The unrelenting danger of unpatched computers

Most successful exploits are against unpatched computers. Fix that, and you are suddenly a good deal safer.

All the big hacker headlines these days involve major breaches and theft. One of this year's biggest stories was the recently disclosed theft of a stunning $1 billion from banks thanks to a group of hackers wielding malware and social engineering skills.

The action is what gets all the attention, not the vulnerabilities that allowed the action.

The most serious and neglected vulnerability is lack of patching. Nine out of ten successful hacks are waged against unpatched computers.

Anti-virus/anti-malware is absolutely critical. But these tools only block known attacks. More and more hackers go after vulnerabilities that haven't been discovered, or if found, haven't yet been plugged.

Here is the scenario. A hacker discovers a flaw and crafts or cobbles code to exploit it. Or a security researcher publishes the detail of the flaw. Either way, the vendor rushes out a patch and most think all is well.

Those that quickly and completely installed the patch dodged a bullet. The problem is that only a minority of shops fall into this category. Little more than a third of small businesses regularly patch their systems, or so says a survey by the Federation of Small Businesses in the UK.

The patch itself is a roadmap for a successful exploit. Once released, hackers craft exploits that go after the hole the patch is intended to fix, knowing that not all shops will install the patch, and those that do may not hit all computers. The machines that aren't patched are sitting ducks for hackers.

Some shops are great at patching Windows and other Microsoft tools and applications. This is all thanks to Patch Tuesday, the second Tuesday of every month when Microsoft releases fixes.

Unfortunately, not all of these fixes get installed. Even worse, Microsoft may be the least of your patch worries.

Why is patching so sparse?

Patch coverage never reaches 100% for several reasons. Unpatched computers are not always seen as a vulnerability concern. And patching, without the proper tools, is time consuming, costly and difficult.

"Customers may shy away from addressing regular patching or overdue software upgrades because they have concerns about price, time, or complexity. However, based on our conversations with customers, an 'only as-needed' approach to software support is short-sighted, and could expose customers to security and compliance risks, not to mention losses in employee productivity and business revenue depending on the software involved," wrote Ovum analyst John Madden in his "Avoiding security risks with regular patching and support services" report.

Besides patching, Madden also suggests using the latest versions of key software products. Windows XP, for instance, is now famously unsupported. "In some instances, customers are using older product versions that are no longer supported or patched, so an upgrade is the most effective way to make sure their patching program, and their overall security profile, is optimal," Ovum argued.

Pressing patching concerns

While it doesn't usually make headlines, patching is more critical than ever. Two factors make proper patching critical. First, hackers are more sophisticated than ever, and they now include state-sponsored hacking groups and organized crime.

Second, today's shops run more applications than ever, those applications are increasingly complex, and each one widens the attack surface.

Don't take my word for it. Gartner research also bears the notion out. "In the darkest woods of IT, patching third-party applications on a desktop remains a significant challenge for many organizations. Patching server OSs (Windows and Linux/UNIX) and third-party server applications also remains challenging due to fragility of many server environments. Add virtualization to the mix – and you have a full-blown slow-cooking disaster. And then you have Java…a security disaster in a league of its own," wrote Gartner analyst Anton Chuvakin in a recent blog. "Java, Adobe Reader and Flash, Firefox, Oracle fat clients as well as many vertical and business-specific applications are often patched MUCH later than Windows and Office."

Worst offenders include Oracle and Adobe

Microsoft has its fair share of patches, sometimes releasing over a dozen on Patch Tuesday. The good news is that many Windows client patches are installed automatically through Windows Update – provided your copy of Windows is legitimate and relatively up to date.

And Windows Server Update Services (WSUS) does a decent, if not fully automated, job of deploying server fixes.

The big new offenders are Oracle (Java in particular), Adobe, and even Apple with QuickTime and iTunes. In fact, Oracle has been known to release well over 100 patches in a single batch.

The answer: Get organized, go multi-platform, and automate

In the early days of patching, IT shops used an entirely manual process or built their own patching tools. Neither approach can keep up with the growing patch onslaught or the increasingly multi-platform nature of the problem.

The first step is to make sure your staff is organized to patch properly. Who is responsible and how are they held accountable?

Next up, conduct an inventory so you know what you have to patch, and be sure this process is regularly repeatable or that new machines and bits of software are automatically discovered.

Finally, look for tools that can automate the patch process, patch multiple machines, OSes, apps and tools, and that can track and report deeply on patch status.
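The inventory-then-report loop described in the three steps above, as an added example that is not part of the original article: a small Python patch-status reporter that compares a constructed multi-product inventory (Windows, Java, Adobe Reader) against a constructed "lowest patched version" baseline and reports, per host and product, how many days the fix has been public. All version strings, dates and hostnames are illustrative placeholders, not real advisories.

```python
from datetime import date

# Constructed baseline: for each product, the lowest fully patched version and
# the day that fix shipped. Illustrative values only, not real advisories.
BASELINE = {
    "windows":      {"min": "10.0.19045.3930", "released": date(2024, 1, 9)},
    "java":         {"min": "8.0.401",         "released": date(2024, 1, 16)},
    "adobe_reader": {"min": "23.8.20470",      "released": date(2024, 1, 9)},
}

# Constructed inventory, shaped like a discovery tool's export. A missing key
# means that product is not installed on the host.
INVENTORY = [
    {"host": "pc-01", "windows": "10.0.19045.3930", "java": "8.0.401", "adobe_reader": "23.8.20470"},
    {"host": "pc-02", "windows": "10.0.19045.3803", "java": "8.0.391"},
    {"host": "srv-01", "windows": "10.0.19045.3930", "adobe_reader": "23.6.20320"},
]

def parse_version(text):
    """'10.0.19045.3930' -> (10, 0, 19045, 3930); tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))

def is_behind(installed, minimum):
    """True when the installed version is older than the patched baseline."""
    return parse_version(installed) < parse_version(minimum)

def exposure_report(inventory, baseline, today):
    """Every (host, product) still below baseline, with how long the fix has
    been public, i.e. how long the patch has served attackers as a roadmap."""
    findings = []
    for machine in inventory:
        for product, rule in baseline.items():
            installed = machine.get(product)
            if installed is None or not is_behind(installed, rule["min"]):
                continue  # not installed, or already at/above the fixed version
            findings.append({
                "host": machine["host"], "product": product,
                "installed": installed, "required": rule["min"],
                "days_exposed": (today - rule["released"]).days,
            })
    return findings

def summarize(findings):
    """Count unpatched hosts per product so the worst offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["product"]] = counts.get(f["product"], 0) + 1
    return counts
```

Feed it a real export from your discovery tool and run it on a schedule; the `days_exposed` column is the number that should drive escalation.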

Copyright © 2015 IDG Communications, Inc.