Patching software flaws is often a time-consuming and tedious job, but organisations need to have a clear strategy in place which minimises the potential risks involved with deciding when, or even if, to update vital enterprise systems.
Cyber attackers will regularly look to take advantage of systems that haven’t received the latest security updates by deploying malware with exploits that target those particular flaws. That might be as part of an intentional attack on a particular company, or the organisation could be caught in the cross-fire of a more general attack that takes advantage of a particular exploit.
For example, WannaCry exploited EternalBlue, a vulnerability that organisations across the globe had yet to patch when the campaign hit in May 2017. If all the organisations affected by the attack had patched their systems when the fix was issued – rather than ignoring the warnings to do so – it’s likely that WannaCry would have had a much smaller impact.
Working out which systems need to be updated and when is a challenge for tech chiefs.
“There are some things you clearly need to be patching straight away. There may be others where you need to take a really robust analysis and you need to make a decision on this,” said Jonathan Kidd, CISO at Hargreaves Lansdown.
There’s also the issue of some of these patches potentially causing inadvertent issues or disruption when applied – something which may dissuade organisations from applying them, especially to critical business systems.
“Your patching cycle will be driven by the risks on your estate; in some cases, the risk of disruption from installing it can be greater,” Kidd said, speaking during a panel session at Infosecurity Europe 2019 in London.
But for some systems, even the idea of applying a patch can be a challenge – it’s not unknown for some organisations to be running applications and operations they fear taking offline, because they are concerned they may not come back online if updated.
“There are some cyber legacies which can’t be patched, where systems are so old they’ve been on for 20 years with a note – ‘please don’t touch, because we don’t know what will happen’,” said Ewa Pilat, Global CISO for Jaguar Land Rover, although she made it clear this wasn’t an issue for the vehicle manufacturer.
“For these, you can have some additional security controls, but not all systems are patchable, so the risk needs a proper analysis and assessment to decide what, when and how,” she added.
Taking the time to make that assessment goes a long way towards identifying the ‘crown jewels’ and deciding which action needs to be taken immediately, which can be delayed, and which, in some cases, need not be taken at all – if the system is entirely isolated, for example.
“This is why it’s important to have that risk assessment. If you’ve got a new estate, you should be patching straight away. But if you have legacy systems, you might take a more cautious approach,” said Kidd.
However, the IT and security teams must be careful not to rush into these judgements alone: the business must be consulted in order to ensure the best results.
“We have to have engaging conversations with our business partners who understand what’s the most critical business system – because we can’t define business-critical, only the business can define business-critical,” said Bobby Ford, VP & global CISO at Unilever.
“Once we understand that, we have to prioritize – if we want to be successful as professional security risk managers, we have to be able to prioritize; we cannot secure all systems, so we have to work with the business to identify critical systems and then secure those,” said Ford.
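The risk-based triage that Kidd, Pilat and Ford describe, written out as a small decision procedure: new estate is patched straight away, legacy systems weigh disruption against exposure, unpatchable systems get additional controls, and business-critical systems (as defined by the business) come first. This is an added example with a constructed inventory, not code from any of the organisations quoted; the field names, 0..10 risk scales and thresholds are assumptions.

```python
# Patch triage encoding the decision rules quoted on this page (constructed example).
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    PATCH_NOW = "patch straight away"
    PATCH_TESTED = "patch in a scheduled window after testing"
    CONTROLS = "do not patch now: additional controls and isolation instead"
    DEFER = "isolated and not business-critical: revisit at next review"

@dataclass
class System:
    name: str
    business_critical: bool    # decided by the business owner, not by IT
    patchable: bool            # False for the 'please don't touch' legacy box
    legacy: bool               # old estate: cautious; new estate: patch now
    isolated: bool             # no network path an attacker could use
    exploit_in_the_wild: bool  # fix is issued and a working exploit circulates
    disruption_risk: int       # 0..10: chance the patch breaks the service
    exposure_risk: int         # 0..10: chance of compromise if left unpatched

def triage(s: System) -> Action:
    if not s.patchable:
        return Action.CONTROLS
    if s.isolated and not s.business_critical:
        return Action.DEFER
    if not s.legacy:
        return Action.PATCH_NOW
    # Legacy estate: weigh disruption from patching against leaving it exposed.
    if s.exploit_in_the_wild and s.exposure_risk >= s.disruption_risk:
        return Action.PATCH_NOW
    if s.disruption_risk > s.exposure_risk:
        return Action.CONTROLS
    return Action.PATCH_TESTED

URGENCY = {Action.PATCH_NOW: 0, Action.PATCH_TESTED: 1, Action.CONTROLS: 2, Action.DEFER: 3}

def prioritise(systems):
    # Most urgent first; ties broken by business criticality, live exploit, exposure.
    return sorted(systems, key=lambda s: (URGENCY[triage(s)], not s.business_critical,
                                          not s.exploit_in_the_wild, -s.exposure_risk))

INVENTORY = [  # constructed estate: name, critical, patchable, legacy, isolated, exploit, disruption, exposure
    System("web-frontend", True, True, False, False, True, 3, 9),
    System("plant-controller", True, False, True, False, True, 10, 8),
    System("lab-archive", False, True, True, True, False, 5, 2),
    System("payroll-legacy", True, True, True, False, True, 6, 7),
    System("reporting-legacy", False, True, True, False, False, 8, 3),
    System("file-share-legacy", True, True, True, False, False, 2, 5),
]
```

Running `[(s.name, triage(s).value) for s in prioritise(INVENTORY)]` yields the work order, with the unpatchable plant controller listed for compensating controls rather than silently dropped.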