Patching

What is patching and why is it important?

Patching is the act of updating your devices, software or firmware (the software that makes a device function) to the latest released version, which generally removes or "remediates" issues that have been identified in the original code.

New vulnerabilities are identified in software (firmware, operating systems and applications) constantly, on anything from a monthly down to a per-second basis. These vulnerabilities may be minor in risk (causing crashes or outages on your systems) or quite major, allowing bad actors into your systems and releasing your precious data into the public domain.

Each identified vulnerability receives a CVE (Common Vulnerabilities and Exposures) identifier, recorded in the public CVE list, which allows everyone to identify the risks associated with that vulnerability.

After a CVE is allocated, a CVSS (Common Vulnerability Scoring System) score is attached to the vulnerability, rating its risk out of 10. The closer the score is to 10, the bigger the risk that vulnerability poses to any company or system.

What systems are at risk?

Any and all systems are at risk of vulnerabilities. Computer code is written by humans, and their small errors or omissions can cause vulnerabilities. Likewise, what is "best practice" today may tomorrow be found to be flawed, so developers who have secure code today may have exploitable code tomorrow.

Contrary to popular belief, the Apple Mac is as vulnerable as any other operating system or device and therefore requires patching just as any other system does.

Why Patch?

Patching deploys an update to remove, remediate or eliminate a CVE, and may in some cases also include upgrades to the underlying device software. Removing any CVE is a good thing: a low-scoring CVE today may become a high-scoring CVE tomorrow as bad actors write exploits (code that makes use of that vulnerability) and those exploits become widely used.

What should I patch?

Everything: Operating Systems, Applications and Firmware on all devices, that is Laptops, Desktops, Tablets, Phones, Switches, Routers, Firewalls, NAS Boxes, Hard Disks, Phone Systems, Whiteboards, TVs, Smart Room Systems, Door Security Systems - basically EVERYTHING!

How often should I patch?

Cyber Essentials (and therefore the advice of the NCSC, the National Cyber Security Centre, part of GCHQ) requires that all Critical and High CVSS-scoring CVEs are remediated (patched) within 14 days of the patch release. For Cyber Essentials this is not advice but a requirement!

This is of course a good idea; however, the sooner you patch something, the sooner you are protected from the risks of that particular CVE.

Why is more frequent patching a good idea?

In reality, if you patch more often you change less code on your system each time, and there is more chance that the vendor has tested the patch against your system's state (vendors assume you have all other recent patches installed). It is therefore better to patch more often than less often.

As a minimum, every 14 days is recommended but we suggest a weekly patch cycle.

Machine ON TIME required for good patching

It has been found that devices need to remain on and connected to the Internet for at least 8 hours to patch effectively. If you want to make sure your devices are correctly patched and up to date, you need to make sure, at least once per week (easier to remember than every two weeks), that they remain on for a "maintenance" period during which patching can complete.

What about Reboots?

Reboots are often required to apply patches correctly. We therefore recommend a "maintenance window" for your IT team or Managed Services Provider to use for patching and reboots, ensuring your patches are applied and you are up to date.

What about the failures from patching?

It's certainly true that patches are released that cause issues. It's not as common as it would appear, but of course no manufacturer can test their software with every possible peripheral (printer, scanner etc.) or every potential device (different hardware manufacturers), so issues can indeed occur.

Personally, if you keep an eye on the patch release information and known issues, patch a number of days after release, patch frequently and don't leave multiple updates outstanding, you reduce your risk considerably. And of course, the odd issue is far better than advising thousands of clients that you were exposed and lost all their data.

Reputation is everything - internally, you are impacted, externally your company may not survive.

What about Virtual Patching for End of Life Systems?

This is not an acceptable solution to running end-of-life systems; the NCSC does not support it and it is not allowed within Cyber Essentials.

Can I just Automate?

You can absolutely enable AUTOMATION; however, you must have some controls in place to deliver assurance: how do you know you are patching, and how do you know patching is working?

For example:

  • RMM tool alerting your MSP who then remediates any failures
  • Users checking weekly and applying any updates / rebooting as required

Automatic patching doesn't deliver assurance; it merely helps deliver patching, until something stops it. How do you catch that something stopping it?
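The two checks this page asks for, the 14-day Cyber Essentials window for Critical and High CVEs and the "how do I know automation is still running" assurance question, can both be expressed as a small report run over whatever your RMM tool or inventory exports. The following is an added example written for this page, not code from the page's author or from any RMM product. The severity bands follow the published CVSS v3.x qualitative scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0); the hostnames, dates and CVE identifiers are constructed sample data (the CVE identifiers are obvious placeholders, not real CVEs).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Cyber Essentials window quoted on the page: Critical/High fixes applied within 14 days.
REMEDIATION_WINDOW_DAYS = 14
# Weekly patch cycle suggested on the page; a host with no successful run inside
# this many days is treated as "automation has silently stopped".
MAX_DAYS_BETWEEN_PATCH_RUNS = 7


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class PendingPatch:
    host: str
    cve: str          # placeholder identifier in the sample data below
    cvss: float
    released: date    # vendor release date of the fix, which starts the 14-day clock


def overdue_patches(pending: List[PendingPatch], today: date) -> List[Tuple[str, str, str, int]]:
    """Critical/High patches whose fix has been available longer than the 14-day window.

    Returns (host, cve, severity, days_outstanding) in the order given.
    """
    result = []
    for p in pending:
        severity = cvss_severity(p.cvss)
        age = (today - p.released).days
        if severity in ("Critical", "High") and age > REMEDIATION_WINDOW_DAYS:
            result.append((p.host, p.cve, severity, age))
    return result


def stalled_hosts(last_success: Dict[str, Optional[date]], today: date) -> List[str]:
    """Hosts whose last successful patch run is older than the weekly cycle, or has never happened.

    This is the assurance control the page asks for: automation that stops without
    failing loudly shows up here as a host that simply has no recent success.
    """
    stalled = []
    for host, last in last_success.items():
        if last is None or (today - last).days > MAX_DAYS_BETWEEN_PATCH_RUNS:
            stalled.append(host)
    return sorted(stalled)


# --- constructed sample data (not from any real estate) -----------------------
SAMPLE_TODAY = date(2024, 3, 31)

SAMPLE_PENDING = [
    PendingPatch("LAPTOP-01", "CVE-EXAMPLE-0001", 9.8, date(2024, 3, 10)),  # Critical, 21 days
    PendingPatch("LAPTOP-01", "CVE-EXAMPLE-0002", 5.3, date(2024, 3, 1)),   # Medium, not in scope
    PendingPatch("SWITCH-01", "CVE-EXAMPLE-0003", 7.5, date(2024, 3, 20)),  # High, 11 days, still in window
    PendingPatch("NAS-01", "CVE-EXAMPLE-0004", 8.1, date(2024, 3, 12)),     # High, 19 days
]

# Last successful patch run per host as an RMM tool might report it; None = never.
SAMPLE_LAST_SUCCESS = {
    "LAPTOP-01": date(2024, 3, 29),
    "SWITCH-01": date(2024, 3, 15),
    "NAS-01": None,
}


def sample_overdue() -> List[Tuple[str, str, str, int]]:
    return overdue_patches(SAMPLE_PENDING, SAMPLE_TODAY)


def sample_stalled() -> List[str]:
    return stalled_hosts(SAMPLE_LAST_SUCCESS, SAMPLE_TODAY)


if __name__ == "__main__":
    for host, cve, severity, age in sample_overdue():
        print(f"OVERDUE  {host:10} {cve} {severity:8} {age} days outstanding")
    for host in sample_stalled():
        print(f"STALLED  {host:10} no successful patch run in the last {MAX_DAYS_BETWEEN_PATCH_RUNS} days")
```

The two lists deliberately answer different questions: the first is the compliance view (is anything Critical or High older than 14 days?), the second is the assurance view the page ends on (is the machinery still turning at all?). A host can be clean on the first and still appear on the second, which is exactly the case where automation has quietly stopped and nothing has yet fallen out of the window.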