When organizations update or patch software, decisions have to be made about which code changes to install within the network to improve systems and/or fix security vulnerabilities. For IT administrators, prioritizing and scheduling upgrades can be a tall but necessary order. They also need to get their teams on board, because patching or updating systems can slow production while workstations are restarted, and employees frequently see pop-up windows prompting a restart so their computers can perform the upgrade. There are also growing concerns among security teams that attackers might inject malicious software into the network during upgrade periods or trick end users, as recently seen with cryptomining malware that was disguised as an Adobe Flash update.
Updating software helps organizations remedy certain vulnerabilities or bugs, improve workstation performance and introduce new features. The Petya attack in 2017 raised awareness of the dangers of not patching or updating software. Yet somehow, even with these inherent benefits and recently heightened awareness, 44 percent of organizations today say it still takes weeks to apply security patches, with 30 percent reporting that it takes a month or longer to do so.
Despite the potential operational burdens and growing concerns about attackers targeting software updates as a network entry point, staying current with patches is both critical and a recommended best practice.
As organizations continue to improve their ability to programmatically upgrade and patch software, attackers are in turn getting stealthier. In organizations where end users and IT teams typically update and patch software promptly, attackers have predictably adapted their strategies to counter this move. Often, they will target software updates in an effort to get in and create backdoor access, spread malware and/or just generally wreak havoc. In short, attackers have refined the ways they can install malware or inject malicious software into endpoints during updates and patches. A potential path could involve sending a phishing mail that prompts an unsuspecting user to install a fake update, which in turn installs malware on their system. For example, a 2018 campaign dubbed “Fake Updates” spread bogus patches for software such as Google Chrome, Mozilla Firefox, Internet Explorer and Adobe Flash Player.
Now might be the time that you ask, “Why bother updating software if attackers are going to try to get into my organization that way?” It bears repeating that regular software updates are critical to risk reduction. In choosing to ignore this, organizations will find themselves with a mixed-and-matched network composed of legacy and modern versions of software, which has been proven time and time again to be very risky. That’s why it’s so crucial not only to have a strategy in place to consistently upgrade and patch your systems, but also to do so in a secure, controlled way.
There are three steps that every organization should take in order to safely patch their software.
- First, identifying and establishing a patch management process helps to reduce the security vulnerabilities associated with unpatched software. It is recommended that security teams document and standardize patching by writing down repeatable steps and processes for how the organization will address software updates and patches.
- Second, organizations should use application whitelisting to prevent attackers from misleading people into downloading “fake” or malicious patches that then spread throughout the organization.
- And finally, deploying upgrades in test environments to ensure safety is also critical, because it allows security teams to check and verify that patches are safe to roll out to the entire organization.
Maintaining security and operational use during patching supports a successful program, but it can be difficult to find tools and strategies that provide both components. CyberArk Endpoint Privilege Manager is typically deployed by organizations that want to protect against credential theft on endpoints and also want to protect against fake patches with application whitelisting. CyberArk Endpoint Privilege Manager creates application control and privilege elevation policies based on trusted sources such as SCCM (System Center Configuration Manager), software distributors, updaters and URLs, to name a few examples. This means that even if a user attempted to install a rogue software update, CyberArk Endpoint Privilege Manager would identify the patch as untrusted and not let it run.
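As an added illustration of the trusted-source policy idea described above (example code written for this article, not CyberArk Endpoint Privilege Manager's own implementation): a simplified allowlist evaluator that lets an installer run only when it is signed by a known publisher and arrives via a trusted updater process or download host, and otherwise denies it. All publisher names, hosts and process names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed policy data (hypothetical values): the publishers, distribution
# hosts and updater processes an organization has decided to trust.
TRUSTED_PUBLISHERS = {"Example Browser Corp", "Example Reader Inc"}
TRUSTED_HOSTS = {"updates.example-browser.test", "sccm.corp.example"}
TRUSTED_UPDATERS = {"sccm-client.exe", "browser-updater.exe"}


@dataclass
class UpdateEvent:
    """What an endpoint agent would observe when an installer tries to run."""
    file_name: str
    signer: Optional[str]        # publisher from the code-signing cert, None if unsigned
    signature_valid: bool        # whether that signature verified
    source_url: Optional[str]    # where the file was downloaded from, if recorded
    parent_process: str          # process that launched the installer


def evaluate(event: UpdateEvent) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). The default is deny: an update has
    to prove it came from a trusted source, and unknown means untrusted."""
    # A fake update is typically unsigned or signed by an unknown publisher.
    if not event.signature_valid or event.signer not in TRUSTED_PUBLISHERS:
        return "deny", f"untrusted or invalid signer: {event.signer!r}"
    # Installers launched by an approved updater (e.g. the SCCM client) are trusted.
    if event.parent_process.lower() in TRUSTED_UPDATERS:
        return "allow", f"launched by trusted updater {event.parent_process}"
    # Otherwise the download origin must be an approved distribution host.
    if event.source_url:
        host = urlparse(event.source_url).hostname or ""
        if host in TRUSTED_HOSTS:
            return "allow", f"downloaded from trusted host {host}"
        return "deny", f"download host {host!r} is not a trusted source"
    return "deny", "no trusted updater or download source recorded"


if __name__ == "__main__":
    # Constructed sample: a phishing-delivered "update" versus a real SCCM rollout.
    fake = UpdateEvent("flash_update.exe", None, False,
                       "http://cdn.fake-updates.test/flash_update.exe", "outlook.exe")
    real = UpdateEvent("reader_patch.msi", "Example Reader Inc", True, None, "sccm-client.exe")
    for ev in (fake, real):
        print(ev.file_name, *evaluate(ev))
```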
Having tools in place that allow administrators and security teams to verify unknown applications and identify potentially dangerous malware is important to help reduce the risk and mitigate damage from an attack.
It may feel like you are stuck between a rock (call this operations) and a hard place (security), but we’re here to help. For more information on how to secure your most sensitive assets, including how to secure your organization’s endpoints, reach out to our team to discuss further.