As a small/medium business owner, patch management may be a somewhat foreign topic reserved for your IT personnel. The following provides a summary-level background of patching, which is relevant to business owners in maintaining appropriate security disciplines in their companies.
What is a patch?
A patch is a set of changes to a computer program that provides updates, fixes, and improvements. Primarily, the fixes address security vulnerabilities and other bugs; patches are also designed to improve usability or performance. The vulnerabilities that a patch fixes are identified by numbers assigned via the Common Vulnerabilities and Exposures (CVE) system. This system is maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC). The National Cybersecurity FFRDC (NCF) supports the U.S. National Institute of Standards and Technology’s National Cybersecurity Center of Excellence. It is the first and only federally funded research and development center dedicated solely to cybersecurity. The NCF provides practical guidance designed to increase the adoption rate of more secure technologies.
Software vendors vary in terms of how they release patches. Microsoft began its patch program in 2003. In the U.S., Microsoft patches occur on the second Tuesday of each month (Microsoft Patch Tuesday) across its operating systems and other products. For example, with the Microsoft September 2018 Patch Tuesday, the company fixed 62 total known vulnerabilities, including 16 critical vulnerabilities. Apple, in comparison, releases patches irregularly and mostly depending upon the severity of the threats.
Microsoft’s Windows 7 operating system is the most widely used operating system in the world. However, Microsoft has indicated there are various security deficiencies associated with Windows 7, which reinforces the need for monthly patching. Also, Windows 7 support by Microsoft is scheduled to end in January 2020. Consequently, Windows 7 should be upgraded by that date.
Most of the critical issues addressed through patching are memory corruption flaws. If these flaws are exploited, they could enable an unauthenticated remote attacker to gain control of the system if the current user is logged on with administrative user rights. Once a flaw is exploited, the attacker can install programs and view, change, or delete data. New accounts with full user rights could also be created inappropriately.
Zero Day vulnerabilities are those that are discovered and exploited by attackers before the software vendor becomes aware of them and issues a patch. There have been instances where vulnerability information became public or viruses were identified prior to the next scheduled patch. In such critical cases, Microsoft will issue a corresponding patch when it becomes available. Most vulnerabilities, however, are discovered in time to test patches and release them as part of a regular schedule.
Microsoft advises businesses to apply security patches as soon as possible to prevent cybercriminals from taking control of their computers.
Sometimes patches can cause more problems than the issues they fix. If a patch problem is reported, IT personnel can typically defer installing the specific problematic patch while still installing the other patches. Sometimes “rollup” patches install multiple fixes as a single patch, which makes it impossible to test or isolate the individual fixes.
With Microsoft Windows 10, Microsoft issues cumulative updates and occasionally major updates. The cumulative updates include both security and non-security related fixes. Businesses can obtain the security-only updates, if desired, to reduce the risk of incompatibilities. If cumulative patches cause problems, the patches can be rolled back until the issues within the patches are fixed.
David Ruchman is the Chief Technology Officer at powersolution.com, a New Jersey-based IT managed services provider. He explains:
“Given potential issues with newly released patches, our approach is to delay the release of Microsoft Tuesday patches until the last Thursday of each month, with the exception of critical patches that warrant an immediate release. This enables our users to avoid problems associated with patches that may need fixing after release.”
In summary, small/medium business owners do not need to understand the details associated with periodic IT security patch releases. However, they should be aware that patches are critical to maintaining a secure IT environment. Also, they should not rely on individual users downloading patches from software manufacturers. Instead, qualified IT professionals should be managing the patch process to ensure that patches are properly installed and documented. Additionally, problems associated with releasing patches prematurely should be avoided in order to minimize user downtime and further IT issues or complications.