This year we have seen an average of ten updates a month from Microsoft alone. Team this with Adobe having one to two bulletins a month and a number of subsequent updates from third parties including Oracle, Google, and Apple, there hasn’t been a month so far in 2016 where you have less than 14 bulletins to test and update!
In anticipation of the law of averages holding true, I have prepared the following quick tips to aid you through these bulletins:
- Not all patches are created equally and vendor severity isn’t always the best way to prioritise what order you should emphasise testing. So here is a high level criterion for further vetting a bulletin:
- Metasploit – Exploit proof of concept within Metasploit (software to aid penetration testing) – If someone is teaching the bad guys how to use the exploit, get it patched first!
- Zero Day – It is critical to identify any exploits that have been detected in the wild before the vendor releases an update, as this should be a top priority.
- Public Disclosure – You must take into consideration when example code or significant information regarding a vulnerability has been exposed to the public, as this gives attackers an advantage.
- Profiling by CVSS – This is a national vulnerability database designed to help prioritise remediation activities that will help you calculate the severity of vulnerabilities found in your systems.
- Apply updates that fit the above criteria quickly! If exploit code is available or a Zero Day has been identified, ‘ASAP’ is your window for opportunity. Public disclosures and those fitting the CVSS profile give you about two weeks before the first exploits may start to occur.
- 50% of vulnerabilities exploited occur within 2-4 weeks of an update release.
- 90% of vulnerabilities exploited occur by 40-60 days of a software update release.
- The average enterprise can take up to 120 days to deploy vendor updates, so consideration must be placed on the prioritisation of update roll out.
- Start with the end user’s systems. Phishing exploits are on the rise and the user is the best target to form a beachhead where an attacker can start a persistent attack on your environment. Therefore, we recommend that your end user machines should be patched in less than 14 days.
- We recommend weekly patching to keep up with the updates that occur between Patch Tuesdays. Within the LANDESK family we release content nearly every day of every week releasing new updates for over 100 non Microsoft Product Families and Microsoft Products. Enterprises should consider implementation strategies such as these to manage and effectively react to the monthly patch Tuesday update.
Understandably it can prove complex to navigate your organisation through Microsoft’s patch update series, however I cannot emphasise enough its importance for the security and the efficiency of your workforce. Hopefully the above tips can provide some clarity in relation to the bulletins and allow you to effectively manage patching updates in the future.
Chris Goettl is Program Product Manager/Product Owner at LANDESK Software