Companies still overlook patch management, one of the basics of cyber security

Microsoft recently released a rare out-of-band security update (one issued outside its regular monthly cycle) to patch a vulnerability in all versions of its Windows Server software. The company acknowledged that attackers had already exploited the vulnerability before the fix was available.

Similarly, in February of this year, Apple rushed out a patch for a “shockingly overlooked” encryption flaw that left iPhone, iPad and Mac users open to man-in-the-middle (MITM) attacks. Left unpatched, the vulnerability would have allowed an attacker positioned on the network path to intercept and alter supposedly protected communications, including email and login credentials, for countless Apple users.

Any software is prone to technical vulnerabilities. Once a vulnerability is discovered and disclosed publicly, it can be exploited by cyber criminals within a very short time, often before many organisations have applied the fix.

Content management systems such as WordPress have become popular targets because a single flaw in the platform can be exploited across the millions of websites that run it. Attackers are compromising WordPress websites as the first step of a larger attack.

Just this week, WordPress released a patch for a vulnerability that an attacker could exploit by entering carefully crafted comments, containing program code, on blog posts and pages. Under default settings, comments can be submitted by anyone without authentication, so the attack requires no account on the target site. The flaw is extremely easy to exploit, according to experts.

Microsoft states on its website: “the unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.”

Patch management is the process of identifying, testing and deploying patches or upgrades for the software applications and technologies an organisation uses. Patches fix problems discovered after the initial release, including security vulnerabilities, and applying them promptly reduces the risk to your systems and network infrastructure. A robust patch management plan helps you handle these changes in a controlled, repeatable way.

Research suggests that although companies may implement advanced IT security solutions, they still neglect the basics of good security, such as patch management. A Kaspersky Lab survey from November 2012 found that only 35% of companies use technology to install updates automatically.

A comprehensive security strategy includes automated, centralised patch management software designed to handle the multitude of patches issued by multiple vendors at different times. It should also support testing patches before they are deployed, and provide tools for regular software audits, so that missing patches are found by checking installed versions against vendor advisories rather than assumed to have been applied.
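The audit step described above, as an added example that is not part of the original article or of any vendor's product: a minimal script that compares the software versions recorded in a host inventory against the first fixed version named in each advisory and reports every missing patch. The hosts, products, versions and advisory identifiers are constructed for illustration and are not real advisories. The one detail worth learning from it is the version comparison: a naive string compare says "2.9.3" is newer than "2.10.0" and misses the patch, so versions are split into numeric and letter parts first.

```python
"""Added example: a minimal patch audit against a host inventory.

All advisories, hosts and version numbers below are constructed for
illustration; the advisory ids are placeholders, not vendor identifiers.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Constructed advisories: product -> (placeholder advisory id, first fixed version).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "cms": ("ADV-0001", "4.3.2"),
    "mailer": ("ADV-0002", "2.10.0"),
    "tls-lib": ("ADV-0003", "3.1.2b"),
}

# Constructed inventory, as a centralised patch management tool would collect it.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"cms": "4.3", "tls-lib": "3.1.2a"},
    "web-02": {"cms": "4.3.2", "tls-lib": "3.1.2b"},
    "mail-01": {"mailer": "2.9.3", "tls-lib": "3.2.0"},
}


def version_key(version: str) -> Tuple:
    """Split a version string into comparable parts.

    Numeric runs compare as integers, so 2.10.0 > 2.9.3, and a letter
    suffix (3.1.2b) sorts after the bare number (3.1.2). Each part is
    tagged (0, int) or (1, str) so ints and strs are never compared
    directly, which would raise TypeError.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True if the installed version is at or above the first fixed version."""
    return version_key(installed) >= version_key(fixed)


def audit(inventory: Dict[str, Dict[str, str]],
          advisories: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed version, advisory id) for every missing patch."""
    findings = []
    for host, software in sorted(inventory.items()):
        for product, installed in sorted(software.items()):
            if product not in advisories:
                continue  # no known advisory for this product
            advisory_id, fixed = advisories[product]
            if not is_patched(installed, fixed):
                findings.append((host, product, installed, advisory_id))
    return findings


if __name__ == "__main__":
    for host, product, installed, advisory_id in audit(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} is missing {advisory_id}")
```

Run as-is it reports the three hosts that are behind; in practice the inventory would come from an agent or management console and the advisory list from vendor feeds, but the comparison logic is the part that silently goes wrong when left to string sorting.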

Patch management should be a fundamental component of any comprehensive security programme. A proactive approach narrows, and in many cases closes, the window in which a known vulnerability can be exploited, and takes considerably less time and effort than responding after a vulnerability has been exploited.

Patch management is one of the five controls of Cyber Essentials, the UK Government-backed certification scheme aimed at raising the standard of cyber security among large and small businesses alike. The UK Government now requires organisations tendering for certain contracts to provide evidence of Cyber Essentials certification.

For as little as £300, IT Governance offers an automated solution to applying for Cyber Essentials certification, via its unique new CyberComply portal.
