In wake of recent attacks, it’s time to revisit your patch policy

Hurricanes hammered the United States last month, and cyber attacks continue to rain down throughout the world. The EternalBlue SMBv1 vulnerability continues to be a focus of attacks.

Recent announcements include the introduction of a banking system Trojan in Europe and Japan, and a complex hotel reservation system attack in Europe and the Middle East. In both situations, the objective of the attack was to collect a user’s login and password credentials.

Here in the US, the recent Equifax security breach is dominating the security news. Details are continuing to emerge, but there was a clear breakdown of security process that affected 145 million people. The exploited vulnerability was in the Apache Struts application used on the company web portal. A patch for this vulnerability was released on March 6th; the first indication Equifax had a problem was not reported internally until May. Equifax had a quarterly patch policy in place, which clearly let them down.

My recommendation this month is to revisit your patch policy. Considering these recent events, think about the level of risk you are willing to accept for both your critical and non-critical systems.

If you are running a quarterly patch cycle, are you willing to run with unpatched systems for up to three months until the next patch cycle begins? It may be that you have mitigating controls in place, but at least think about the implications. The vendors have been doing a much better job of responding to reported vulnerabilities in their software. Now it is up to us as security professionals to make sure we patch and protect our systems in a timely manner.

October forecast:

  • Expect the usual Microsoft OS updates this month. After the huge release for Office last month (51 KB articles) and the .NET release, we’re hoping for a small number of patches beyond the regular OS updates.
  • Mozilla just released a new major version of Firefox in the past week, so we probably will not see a new version next week.
  • History tends to repeat itself, so we should expect an update to Adobe Flash as usual.
  • October is an Oracle Critical Patch Update (CPU) month. Oracle updates quarterly and this is the month, so on Tuesday the 17th Oracle will release updates for all its software, including Java. We may see an announcement on the future of Solaris and SPARC support as well. Oracle had a major layoff of those software and hardware employees at the beginning of September.
