When a child goes near something hot, a parent will warn them not to touch it. But of course, if the warnings aren’t heeded, the child may get burned. With repetition, the message eventually sinks in and behavior changes.
The message to patch has been repeated many times. There is a seemingly unending litany of examples where this has not happened.
Regulators are considering how best to ensure that security is adequately maintained; privileged access monitoring and protecting data in the cloud are also hot topics high on their agenda.
Of course, none of this is news to us. We have been living in this world of patch-Tuesday-compromise-Wednesday for some time, and yet many organizations are still not embracing patching. Certain infrastructure may even never be patched on the grounds of stability. One CEO I met ranked their IT priorities in this order: Security, Reliability and Features. If only all boards and execs did that.
The patching world 10 years ago
As I interact with people at events and dinners, I look around and see people that want to do the right thing. They know they need to patch. They know they need to implement Privileged Session Management. Yet ask those same people if they are happy with the level of patching within their organizations and they will either avoid the question or laugh at this apparent joke.
Think back 10 years in the consumer patching world: unpatched home computers were getting compromised within minutes of being placed on an always-on broadband connection. They would be turned into unwitting participants in botnets or have keyloggers installed to try and capture online banking credentials.
Fast forward to today and those same consumer PCs are as patched and up to date as they can be. So what happened? Patching became the default: updates installed automatically every week, and virus definitions every day, without the user having to do anything other than the occasional reboot.
Over that same time period, corporate computers have not changed. If we leave aside the cloud for the moment, then the way that corporate desktops get patched is the same as it was 10 years ago. Sure, the packaging deployment systems may have evolved, but fundamentally no organisation (that I know of at least) defaults to installing all patches as soon as they come out.
When I ask people why they don’t just install all patches they say “stability”. But if I go back to the insightful CEO and follow their order, stability or reliability would come after security. I believe that order is correct. However, I also believe you don’t have to shoot yourself in the foot just for security.
Default 1/10th of all of your desktops to patch within a day or two, and the rest automatically over the next week. Within a week you would have all desktops patched. Obviously you would need to invest in automation, processes and people. But the cost is far less than having to clean up WannaCry or play whack-a-mole to remove something once it is inside a corporate network.
But what about the servers, I hear you cry? My simple answer – do the same. The two best defences you can have for free are these: patch and reboot. Patch within days, reboot weekly.
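The staged rollout described above, as an added example that is not part of the original post: a small Python scheduler that assigns each host to a deterministic ring (10% canary due in two days, the rest spread over five daily waves so everything is due within a week) and reports which hosts are overdue. The 2-day and 5-wave split, the hostname hashing and the sample inventory are my assumptions, not the author's.

```python
# Added example (not from the original post): a deterministic ring scheduler
# for the staged rollout described above. Assumptions (mine, not the author's):
# a 10% canary ring due 2 days after release, the other 90% spread over five
# daily waves so every host is due within 7 days; rings are chosen by hashing
# the hostname so a host always lands in the same ring.
import hashlib
from datetime import date, timedelta

CANARY_PERCENT = 10          # 1/10th of the estate, as the post suggests
CANARY_DUE_DAYS = 2          # "within a day or two"
WAVES = 5                    # remaining hosts over the next five days
FINAL_DUE_DAYS = CANARY_DUE_DAYS + WAVES   # everything patched within a week

def ring_from_bucket(bucket: int) -> int:
    """Map a 0..99 bucket to a ring: 0 = canary, 1..WAVES = later waves."""
    if not 0 <= bucket < 100:
        raise ValueError("bucket must be in 0..99")
    if bucket < CANARY_PERCENT:
        return 0
    return 1 + (bucket - CANARY_PERCENT) * WAVES // (100 - CANARY_PERCENT)

def ring_for(hostname: str) -> int:
    """Stable ring assignment: hash the hostname into one of 100 buckets."""
    digest = hashlib.sha256(hostname.lower().encode()).hexdigest()
    return ring_from_bucket(int(digest, 16) % 100)

def deadline_for(hostname: str, release: date) -> date:
    """Date by which this host must have the patch installed."""
    return release + timedelta(days=CANARY_DUE_DAYS + ring_for(hostname))

def overdue_hosts(inventory: dict, release: date, today: date) -> list:
    """inventory maps hostname -> date of its last successful patch run.
    Returns hosts not patched since `release` whose deadline has passed."""
    return sorted(h for h, last in inventory.items()
                  if last < release and today > deadline_for(h, release))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    release = date(2024, 1, 9)
    inventory = {f"ws-{n:03d}": date(2023, 12, 20) for n in range(1, 21)}
    inventory["ws-005"] = date(2024, 1, 10)   # already patched after release
    for day in range(0, FINAL_DUE_DAYS + 2):
        late = overdue_hosts(inventory, release, release + timedelta(days=day))
        print(f"day {day}: {len(late)} host(s) overdue")
```

Feed `overdue_hosts` the last-patch dates from your deployment system and the list it returns is the 20% that actually needs human attention.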
Suggest this to your IT department and they will probably come up with a hundred reasons why not, or some edge-case systems that it wouldn’t work for. In one of my previous blogs I talked about ‘default to yes’. It helps them find the one way it could work, instead of focusing on the many reasons it won’t. If you can get them to a position where you don’t have to worry about patching on 80% of the estate, then their precious time can be spent focusing on the 20% that really need it.
Conclusion – what the world holds for IT security
I started this by saying we are winning battles and not the war. We are managing internal IT wrong. We continue to do it how we always have, and we’ve failed to heed the lessons of others, so we continue to do the same thing and expect different results.
Ask the teams who test your patches when the last time they had an issue with a patch was. I don’t mean a major operating system upgrade, or a major package upgrade, rather a weekly or monthly security patch. When I asked this question I was shocked at the answer. I was expecting it to be low, in the 5-10% region, but they couldn’t think of anything since 2012.
When you think about your internal IT, think about how the cloud can influence your behavior. Can you imagine a cloud vendor testing every one of their customers’ setups against the latest OS patch? No. They just patch it and give you the tools to manage. The more we decouple the platform from the product, the better and easier this will be.
For more information on winning the IT security war, download the “Privileged Identity Theft” whitepaper here.
Adrian has been working in Information Security for 16 of his 21 years in technology. He classes himself as a technologist who specializes in Security. He now works as London Stock Exchange Group CISO, having just been HSBC’s CISO, where he was in charge of all IT security globally for two years. He has worked in many industries and companies, bringing his unique brand of security that puts the business first.
Prior to HSBC, Adrian was Executive in Residence at Accel Partners (London), helping and advising startups. He was CISO at Skype for 5 years, where web scale and big data made it one of the most challenging environments in which to apply security. Betfair, Man Group, Barclays Capital, BAA and BA are just some of the other companies he has worked for across the high-tech and financial sectors. He holds a Masters in Information Security from the University of London.