A lot of organizations have patching programs in place today, but that still doesn’t account for the statistics that show us that 99% of successful attacks involve (and will continue to involve) vulnerabilities that have been known to cybersecurity professionals for at least one year.
The PCI DSS v3.2.1 6.2 standard [note: link opens a PDF] states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”
In fact, Microsoft regularly releases security patches for its software products which has informally become known as Patch Tuesday. Oracle releases a quarterly Critical Patch Update. Organizations, therefore, have the opportunity to continuously keep their applications and systems patched.
Yet that effort in itself is wholly unrealistic given constraints around resources and costs involved. While organizations do endeavor to follow best practice guidelines, the reality is they simply cannot keep in step with patches.
There are numerous security scanning frameworks on the market that assess and detail patching requirements for organizations. These tools deal with full stack assessment that primarily focus on both security and functional patches as they relate to the Operating System and Application layer itself.
From the 2018 Verizon Security report we can see that Web Applications significantly account for the majority of cyberattacks. It is imperative that organizations get a handle on their application estate and its vulnerability posture to ensure that it is actively reducing the attack surface of their estate.
The methodology of applying patches varies, though, with some organizations choosing to deploy patches straight into production while others choose to apply patches first into User Acceptance Testing (UAT) environments and then, once verified, move patches into their production environments.
The approach taken is usually determined by the severity and risk that a given vulnerability offers to an organization. However, if time is on your side, it's highly recommended to always deploy patches into non-productions environments first, to ensure that the patch does not negatively impact the systems environment. Things to look for here are functional and performance degradation on your system caused by patches.
How difficult can it be to patch enterprise software on a timely basis? As my colleague James Lee says: Very.
Veracode found that:
86% of high severity flaws go unpatched for 30 days or more in web applications
A stunning 26% [note: link opens in PDF] of respondents to a survey at the 2018 RSA Conference admitted they do not have time to patch applications
16% [note: link opens in PDF] of the same respondents say they do not have the skills
James goes on to remind us that "the CyberEdge Group reinforces the RSA findings: Teams do not patch known software flaws because of 'infrequent windows…for patching' and a 'lack of qualified personnel.'
While there are many reasons why organizations do not patch on a timely basis, there is one clear, new motivation to speed the patch cadence: 25 May 2018. That’s the day the European Union’s General Data Privacy Regulation (GDPR) became enforceable.
Under the GDPR, fines of up to €10 million EUR or 2 percent (2%) of an organization’s annual, global sales revenue – whichever is greater – can be assessed for failing to ensure security. Fines for more severe or repeat infractions may result in fines up to €20 million EUR or four percent (4%) annual global sales.
GDPR fines are designed to change behavior, not just appeal to enlightened self-interest. European regulators have already sent signals that they believe a failure to patch on a timely basis is an infraction under GDPR. For example, when issuing a fine against Carphone Warehouse for a breach, the United Kingdom’s Information Commissioner’s Office (ICO) cited a 'seriously inadequate' patching program."
Since the GDPR has become enforceable:
For a relatively modest breach of 500,000 Californians, the damage awards could total up to an eye-popping $375 million. The California law becomes enforceable in 2020.
The approach that organizations typically take to patching is to apply patches based on risk. We know that 94% of web applications suffer from high-severity vulnerabilities. Risk to an organization is easily measurable and as such it does make it more straightforward for organizations to prioritize what areas of their estate should be addressed first.
Oracle CEO Mark Hurd’s recent comments that their customers run months behind in applying the company’s patches adds another dimension to one of cybersecurity’s dirty little secrets: it takes a long time to apply software patches at the server level.
About Nollaig Heffernan
Nollaig Heffernan joined Waratek in 2010 where he was responsible for implementing and driving the Quality Assurance function for all products within Waratek. Today, he works very closely with the Sales & Marketing teams to ensure new business development is realised and that the Waratek name and product set is always associated with excellence.