Cyber Essentials outlines 5 basic steps to secure an IT environment, installing updates (Yes, Microsoft & third-party) is one of them.
Definition of a patch
I was on a training course earlier this year where we discussed the origin of the word patching and why we use it in a Cyber Security context, you know, one of those discussions to avoid doing the training! Thinking back, it does seem a little strange and perhaps a confusing term, so let’s dive in.
The etymology of the word “patch” from our good friend Wikipedia;
“A piece of cloth, or other suitable material, sewed or otherwise fixed upon a garment to repair or strengthen it, especially upon an old garment to cover a hole.”
We replace a few words, creatively and we get;
“A piece of C++, or other suitable code, substituted or otherwise added to a program to repair or strengthen it, especially upon an old program to cover a vulnerability.”
Okay, just a little fun and not a particularly great definition. You’re not likely to find it in any computer science books soon, but you get what I’m trying to say.
That’s where the term comes from, but what does it mean to us?
A vendor spends time, money and energy in creating an application, packages it all together in a shiny box and puts it in the shop window ready for sale. The product gets traction, and people start to buy. They’ve kindly agreed that every product they sell will be kept secure for as long as you use it, how nice!
As time goes on and interest piques the security community turns its beady eye to the code. Uh-oh, and you’ll see this term everywhere, there’s a vulnerability that COULD lead to remote code execution. Could is my favourite word in that sentence, makes the event sound unlikely but the likelihood depends on someone trying it rather than the possibility of it succeeding, crazy times.
So, this is where it gets critical to understand why patching is essential. When the security community uncovers said weakness, they notify the vendor, agree a time window for the disclosure to the public domain and collect their agreed bounty (yes, it’s paid work).
The time window is crucial here. It gives the vendor a deadline to deliver a working patch for the application before the vulnerability becomes known across the broader IT community. Typically they meet the agreed deadline, and the vendor releases a patch alongside a statement/description of the vulnerability it intends to fix. If you’re an avid bzb social media follower, you’d have seen us post these statements when they’re particularly painful.
Why you must deploy within 14 days
The Cyber Essentials standard states you need to deploy critical patches within 14 days, in the words of the UK Government “we’re following the science” on that one (Loughborough University produced the time window from modelling I believe).
Let’s put ourselves in a situation that occurs every time a vulnerability is disclosed. The patch is released, the vendor has told every man and his dog about the vulnerability. You need to deploy the update to fix it, and the underground world of the darkweb, malicious actors, deep web or whatever marketing term they’re given these days has been notified.
The race is on. Can you deploy the patch quicker than they can create computer code to exploit the vulnerability? They do also need to find your system and run it against your application (the COULD earlier).
The 14-day guideline is based on how long it takes to perform the latter of the above operation. In reality, because patching is so poorly done, we take on IT systems that haven’t had updates for 3 years, mental.
The sophistication of ransomware varies according to the program and quite frankly out of the scope of this post. What’s important to mention is that different strains of malware exploit different vulnerabilities, we all need to make sure we’re following a good basic standard to prevent them.
In all honesty, even IT companies find this part hard, and it’s the reason it doesn’t get done. We’ve gone to great lengths (it’s not been easy) to create a product that genuinely monitors and automates update installation. Still, even with that, we spend a lot of time manually intervening and fixing deployment issues.
You can configure Windows to automate the installation of Windows Updates, but that doesn’t cover if there are issues or even touch third-party patches, you’re meant to use SCCM for that.
If you’re technically minded and looking for a low-cost option (I say low cost because of the time investment), Manage Engine’s Desktop Central product is free for under 50 devices, but I wouldn’t touch it with a barge pole.
For me, the how is to get an expert to do it for you. If you’re already using an expert, please please don’t just trust they’re doing it. Ask for a Nessus Credentialed Patch report for your estate, if they won’t, do it yourself or get a third-party to do it for you, the license is free if you’re scanning under 16 devices!
If you're unsure on any of the above, happy to clarifiy just get in touch ???
Like what you've read and want more? Get our advice delivered straight to your inbox, we promise it wont be overwhelming!
About the Author
Sam loves everything networking, more specifically anything Cisco! He’s certified to Network Professional level and if you happen to find him without a self study book in hand, he’ll likely be playing cricket, football or in the gym.