With organizations today focusing their security efforts on ransomware detection, phishing prevention, and command-and-control monitoring, many overlook one of the simplest, non-human security weaknesses: unpatched systems.
While exploitation of vulnerabilities on unpatched systems does not cause as many breaches as phishing or social engineering, it still accounts for nearly 10% of them (Verizon Breach Report). Keeping your systems up to date is a low-effort, high-value way to prevent a few unusual inbound scans from becoming a breach on the national news.
Here are four ways to protect your organization against the threats of unpatched systems.
1. Take Inventory of Your Assets
Attackers often exploit corporate systems that were deployed at some point and then forgotten about.
To locate and keep track of your various systems, you can use a Configuration Management Database (CMDB), asset inventory system, or vulnerability scanner. Systems not in use should be decommissioned or air-gapped on isolated networks.
Remember, you can’t keep your systems fully updated if you don’t know they exist.
2. Avoid End-of-Life Applications
Windows Server 2012 will reach end-of-life in October of 2023.
This means machines running Server 2012 will NOT receive any fixes or security updates after October 2023, no matter how critical the vulnerabilities they would address may be. This makes Server 2012 unsafe and insecure to use beyond that point. You should apply the same logic to every system in your inventory.
All of your applications, network appliances, and operating systems should always be within their active support windows. For anything approaching end-of-life, plan to upgrade it to a supported version or move it to a strictly monitored or isolated environment where its business risk is well documented.
It may be worth a year-long effort to move those production systems still running a disk operating system (DOS) to something more modern.
3. Establish a Recurring Patching Cycle
Many commercial entities push new updates for actively maintained software products on the second Tuesday of each month, and mature vulnerability management teams tend to follow suit.
Consider lining up your own patch rollouts to coincide with, or fall right after, Patch Tuesdays, with a monthly Patch Wednesday or Patch Thursday. This will ensure that newly released updates are pushed out as soon as they become available and will limit the amount of time your systems are exposed.
Keeping your patch schedules consistent also means that downtime can be regularly worked around by all teams with minimal disruption.
4. Patch Systems by Business Risk and Vulnerability Severity
When researching updates, administrators tend to review the severity score attached to a Common Vulnerabilities and Exposures (CVE) entry. While it is a great idea to work from highest severity to lowest, you should also consider your own unique business risks.
For instance, you may want to treat systems your business has deemed critical for continued operation (such as a domain controller or production application server) as higher priorities in your patching cycle than something like a workstation with limited network access.
Additionally, a vulnerability may be labeled moderately severe but have known exploits in the wild that are being leveraged against your peer organizations. In that case, it would make sense to patch this vulnerability ahead of “high” severity vulnerabilities with no known exploits.
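As an added illustration of this prioritization (example code written for this page, not part of the original post), the following Python ranks findings by a CVSS-style base score, the asset's business tier, and whether the vulnerability is known to be exploited in the wild. The weights, the tier scheme, the placeholder CVE ids and the sample findings are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                 # placeholder ids in the constructed sample below
    cvss: float              # CVSS-style base score, 0.0-10.0
    asset_tier: int          # 1 = business-critical (domain controller, prod app server)
                             # 3 = limited network access (e.g. lab workstation)
    exploited_in_wild: bool  # e.g. listed on a known-exploited-vulnerabilities feed

# Weights are assumptions, chosen so that a known exploit outranks one severity
# band and a critical asset outranks a low-tier asset at equal severity.
EXPLOITED_BONUS = 3.0
TIER_BONUS = {1: 2.0, 2: 1.0, 3: 0.0}

def severity_band(cvss: float) -> str:
    """Map a CVSS-style score to the bands the text refers to."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def priority(f: Finding) -> float:
    """Patch-priority score: higher means patch sooner."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    bonus = EXPLOITED_BONUS if f.exploited_in_wild else 0.0
    return f.cvss + bonus + TIER_BONUS.get(f.asset_tier, 0.0)

def rank(findings):
    """Order findings for the patch cycle; ties fall back to raw CVSS, then asset name."""
    return sorted(findings, key=lambda f: (-priority(f), -f.cvss, f.asset))

# Constructed sample covering the two situations described in the text.
SAMPLE = [
    Finding("dc01", "CVE-XXXX-0001", 7.5, 1, False),        # high, critical asset, no known exploit
    Finding("ws-lab-17", "CVE-XXXX-0001", 7.5, 3, False),   # same CVE on a limited-access workstation
    Finding("app-prod-02", "CVE-XXXX-0002", 5.5, 1, True),  # only "medium", but exploited in the wild
    Finding("app-prod-02", "CVE-XXXX-0003", 8.1, 1, False), # high, no known exploit
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.1f}  {severity_band(f.cvss):8}  {f.asset:12} {f.cve}")
```

With these weights the exploited medium-severity finding lands first, ahead of the high-severity one on the same server, and the domain controller is patched before the workstation carrying the identical CVE.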
However your team goes about it, you should always use the most updated, supported software and appliances possible.
Taking inventory of your systems, removing or updating those that are not in use or are approaching end-of-life, establishing a regular patching schedule, and prioritizing vulnerabilities that are high-risk are all great ways to protect yourself from future exploits.
At SP6, our team of engineers is trained in helping organizations migrate their data to the most modern, secure systems. Schedule a consultation with us today to find out how we can keep you safe from today’s most pressing attacks.
SP6 is a niche technology firm advising organizations on how best to leverage the combination of big data analytics and automation across three distinct practice areas:
Cybersecurity Operations and Cyber Risk Management (including automated security compliance and security maturity assessments)
Fraud detection and prevention
IT and DevOps Observability and Site Reliability
Each of these distinct domains is supported by SP6 team members with subject matter expertise in their respective disciplines. SP6 provides Professional Services as well as ongoing Co-Managed Services in each of these solution areas. We also assist organizations in their evaluation and acquisition of appropriate technology tools and solutions. SP6 operates across North America and Europe.