Cyber Security Hygiene - Patch & Vulnerability Management

In the previous post I talked about endpoint management and security. A critical part of keeping those devices secure is keeping their software up to date, which is easier said than done.

Every day new vulnerabilities are published, and no software vendor is exempt, regardless of industry, size or revenue. Most published vulnerabilities get a CVE identifier and a severity rating (usually CVSS-based, ranging from Low to Critical). A true zero day is one that is being exploited before the vendor has a fix available; more commonly, a vulnerability is published together with the vendor's patch, and a public exploit may or may not follow. The common sense action is to patch sooner rather than later, but in practice you need to make trade-offs because of the resources this activity demands.

I won't go into a fully fledged vulnerability management program here, as that is its own function within a Cyber/IT team. I will take a pragmatic, real-life approach that applies if you are a start-up or SMB with limited resources. In this environment, vulnerability management is blended into patch management, and at the very minimum there needs to be a defined cycle for applying operating system updates to your endpoints. Taking Microsoft as the most common vendor in the operating system space, they issue Windows updates monthly (on the second Tuesday of the month, known as Patch Tuesday), and that is the patching cycle we would work to. The safe way to apply them is to have a pilot group of users/endpoints that receive the updates first, so that an incompatible update doesn't bring down your entire company; once the update has run without problems on the pilot group for a few days, it can be rolled out to the whole fleet.

On top of operating system updates, there are application updates, either released by vendors on a regular cycle or out of band to fix a critical or actively exploited vulnerability. For the regular patches, some applications update themselves automatically, with the risk that an update breaks something, while others need to be repackaged in your software center and pushed to users. I would suggest at a minimum a quarterly patch cycle for your business-critical applications. If you have the resources, I highly encourage you to stay on top of zero day, Critical or even High vulnerabilities and patch them as soon as possible. If you cannot patch straight away, make sure you have cyber defenses at multiple levels, so that if an incident happens, other safeguards are in place to alert you and contain the damage.

Some endpoint management and EDR solutions scan all the software on your endpoints and build an automatic software catalogue of everything installed across the fleet, with details such as vendor and version. They then cross-reference the CVE database or other vulnerability feeds to show, for each application and endpoint, the number of vulnerabilities and their severity. If you have, say, 500 devices, each running 20-30 applications, you will most likely find hundreds of 'at risk' entries. It's not doomsday, but it is a good starting point: sort them by severity and number of affected devices, pick the low hanging fruit first (high install count and Critical severity), establish the company's risk tolerance if that issue is exploited and whether other controls already prevent it from being exploited, and then go patching. Keep in mind that these tools match on version strings, so they can miss software installed outside your package manager, and a version number alone does not tell you whether the vulnerable feature is actually reachable on that device. Being informed and having a 360 degree view of all your issues lets you apply effort where it yields the most return, rather than spraying and praying.
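To make the prioritisation concrete, here is an added example (not code from the original post or from any particular EDR product) that cross-references a small software inventory against a vulnerability feed and ranks the findings by severity and number of affected devices, with a bump for a public exploit and a discount where a compensating control exists. The hostnames, application names, version numbers, identifiers and scoring weights are all constructed for illustration; the identifiers are deliberately not real CVEs.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity labels as they appear in a CVSS-style feed, mapped to a weight.
# The weights are an assumption for this example; tune them to your risk tolerance.
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # constructed identifier, not a real CVE
    app: str
    fixed_in: str       # first version that carries the vendor fix
    severity: str       # one of SEVERITY_WEIGHT
    exploit_public: bool


def parse_version(version: str) -> tuple:
    """Turn '118.0.2' into (118, 0, 2). Non-numeric components become 0;
    real vendors use many version schemes, so adapt this per product."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """An install is affected when it is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed inventory, as an endpoint agent would report it:
# (hostname, application, installed version).
INVENTORY = [
    ("ws-01", "ExampleBrowser", "118.0.2"),
    ("ws-01", "ExamplePDF", "9.1.0"),
    ("ws-01", "ExampleChat", "3.4.0"),
    ("ws-02", "ExampleBrowser", "119.0.0"),
    ("ws-02", "ExamplePDF", "9.1.0"),
    ("ws-03", "ExampleBrowser", "118.0.2"),
    ("ws-03", "ExamplePDF", "9.3.1"),
    ("ws-03", "ExampleChat", "3.4.0"),
    ("ws-04", "ExampleBrowser", "117.5.0"),
    ("ws-04", "ExamplePDF", "9.1.0"),
    ("srv-01", "ExampleDB", "14.2.0"),
    ("srv-02", "ExampleDB", "14.5.1"),
]

# Constructed vulnerability feed (identifiers are placeholders, not CVEs).
VULNS = [
    Vulnerability("EXAMPLE-0001", "ExampleBrowser", "119.0.0", "Critical", True),
    Vulnerability("EXAMPLE-0002", "ExamplePDF", "9.2.0", "High", False),
    Vulnerability("EXAMPLE-0003", "ExampleChat", "3.5.0", "Low", False),
    Vulnerability("EXAMPLE-0004", "ExampleDB", "14.3.0", "Critical", False),
    Vulnerability("EXAMPLE-0005", "ExampleBrowser", "118.0.0", "Medium", False),
]

# Constructed compensating controls: applications where another safeguard
# already limits exploitation, keyed by application name.
COMPENSATING_CONTROLS = {"ExampleDB": "reachable only from the app-server VLAN"}


def build_backlog(inventory, vulns, compensating_controls=None):
    """Cross-reference the inventory against the feed and rank the findings.

    score = severity weight x number of affected devices,
            doubled when a public exploit exists,
            halved when a compensating control applies.
    """
    compensating_controls = compensating_controls or {}
    by_id = {v.vuln_id: v for v in vulns}
    hosts_by_vuln = defaultdict(set)
    for host, app, version in inventory:
        for v in vulns:
            if v.app == app and is_affected(version, v.fixed_in):
                hosts_by_vuln[v.vuln_id].add(host)

    backlog = []
    for vuln_id, hosts in hosts_by_vuln.items():
        v = by_id[vuln_id]
        score = SEVERITY_WEIGHT[v.severity] * len(hosts)
        if v.exploit_public:
            score *= 2
        mitigated_by = compensating_controls.get(v.app)
        if mitigated_by is not None:
            score //= 2
        backlog.append({
            "vuln_id": vuln_id,
            "app": v.app,
            "severity": v.severity,
            "devices": len(hosts),
            "hosts": sorted(hosts),
            "exploit_public": v.exploit_public,
            "mitigated_by": mitigated_by,
            "score": score,
        })
    # Highest score first; among equal scores, unmitigated findings come first.
    backlog.sort(key=lambda r: (-r["score"], r["mitigated_by"] is not None, r["vuln_id"]))
    return backlog


if __name__ == "__main__":
    for row in build_backlog(INVENTORY, VULNS, COMPENSATING_CONTROLS):
        note = f' (mitigated: {row["mitigated_by"]})' if row["mitigated_by"] else ""
        print(f'{row["score"]:>3}  {row["vuln_id"]}  {row["severity"]:<8} '
              f'{row["app"]:<15} devices={row["devices"]}{note}')
```

With this data the Critical browser issue with a public exploit on three devices lands at the top, the High PDF reader issue on three devices comes second, and the Critical database issue drops to the bottom because it touches one server that already sits behind a compensating control. The point is not the exact weights but that the ranking combines severity, reach and existing controls instead of treating every 'at risk' entry as equal.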

You can subscribe if you'd like to stay up to date and receive emails when new content is published. If you'd like to work together on your IT posture, here is how I can help: askalex.how.