6 Software Patch Management Mistakes (and How to Fix Them)

This blog post is in partnership with LMG Security. With professional hackers and cybersecurity criminals posing a constant threat to law firms big and small, the reality is that your firm’s sensitive data will always be a target. The good news? This risk can be averted by a few simple and cost-effective security strategies which you’ll learn in this CLE Cybersecurity Academy presented in partnership with LMG Security. 

Hackers spent 2021 wreaking havoc by exploiting software vulnerabilities. From the recent Log4Shell exploit to a series of Microsoft Exchange vulnerabilities – which hackers have leveraged to deploy ransomware, steal emails, and more — to the Kaseya ransomware attacks that spread throughout the globe, the damage caused by software exploits has been immense. (Here are summaries and next step checklists for the Log4Shell and the Exchange vulnerabilities.)

Even the Equifax breach—one of the largest in US history that exposed personal data for 143 million people—resulted from an unpatched vulnerability. According to Equifax, criminals exploited an unpatched web application vulnerability for which a patch was released two months prior to the attack. This massive breach could have been avoided if Equifax had promptly patched its software.

How Safe is Your Organization?

All too often, patches are available and not deployed due to time, budget, personnel, or technical issues.  According to a survey conducted by the Ponemon Institute, 42% of the respondents that had been breached stated that the cause was a known, unpatched vulnerability for which a patch was available but not applied.

To compound the problem, patch management risks aren’t limited to YOUR environment. Criminals can also leverage unpatched vulnerabilities in your vendors’ environments—and your data is at risk. For example, in December of 2020, Florida Healthy Kids Corporation was informed that due to an unpatched vulnerability in their web hosting provider’s environment, criminals had access to the protected health information for 3.5 million of their applicants. It’s clear that patch management is crucial for your business and that your leadership team should ensure that you have a well-thought-out plan to minimize your risks.

Avoiding 6 Common Software Patch Management Mistakes

The good (and bad) news is that many software-related hacks could easily have been prevented with proper patch management. Read on to hear about six common software patch management mistakes, and how you can successfully address them and protect your organization.

Mistake #1: Not Knowing What to Patch

Everybody knows to patch your operating systems—but what about those pesky third-party applications, or software deployed by your vendors? As you can see in the example above, one unpatched vulnerability in a vendor’s system can lead to a major breach. The 2020 Ponemon Institute survey also found that over a six-month period, the average organization had a backlog of 57,555 identified, unpatched vulnerabilities. If you calculate that average backlog by the number of vendors with access to your environment, the numbers get scary. How can you reduce these risks?

• Start by maintaining an inventory of your software. This will help you understand the scope of work and the resources you will need.
• Prioritize your software patching based on the level of access to sensitive data, the criticality of the vulnerability, and the risk that it represents.
• Understand and minimize the risk from your suppliers. Read this Supply Chain Security Checklist for tips on how to vet your vendors and reduce this risk.

Mistake #2: Patching Too Slowly

Many organizations have monthly or bimonthly patching cycles. The problem is that when a critical vulnerability is announced, hackers may actively try to exploit your server within hours or days, not weeks. Other organizations are struggling with resource constraints that cause even longer backlogs for patching. This increases the risk that by the time you patch, you may have already been hacked.

• Discuss ahead of time how to handle critical patches for different software types. Carefully consider the risks of waiting versus the time needed to fully test and deploy a patch.
• Document your standard patch time frames and audit routinely to make sure you are meeting your goals
• Set up automated patch management in order to ensure that your myriad applications are patched consistently and quickly. This can save your organization time and money, as well as reduce your risk of exploitation.

Mistake #3: Ignoring Outdated Software 

You may have software on your network that is so outdated that the vendor no longer releases patches—meaning these systems are highly vulnerable to attack. Many organizations throw up their hands and decide there’s nothing they can do. This situation is all too common, particularly in environments when you rely on specialized vendor software. Here are some strategies that can help:

• Track your outdated software in a central asset management database.
• Regularly review the use of these systems and determine whether you can decommission or replace them with more modern software.
• Place outdated operating systems on their own, isolated network segment with very limited traffic. This will reduce the risk of compromise.

Mistake #4: It’s Never a Good Time

Many organizations don’t apply patches regularly because it is difficult (or even impossible) to find a good time to apply patches and restart critical systems. Try these tips:

• Make sure you architect your infrastructure to have redundancy. Ideally, you should be able to reboot a critical system in order to install a patch without impacting the business.
• Prioritize regular patch deployment. If downtime is required, it is better when it is planned, as opposed to an emergency due to a cybersecurity incident.

Mistake #5: Fear of “Breaking Something”

Even the most well-tested patch deployments can cause problems, particularly in complex environments. Fear of “breaking something” can cause system administrators to delay patching. You can reduce this challenge if you:

• Develop and implement a software patch test plan whenever possible to increase the likelihood of successful deployment
• Have a strategy for rolling back patches quickly in the event that a patch impacts system functionality

Mistake #6: Not Monitoring Patch Status

Patches don’t always install properly, leading to data breaches, ransomware attacks, and other consequences. Minimize your risk by taking these actions:

• Routinely check your systems’ patch status using automated patch management software.
• Ensure your team is notified of both successful and failed patch deployments.
• Assign responsibility for following up on failed patch deployments in a timely manner, and regularly auditing this work.

Patch management is a crucial part of your cybersecurity foundation, and it’s one that frequently gets less attention than it deserves due to time and resource issues. If you need help implementing effective patch management or verifying that critical patches have been correctly applied, LMG Security can help.