Why do we have to patch?

Basically, it keeps your software up to date and as secure as possible.

Many businesses have a policy in place for patching in line with best practice data security measures. Any device connected to a business domain should be kept up to date to reduce the risk from malware, worms, ransomware and many other threats. Keeping the policy up to date will reduce exposure to common threats on any device connected to a business.

The biggest patch updates are issued by Microsoft and are typically released on a Tuesday (usually the second Tuesday of the month). In our world, this is known as Patch Tuesday. But just because Microsoft releases a patch, it doesn’t mean it is a ‘good’ patch that should be installed. There have been a few times when Microsoft (and other third-party vendors) have released bad patches that can cause business disruption if not dealt with correctly. This also goes for many third-party patches. We therefore do not install released patches straight away; we first verify that the patch is a good patch and meets the standards to be released and installed. Approved patches are installed between 48 hours and 14 days after release. Keeping systems up to date within a 14-day period is accepted as the norm.

Patch Testing

When we receive notification of a new patch being released, we first deploy it in our lab environment where it is installed on a suite of devices covering multiple brands at different stages of setup. We conduct numerous tests generating various diagnostic reports. These are analysed to identify any issues, and mitigation steps are put in place to avoid or remediate bad patches. We only allow verified patches to be installed to avoid any disruption to your business. Patches that fail our tests (bad patches) are not released for install.

Any device that belongs to an end-user, but is connected to a business network, is known as BYOD – Bring Your Own Device. It is the responsibility of the device’s owner to keep the device up to date. If it is not kept up to date, the business has the right to refuse that device access to its network. The business must put security at the forefront of its decision.

We adopt a flexible approach to patch management because clients have different time windows in which patches can be installed. Some Microsoft patches require a system reboot, which could be a problem for business-critical systems that cannot experience any downtime. Knowing this in advance and having the patch policy documented allows us to schedule patch updates outside of business hours.

Occasionally, vendors will notify us that a zero-day threat patch has been released. These need to be installed as soon as possible to ensure any threats are reduced to a minimum. As an example, when the WannaCry ransomware attack hit business networks, security vendors released a patch within 24 hours.

If you are running Microsoft Windows 10, there are two types of patches:

A. Patches – The monthly patch updates that plug small gaps in your operating system.
B. Builds – Typically a complete O/S upgrade (for example, 1806 up to 1809).

The majority of patches are small files that can be downloaded in the background without any interference to your connectivity and network. When there is a big release, we have a gateway policy in place to only download your patches outside of periods of high network activity to ensure business disruption is kept to a minimum.

 

If you have any questions around patches, updates or wider cyber security matters, please feel free to contact us.