Jul 07, 2021
Malware exists to exploit vulnerabilities that are discovered in software. Patches exist to fix those vulnerabilities. Therefore, why do many vulnerabilities remain unpatched? Why is patch management so complicated? Is software patching an art or science?
Unfortunately, security and IT experts don’t live in a patch-everything-immediately fantasy land. Compromises are dictated by the conflicting priorities and interests within large organizations.
People will always be who they are. Humans have cognitive biases that shape how they behave. The most dangerous of these biases is hyperbolic discounting: people prefer a smaller reward now over a larger reward that arrives later.
When offered a choice between avoiding patch-related headaches now and avoiding cyber attack-related headaches later, most people are drawn to the former. Not all patches are created equal. Some are urgent while others are not. Some can break third-party applications, others cannot. Some require rebooting, others do not.
Complex systems and organizations, compounded by the irrationality of the human mind and the variation among patches themselves, mean that patch management is not a science - it’s an art.
Patch management is an umbrella term for the process of knowing, acquiring, testing, installing and following up on patches. Patch management is important because of the variations in the patches themselves, the total number and complexity of systems to be patched and the complexity of orchestrating downtime in large organizations that are full of different priorities.
Organizations often hold the false belief that the security issue comes first and the patch simply follows. In fact, it’s the reporting and patching of a vulnerability that often gives cybercriminals the information they need to create an exploit. In other words, the availability of a patch makes security better for those who deploy the patch and worse for those who do not.
Patch management is a strategy for defending against cyber attacks. Why aren’t organizations patching everything? And why aren’t they automating their security tasks? The reason can be summarized as patch fatigue. There are so many patches to process. Microsoft has released thousands of patches for security updates.
Also, there’s the technical debt issue. IT security experts have to ensure that applying a patch to one system won’t break another. Patch testing impacts the schedules, time and objectives of business users and application owners.
Patch management is an art because it requires ranking, soft people skills, quality vulnerability assessment, awareness of the latest threats, creative thinking and intuition born of experience. Here are some of the major elements of the art of patch management:
Prioritize the functions and systems that are essential to your organization’s business and those that would cause the greatest harm if an attack occurs. An advanced vulnerability assessment service or tool can help you discover where the most threatening vulnerabilities are hiding.
Find the best patch management solution that will help you keep a database of the software, hardware and middleware updates that are available. These will either update automatically or alert users that they need to be manually implemented.
More importantly, a solution should alert admins about all unpatched software in the organization. Reduce the number of tools you are using and invest in a smaller number of solutions that each does more patch management tasks across a wide range of platforms.
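To make the prioritization and "alert on unpatched software" elements above concrete, here is an added example (not from the original post or from Vicarius) that reconciles a constructed software inventory against available patches and ranks the missing ones by asset criticality and severity; the asset names, version numbers and scoring weights are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    product: str
    fixed_version: str   # first version that contains the fix
    severity: float      # CVSS-style base score, 0.0 - 10.0
    exploited: bool      # exploitation observed in the wild
    reboot: bool         # needs a reboot, i.e. a downtime window

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int     # 1 (low) .. 5 (business-essential)
    installed: dict      # product -> installed version

def version_tuple(version):
    """'14.2' -> (14, 2) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def missing_patches(asset, patches):
    """Patches whose product is installed on the asset at a version older than the fix."""
    return [p for p in patches
            if p.product in asset.installed
            and version_tuple(asset.installed[p.product]) < version_tuple(p.fixed_version)]

def risk_score(asset, patch):
    """Assumed weighting: severity scaled by asset criticality, doubled if exploited."""
    # A reboot does not lower the risk; it is a scheduling constraint reported separately.
    score = asset.criticality * patch.severity
    if patch.exploited:
        score *= 2
    return round(score, 1)

def patch_worklist(assets, patches):
    """Ranked rows of (score, asset, product, fixed_version, needs_reboot), highest risk first."""
    rows = [(risk_score(a, p), a.name, p.product, p.fixed_version, p.reboot)
            for a in assets for p in missing_patches(a, patches)]
    return sorted(rows, reverse=True)

# Constructed sample inventory; names, versions and scores are illustrative only.
ASSETS = [
    Asset("erp-db-01", 5, {"dbserver": "14.2", "agent": "3.0"}),
    Asset("kiosk-07", 1, {"browser": "90.0", "agent": "3.1"}),
]
PATCHES = [
    Patch("dbserver", "14.3", 9.8, exploited=True, reboot=True),
    Patch("agent", "3.1", 5.3, exploited=False, reboot=False),
    Patch("browser", "91.0", 8.8, exploited=True, reboot=False),
]
```

Calling `patch_worklist(ASSETS, PATCHES)` puts the exploited, business-essential database server first and flags that it needs a downtime window, while the kiosk's browser update is real but ranks last.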
In conclusion, patch management is an art. And IT experts, IT organizations and other IT stakeholders are the artists. Start implementing the major steps above to turn your patch management system into a masterpiece.
If you need a software patching and patch management tool that can create strong countermeasures against cybercriminals or cyber-attacks, then choose Vicarius. Vicarius is vulnerability management software aimed at cybersecurity officers and operators, as well as IT managers and operators in the U.S. market.