DriveLock Blog | IT Security and Cyber Security

11 reasons why patch management is not sufficient

Written by DriveLock | Jan 25, 2019 7:58:00 AM

In today's rapidly evolving digital landscape, prioritizing the safety and stability of your systems is crucial. Given the increasing sophistication of cyber threats, patch management is a potent defense strategy to safeguard your organization against potential vulnerabilities and security breaches. In 2017, the WannaCry ransomware spread to 100 countries over a weekend. Don't expect patching to stop the business model of digital blackmail. Be prepared!


TABLE OF CONTENTS
  A. WHAT IS PATCH MANAGEMENT?
  B. WHAT IS PATCH MANAGEMENT IN CYBER SECURITY?
  C. WHY PATCH MANAGEMENT IS NOT SUFFICIENT
  D. DEFENSE-IN-DEPTH STRATEGY IN PATCH MANAGEMENT

There is no lack of knowledge among security departments when it comes to securing infrastructures. New technologies bring great advantages but also risks. Some experienced attackers may use zero-day attacks that exploit previously unknown vulnerabilities for which the software vendor has not yet released a patch. We will delve into the fundamentals of patch management, its significance in bolstering cybersecurity, and effective practices to streamline the patching process. Let's explore how a proactive approach to patch management can safeguard your business from emerging threats and optimize your IT operations.

A. What is patch management?

Without proper knowledge of, and control over, the software used in a company, defenders cannot properly protect their assets. When a new vulnerability is announced, a race begins: the time available between the announcement of a vulnerability, the availability of a vendor patch, and the actual installation on each computer is short.

Patch management is an important part of a holistic, multi-layered security approach. However, the more patches are released, the greater the effort, and the available resources cannot keep pace.

It is the process of identifying, testing, developing and installing software updates on devices. It closes security gaps in the operating system and thus possible entry points. However, this can only prevent attacks that exploit the vulnerability that has just been closed; it does not prevent the execution of malware or ransomware.

Almost 90% of all security breaches are due to known vulnerabilities. Therefore patching often does not lead to the desired goal. Microsoft alone, for example, publishes over 300 patches per year, only a fraction of which are needed at all. Together with third-party vendors such as Adobe, Oracle and others, the number of patches can grow to a volume that is no longer manageable.

B. What is patch management in cyber security?

Attackers are aware of this problem and can attack unprotected systems at any time, e.g. by phishing. Attacks can take advantage of new hardware that is installed on the network but not configured and patched with appropriate security updates. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal pivot points or victims.

Unlike IT systems, which IT teams replace or upgrade every three to five years, Industrial Control Systems (ICSs) often have an even longer service life in OT production environments. It is not uncommon for an OT system to remain in production for 10 years or longer. This creates several challenges for security pros: legacy ICS patching is made more difficult by complexity and availability requirements.

In an environment optimized for uptime, patching systems can create operational disruptions, which means it does not always receive the highest priority. For organizations that must respond to a cyberattack, patching and remediating systems is not something that security pros can do in real time, which only further increases the operational disruptions.

Applying patches to ICS components presents a challenge to system administrators, because system updates and patches can interfere with the ICS function. A patch to an ICS component could change the way it works, resulting in component failure or loss of functionality.

Legal regulations may even prevent the implementation of security updates, because the systems would otherwise have to be recertified.

Difference between patch management and vulnerability management

Patch Management:

  • Patch management involves the process of managing and applying software patches or updates released by software vendors to fix known vulnerabilities, address bugs, and enhance the functionality of software applications or operating systems.
  • The primary goal of patch management is to keep systems up to date and secure by promptly applying patches that close identified security gaps.
  • It focuses on identifying, evaluating, deploying, and monitoring patches to ensure they are applied to systems effectively and in a timely manner.

Vulnerability Management:

  • Vulnerability management is the process of identifying, assessing, and treating security vulnerabilities in systems, networks, or applications, regardless of whether patches are available or not.
  • The main objective of vulnerability management is to discover potential weaknesses and mitigate risks by implementing appropriate measures, such as patching, configuration changes, security policies, or other security controls.
  • It encompasses continuous monitoring, assessment, and prioritization of vulnerabilities, as well as the proactive application of security measures to minimize risk.
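
The race described above (advisory published, patch released, patch installed) and the vulnerability-management step of treating hosts for which no patch can be applied can be made concrete in a small triage script. The Python below is an added example, not DriveLock's code and not from the original post; the advisory dates, the host inventory and the 14-day installation SLA are all constructed assumptions.

```python
"""Exposure-window triage across a patch inventory.

Added example (not DriveLock's code and not from the original post). It
models the race between advisory publication, patch availability and
installation, and the vulnerability-management step of treating hosts
that cannot be patched at all. Every host, date, advisory and the 14-day
SLA below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed advisory timeline (placeholder, not a real vulnerability).
ADVISORY_PUBLISHED = date(2024, 3, 1)   # vulnerability becomes public
PATCH_AVAILABLE = date(2024, 3, 8)      # vendor ships a fix
PATCH_SLA_DAYS = 14                     # assumed policy: install within 14 days of release


@dataclass
class Host:
    name: str
    os_supported: bool           # False: vendor no longer publishes updates (EOL OS)
    patchable: bool              # False: certified/ICS system that must not be changed
    patched_on: Optional[date]   # None: fix not installed yet


@dataclass
class Triage:
    host: str
    exposed_days: int   # days between disclosure and fix (or until today, if unfixed)
    status: str
    control: str        # compensating measure when patching is not the answer


def triage(host: Host, today: date) -> Triage:
    """Classify one host and name the measure a defender would take."""
    if host.patched_on is not None:
        exposed = (host.patched_on - ADVISORY_PUBLISHED).days
        late = (host.patched_on - PATCH_AVAILABLE).days > PATCH_SLA_DAYS
        return Triage(host.name, exposed, "patched-late" if late else "patched", "none")

    exposed = (today - ADVISORY_PUBLISHED).days
    if not host.os_supported:
        # No patch will ever arrive: only a compensating control reduces the risk.
        return Triage(host.name, exposed, "no-patch-exists", "application control + network isolation")
    if not host.patchable:
        # A patch exists but may not be applied (recertification, uptime requirements).
        return Triage(host.name, exposed, "patch-blocked", "application control + device control")
    overdue = (today - PATCH_AVAILABLE).days > PATCH_SLA_DAYS
    return Triage(host.name, exposed, "overdue" if overdue else "pending", "schedule patch")


def triage_all(hosts: List[Host], today: date) -> List[Triage]:
    """Longest-exposed hosts first, so the list doubles as a work queue."""
    return sorted((triage(h, today) for h in hosts), key=lambda t: -t.exposed_days)


def needs_compensating_control(results: List[Triage]) -> List[str]:
    """Hosts where patch management alone cannot close the gap."""
    return [r.host for r in results if r.status in ("no-patch-exists", "patch-blocked")]


# Constructed inventory.
SAMPLE_HOSTS = [
    Host("ws-01", True, True, date(2024, 3, 12)),   # patched 4 days after release
    Host("ws-02", True, True, date(2024, 3, 30)),   # patched, but 22 days after release
    Host("ws-03", True, True, None),                # still waiting for the rollout
    Host("srv-legacy", False, True, None),          # EOL operating system
    Host("plc-line3", True, False, None),           # certified ICS controller
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for r in triage_all(SAMPLE_HOSTS, TODAY):
        print(f"{r.host:<11} exposed {r.exposed_days:>3}d  {r.status:<15} -> {r.control}")
```

The point of the two unpatchable branches is the one the comparison above makes: vulnerability management still has to produce an action for those hosts, and that action is a control other than a patch.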

C. Why patch management is not sufficient

  • Old OS versions are no longer provided with updates, which makes patch management ineffective for them.
  • Patching cannot prevent malware or ransomware from being executed.
  • Attacks via USB/removable media cannot be prevented.
  • BadUSB attacks cannot be prevented either.
  • On a fully patched system, an encryption trojan can still be used.
  • Offline systems cannot be patched at all, or only with great administrative effort.
  • Patch management requires a high administrative effort: probe, test, distribute and validate patches.
  • In the production environment, the time window for distributing patches promptly is limited.
  • Most patch installations require reboots and affect the productivity of end users and machines.
  • Regulations prevent the implementation of security updates.
  • Many serious vulnerabilities are not caused by coding errors but by configuration problems.

D. Defense-In-Depth Strategy in patch management

Enforcing secure system configuration and preventing zero-day attacks are even more important because of the above issues. DriveLock offers a defense-in-depth strategy with holistic multilayer protection. The goal is to protect data against attackers from the outside and the inside while preventing vulnerabilities from being exploited.

Application Control securely protects against all known and unknown threats such as zero-day exploits, WannaCry, ransomware or BadUSB in a future-proof manner. With Application Control you decide which applications are allowed. There is no impact on the performance of the system, even in full whitelist mode, and the implementation effort is far less than with comparable solutions.
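
The property the paragraph above relies on, that an image which is not on the approved list does not run regardless of the host's patch level, can be shown with a default-deny allowlist model. The Python below is an added example, not DriveLock Application Control's code and not from the original post; the "binaries" are constructed byte strings, and a plain function call stands in for the execution hook a real product implements at kernel level.

```python
"""Default-deny application allowlist (whitelist mode), modelled in Python.

Added example, not DriveLock Application Control's code and not from the
original post. An executable whose hash is not on the approved list does
not run, whether or not the host has been patched. The images below are
constructed byte strings, and decide() stands in for the kernel-level
interception a real product uses.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Approved images keyed by SHA-256; anything else is denied."""

    def __init__(self) -> None:
        self._approved: Dict[str, str] = {}
        self.audit: List[str] = []   # decision log a SOC would collect

    def approve(self, image: bytes, label: str) -> str:
        """Add an image after it has been tested (the 'test' step of patching)."""
        digest = sha256_hex(image)
        self._approved[digest] = label
        return digest

    def decide(self, image: bytes, origin: str) -> Tuple[bool, str]:
        """Execution hook: returns (allowed, reason) and records the decision."""
        digest = sha256_hex(image)
        label = self._approved.get(digest)
        if label is None:
            allowed, reason = False, f"BLOCK origin={origin} sha256={digest[:16]} (not approved)"
        else:
            allowed, reason = True, f"ALLOW origin={origin} {label}"
        self.audit.append(reason)
        return allowed, reason


# Constructed sample images (placeholder bytes, not real executables).
EDITOR_V1 = b"MZ\x90\x00editor-1.0 approved build"
EDITOR_V2 = b"MZ\x90\x00editor-1.1 vendor patch"      # same product, new hash
CRYPTO_TROJAN = b"MZ\x90\x00encrypt-all-user-files"   # unknown image from removable media


def run_scenario() -> List[bool]:
    """Walk through the sequence the article implies; return the allow decisions."""
    wl = Allowlist()
    wl.approve(EDITOR_V1, "editor 1.0")
    outcomes = [
        wl.decide(EDITOR_V1, "C:\\Program Files\\Editor")[0],   # True: approved build
        wl.decide(CRYPTO_TROJAN, "E:\\removable")[0],           # False: unknown, blocked on a fully patched host too
        wl.decide(EDITOR_V2, "C:\\Program Files\\Editor")[0],   # False: the patch changed the hash
    ]
    wl.approve(EDITOR_V2, "editor 1.1")   # allowlist updated as part of the patch rollout
    outcomes.append(wl.decide(EDITOR_V2, "C:\\Program Files\\Editor")[0])  # True
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The third decision is the operational caveat: a vendor patch produces a new image hash, so a hash-based allowlist has to be maintained as part of the patch test-and-distribute step, which is why application control complements patch management rather than replacing it.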

DriveLock Device Control controls all removable media and devices. Systems with a defined and certified state, which may not simply be changed or patched, can be sealed once and permanently protected with DriveLock Application Control.