MISSION CRITICAL - DO NOT PATCH

Only 31% of companies are running the latest Windows operating system, and 60% are running Windows versions that are no longer supported (Automox, 2017). This alone triples the risk of a cyber-attack. In my 20 years of working in IT and engineering, I have run into systems that were deemed “too valuable” to patch. Systems such as important database servers, or systems critical to military operations, were many times given a “do not patch” policy, and the company accepted this risk. These are not acceptable risks, because it is often not a question of if, but when, the system is compromised (Coleman, 2019). Illogical as it is, many companies accept that the risk of a data breach will be less costly than the downtime required to upgrade or patch the systems. According to Automox (2017), this usually comes down to a few factors:

1. There are too many patches to keep up with
2. Patching is a manual, time-consuming process
3. Lack of resources
4. Some applications can’t be patched internally
5. End-user resistance
6. Risk of creating additional problems or bringing the network down
7. The system is too critical to lose
8. Downtime is not acceptable
9. The system is so old there is no known baseline configuration to fall back on

It is highly advisable to keep all systems up to date on patches. Where that is not an option, there are a few ways to mitigate the vulnerabilities. First, run an internal audit of the system to assess potential threat vectors and to define the level of risk (Coleman, 2019). Second, remove unnecessary connections to the system; being connected to the web is a top reason for malware infections and attacks. Third, implement hardware-based security via a data diode or a similar device that physically enforces a one-way flow of data. Fourth, heavily inspect external media: impose antivirus scans, hash checksums, and file authentication. Lastly, institute a strong cybersecurity training policy for the users of the system. All the preventative measures in the world won’t protect against human error and the unknowing introduction of risk (Coleman, 2019).

There are also third-party applications that can take the hassle and risk of patching out of the company’s hands. Automox is a modern, cloud-native patch management solution that reduces the attack level by 80% with half the effort of traditional solutions (Automox, 2017). Automox can enforce OS and third-party patching, security configurations, and custom scripting across Windows, Linux, and Mac operating systems, drastically reducing the level of risk associated with these more vulnerable systems.

My team actually implemented patching on systems that were previously deemed “un-patchable” by:

· Migrating the physical servers to virtual servers
· Taking a full snapshot of the virtual system
· Patching the system
· Staggering the system reboots so that there were no unexpected reboots or downtime

Because the systems were migrated to a virtual solution, we were able to create scheduled snapshots to capture the full image of the system. This mitigated the risk: if the system ran into problems, we would be able to easily revert to the snapshot and bring the server back to a known good state. I would like to add that after we implemented the patching process on these “legacy” servers, not one of them was brought down unexpectedly due to patching. So in this case, and many others, the fear alone of possible downtime is and was very much unwarranted.
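The snapshot, patch, and staggered-reboot procedure above, written out as an added example runbook (this is not the author's tooling). It assumes libvirt guests whose domain name matches their ssh hostname, apt-based guests, and `virsh` available on the hypervisor; a failed patch step reverts the guest to its pre-patch snapshot and schedules no reboot.

```python
import subprocess
from datetime import datetime


def patch_host(host, slot_minutes, run=subprocess.run):
    """Snapshot, patch, then schedule a reboot slot_minutes out.

    Returns (status, snapshot_name). On a failed patch the guest is reverted
    to the snapshot (the 'known good state') and no reboot is scheduled.
    Assumption: libvirt domain name == ssh hostname; guests use apt.
    """
    snap = f"prepatch-{datetime.now():%Y%m%d-%H%M}"
    snapshot = ["virsh", "snapshot-create-as", host, snap]
    patch = ["ssh", host, "sudo apt-get update && sudo apt-get -y upgrade"]
    revert = ["virsh", "snapshot-revert", host, snap]
    # shutdown -r +N reboots N minutes from now, giving each guest its own slot
    reboot = ["ssh", host, f"sudo shutdown -r +{slot_minutes}"]

    if run(snapshot).returncode != 0:
        return "snapshot-failed", snap  # never patch without a fallback image
    if run(patch).returncode != 0:
        run(revert)                      # roll back to the pre-patch image
        return "reverted", snap
    run(reboot)
    return "scheduled", snap


def patch_fleet(hosts, stagger_minutes=30, run=subprocess.run):
    """Patch every host, staggering reboots so only one guest restarts per window."""
    results = {}
    for i, host in enumerate(hosts):
        slot = (i + 1) * stagger_minutes
        status, snap = patch_host(host, slot, run)
        results[host] = {
            "status": status,
            "snapshot": snap,
            "reboot_in_min": slot if status == "scheduled" else None,
        }
    return results


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them (constructed host names)
    class _Ok:
        returncode = 0

    def _echo(cmd):
        print(" ".join(cmd))
        return _Ok()

    print(patch_fleet(["db01", "db02", "db03"], stagger_minutes=20, run=_echo))
```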


References

Automox. (2017, August 10). 6 reasons why companies don't patch. Automox. Retrieved March 23, 2022, from https://www.automox.com/blog/6-reasons-companies-dont-patch

Coleman, S. (2019, September). What if you can't patch? Cyber Security Review. Retrieved March 23, 2022, from https://www.cybersecurity-review.com/what-if-you-cant-patch/
