A survey of IT professionals undertaken last year showed more than half of them struggle to keep up with patch management. Because of the sheer volume of updates, more than 60% reported they sometimes have difficulties knowing which patches need to be applied to which system, leading to confusion over whether or not the system was vulnerable.
What is a patch?
Computer code is inherently insecure. It’s often written by multiple people, and quite often code is reused, all of which means that, inevitably, holes will appear, leaving the entire system open to hackers. A patch is the extra code created to repair the hole, which users can install via updates.
Who finds the holes?
Hackers are divided into two groups: White Hat Hackers and Black Hat Hackers (it’s a cowboy thing). Both groups are looking for unpatched holes, but the difference is that the Black Hats are searching for them with malicious intent. As soon as the White Hats – who are either professional hackers or hobbyists – find a vulnerability in a system, they will inform the vendor, giving them the chance to create a patch before the Black Hats find the hole and exploit it.
White Hat Hackers will also produce vulnerability reports called CVEs (Common Vulnerabilities and Exposures), partly to encourage the vendor to take action on the hole and partly to share the information (and partly to ensure everyone knows who they are).
Why is patch management such a problem?
Basically, people become overwhelmed with the number of patches being released and the number of platforms they apply to. The easiest to manage are the Microsoft patches, as their latest updates are released all together on the second Tuesday of every month and cover all of their products; although in 2015, Microsoft still had to release 535 patches. Other companies, like Adobe, iTunes, etc., produce separate updates for each of their products and release them immediately. This sometimes means that patches are being released on a daily basis.
If your IT department consists of just one or two members of staff, they could easily end up spending all their time managing patches. If they don’t have access to expensive automated distribution tools, their entire time could be taken up installing updates and making sure they have been installed on every computer in the building.
Why should patch management be outsourced?
Patch management is a mundane and time-consuming process. Without the advantage of automated distribution tools, IT departments struggle to keep up with the quantity of patches being released all the time. Often, patch management ends up being neglected, leaving the system ever more vulnerable. In addition, the patches themselves sometimes have problems and have been known to cause system failure, meaning even more headaches for over-stretched IT staff.
Given the amount of time patch management takes, outsourcing it makes sense. Outsourced IT companies have the advantage of economies of scale and can not only automate the process, but also spend time testing the updates before updating clients’ systems.
At Lumina Technologies, we review all the CVEs to understand what is being patched and why. We will always spend a few days testing the patches in our laboratory, closely monitoring the results before installing the patches onto our clients’ systems. We will then run reports to ensure that all the patches are properly installed on all their computers.