And Why Executives Should Care…
Threats to network security seem to get announced weekly. Global ransomware attacks like WannaCry cause havoc around the world and billions of dollars in losses. Businesses are actually shuttering due to network attacks that disable, and even delete, critical data and infect supporting IT systems. These threats are said to be the fault of bad actors who want to destroy our businesses or extort money from us. The reality is a little more complex: part of the threat comes from an organization's own third-party software patching practices.
Often a simple lack of software hygiene and proper vulnerability patch management can pose a significant, and preventable, threat to cybersecurity. Nearly every major attack we’ve seen has exploited known vulnerabilities that had patches available to close them. While thousands of companies suffered, the impacts of the attacks were avoided by those who were serious about closing vulnerabilities through software patching.
While many companies are somewhat effective at patching core Operating System (OS) software, they are far less disciplined at keeping third-party software current. Third-party software is software that works with an operating system but is written by professionals not associated with the operating system maker. Software such as the Adobe Suite, Java, and even iTunes and the Firefox browser requires consistent patch hygiene. Mid-sized and large enterprises can have literally tens of thousands of instances and hundreds of software variants in their organizations. Even small companies have a variety of software being leveraged in daily operations. Every single piece of software, if left unpatched, is a potential entry point for an attack on a system.
Keeping software secure from vulnerabilities through patching can be complex and time consuming. It often involves after-hours work and system downtime. It takes planning and post-deployment testing. With that said, we cannot forget that including third-party patches in the software patching process is critical.
Patching is the single most impactful defensive action we can take. In order for patching to be effective as a defense, it has to be as close to 100% complete as possible. It only takes one unpatched system to be a launch point for a cascading attack…don’t be the next victim.
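The two points above, that third-party software across thousands of instances has to be tracked and that patch coverage has to approach 100%, can be made concrete with a small coverage report. The following script is an added example written for this article, not the author's own tooling: it compares a software inventory against a minimum-patched-version baseline and reports overall and per-product coverage plus every unpatched instance. The product names come from the article, but the host names, installed versions and baseline versions are constructed placeholders, not real advisories.

```python
"""Third-party patch-coverage report over a software inventory.

Added example for this article, not the author's tooling. The baseline and the
inventory below are constructed sample data; the version numbers are
placeholders and do not correspond to real advisories.
"""
from collections import defaultdict

# Constructed baseline: the lowest version treated as "patched" for each product.
MIN_PATCHED_VERSION = {
    "Adobe Reader": "23.6.20320",
    "Java Runtime": "8.0.381",
    "Firefox": "117.0.1",
    "iTunes": "12.12.10",
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("ws-001", "Adobe Reader", "23.6.20320"),
    ("ws-001", "Firefox", "116.0.3"),
    ("ws-002", "Java Runtime", "8.0.202"),
    ("ws-002", "Firefox", "117.0.1"),
    ("srv-db1", "Java Runtime", "8.0.381"),
    ("ws-003", "iTunes", "12.12.10"),
    ("ws-003", "Adobe Reader", "22.1.20169"),
]


def parse_version(text):
    """Turn '8.0.381' into (8, 0, 381) so versions compare numerically.

    String comparison would rank '9.0' above '117.0.1'; tuples of ints do not.
    Real-world version strings with letters or build tags need a fuller parser.
    """
    return tuple(int(part) for part in text.split("."))


def is_patched(product, installed):
    """True if the installed version meets the baseline; unknown products fail closed."""
    baseline = MIN_PATCHED_VERSION.get(product)
    if baseline is None:
        # No baseline means nobody is tracking this product, so count it as a gap.
        return False
    return parse_version(installed) >= parse_version(baseline)


def coverage_report(inventory=INVENTORY):
    """Return (overall coverage 0.0-1.0, per-product coverage, unpatched instances)."""
    per_product = defaultdict(lambda: [0, 0])  # product -> [patched, total]
    unpatched = []
    for host, product, version in inventory:
        per_product[product][1] += 1
        if is_patched(product, version):
            per_product[product][0] += 1
        else:
            unpatched.append((host, product, version, MIN_PATCHED_VERSION.get(product)))
    total = len(inventory)
    overall = (total - len(unpatched)) / total if total else 0.0
    by_product = {p: counts[0] / counts[1] for p, counts in per_product.items()}
    return overall, by_product, unpatched


if __name__ == "__main__":
    overall, by_product, unpatched = coverage_report()
    print(f"Overall third-party patch coverage: {overall:.0%}")
    for product, share in sorted(by_product.items()):
        print(f"  {product:<13} {share:.0%}")
    print("Unpatched instances (host, product, installed, required):")
    for row in unpatched:
        print("  ", row)
```

Two design choices matter for the "as close to 100% as possible" goal: an instance whose product has no baseline counts as unpatched rather than being silently skipped, and versions are compared numerically so an old major version is never mistaken for a newer one. On the constructed data the report shows four of seven instances current, which is exactly the kind of gap the article warns about.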