IT Security News Quarterly Update - Spring 2021

Welcome to our Spring IT Security Update. Considering the Microsoft Exchange patch issues that have recently been in the tech news, in this quarter’s edition, Jamie thought that now would be the ideal time to look at patches in more detail, reminding you of their importance for your organisation’s data security.

 

Patch your network systems - or risk compromise and damage

First of all, what is a patch?

A patch is a software and operating system (OS) update that addresses security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs, as well as provide enhanced security features.

In this edition I am going to focus on the security aspect of patching. It wouldn’t be much of an IT security article if I didn’t! I’m pleased to say that all our customers are on a regular patch management schedule. However, with the recent Microsoft Exchange patch issues that have dominated the tech news lately, I thought that now is a good time to explain why patching is so important.

When any new software is released, it is likely to be full of undiscovered security holes (vulnerabilities). Plenty of testing will have taken place pre-release, but nothing tests your wall of defences like the wider world.

If a hole is discovered (by the good guys), they will usually report it to the vendor and in some circumstances will receive a reward for finding it, based on the seriousness of the flaw. As soon as possible, the vendor then creates and releases a patch to address the issue in order to stop it being exploited out in the wider world.

If a hole is discovered (by the bad guys), reports will often start popping up in the news of infected IT systems and unexpected behaviour or malicious actions in the wider world. Often the exploit tools are leaked by the bad guys to more bad guys. More and more of them then hop aboard, trying to exploit as many susceptible systems as they can before a patch is released. The whole time this is going on, in the background the vendor is scrambling to write a patch and get it released as quickly as possible to prevent further infection.

Why is patching so important?

One of the problems for many organisations when it comes to patching is that they don’t understand the risks of not patching their systems. The most obvious benefit of patch management is heightened network security. If a system isn’t patched, then a company’s data is left exposed to data breaches and the stakes for these are high – the highest they have ever been. Ransomware, downtime, blackmail, fines, leaked data and damage to the business’s reputation are all very much fighting for the top of that list. Therefore, applying a patch as quickly as possible lessens the risk of a business being attacked.

So, outside of understanding the importance of patching, why don’t businesses always want to engage in it?

Disruption. It is usually the top of the list for any organisation. No business wants to add disruption to its normal day-to-day working practices and they often make an excuse for ‘not getting round to it’, seeing it as a time-consuming process.

Another reason is fear. Applying patches requires stopping and then restarting the software, with some requiring a complete system reboot. This can result in issues when the system comes back up. Luckily patch testing has improved dramatically over the years, so this fear is often misguided. Never say never, but it is a far lesser evil than not patching. I deal with far more incidents on out-of-date machines than I do on current, patched ones!
 
Neither disruption nor fear is a licence to not patch. The security patch your computer just wanted to install was released for a reason, and it was not because the vendor was bored; it was most likely plugging a known exploited hole. So, don’t ignore any update messages, click install and remember this: Restarting when required = protection!

There are 2 examples I would like to mention with regard to patching.

Example 1:

Back in 2004, I reloaded my home PC with a copy of Windows XP. It was an original XP disk, with no service packs or updates included. I was planning to do them myself when it loaded up. Within minutes of it first loading into Windows, the machine was infected with the Sasser Worm. I had yet to do anything. I hadn’t even gone to Windows updates to start the update process. All the worm needed was for an unpatched machine to have internet access. (BBC NEWS | Technology | Sasser net worm affects millions)

Example 2:

The second is much more recent (welcome to 2021!) and this is still causing some businesses considerable pain and will carry on doing so until every one of them patches or mitigates! Microsoft released a patch for their Exchange servers (2013, 2016 and 2019), but at the point they released the update, systems were being exploited at an alarming rate. It looked like the groups/individuals responsible were scanning the Internet for vulnerable systems and then dropping a backdoor into those systems to go back to later. The vulnerable Exchange servers didn’t need to do anything to become infected, just to exist and be running as expected without the new patch. Anyone who didn’t subsequently patch and remove the infected file(s) has found themselves (or will find themselves) victims of data theft and/or ransomware.

Microsoft has subsequently released an update for Exchange 2010, which, although no longer a supported Exchange build, was still susceptible. This highlights just how serious this one was.

So, to all you good people out there, the moral of the tale is - patch your work machines, your home machines, your mobiles… patch, patch, patch!

And if you have any questions or would like to know more about patching systems, please don’t hesitate to contact security@ntsols.com or your account manager.