's eyes.

This sort of fractured logic is something that I have encountered in many jobs over the years. My favorite hobgoblin is the mission critical system that is essential to business function. Invariably this was a system that was created by a summer intern. No doubt at the time that he or she wrote the code it was good stuff but, that was ten years ago in some cases. To say nothing of the fact that it is running on an ancient desktop system with fans so full of dust that you could knit a sweater.

Your systems need to be resilient. You need to be able to sleep at night knowing that, $deity forbid, if they crash that there is a smooth path to recovery. If your systems are not patched to current you are leaving yourself open to all manner of pain from everything from data breaches to systems failing outright.

We can do a better job at this and reduce the risk to our environments by making sure there is a proper patch management process in place. If your systems are patched to current or n-1 where possible there is a better chance, although not guaranteed, that you can avoid downtime.

Patching is not as simple as it should be but, it is not impossible either.

Cybersecurity market research: Top 15 statistics for 2017