The evolution of patch management: how and when it became so complex

If you look back, patch management was not a cybersecurity issue. Rather, it was an IT problem. It wasn’t until the advent of Code Red in 2001 that Microsoft began releasing patches to fill security holes in its software. With the emergence of massive Internet worms in 2009, 2011, and 2012 (including WannaCry in 2017), which shook entire enterprise networks, patch management was once again taken seriously as a security matter. These events set the stage for widespread enterprise adoption of regular patch management cycles. Until then, there had been sporadic security incidents, but no massive spread of viruses and malware across geographies.

As massive attacks that infect entire networks across regions became more common, the industry turned to developing a system to classify and track these vulnerabilities. The first such system, created in 1999, was initially used by U.S. federal agencies at the recommendation of the National Institute of Standards and Technology, which published “Using the Common Vulnerability and Exposure (CVE) Vulnerability Naming Scheme” in 2002 and updated it in 2011. However, mass use did not begin until 2011, with the first National Vulnerability Database (NVD).

NVD is a comprehensive cybersecurity vulnerability database that integrates all publicly available U.S. government vulnerability resources and serves as an industry reference. It is synchronized with and based on the CVE list, which uses a scoring system to assess the severity of risks. NVD became an effective tool for security organizations to track vulnerabilities and decide which ones to prioritize based on risk scores.

Beginning in 2011, patch management began to evolve into an industry-wide security best practice. However, as the number of vulnerabilities in databases continues to grow and the complexity of IT infrastructure increases, patch management is no longer easy. It’s not always as simple as updating a piece of software. Some systems are mission critical and cannot afford disruption. Some organizations do not have the dedicated resources, in terms of budget or talent, to test, deploy and install patches on a regular basis.

The creation of NVD was a huge first step in vulnerability and patch management for the industry. However, two issues emerged that led to the complexities the industry encounters with patch management today. The first problem is time. There will always be delays. Once an attacker, researcher, or company identifies a vulnerability, the clock starts ticking. It’s a race against time, from when a vulnerability is disclosed, to when a patch is released, to when it is applied, to ensure that the vulnerability is not exploited by bad actors. Past delays have ranged from 15 to 60 days. Today, we only have a few weeks left.

But not every vulnerability has a solution. There is a common misconception that every vulnerability can be fixed with a patch, but this is not the case. Data shows that only 10% of known vulnerabilities can be covered by patch management. This means that the other 90% of known vulnerabilities cannot be patched, leaving organizations with two choices – either change compensating controls or fix the code.

The second problem is that NVD has basically been weaponized by the bad guys. While it is designed to help organizations defend against threat actors, the same tool came, within a short period of time, to be used to launch offensive attacks. In just the past five years, threat actors have improved their attack skills through the use of automation and machine learning. Today, they can quickly and easily scan unpatched systems against vulnerability data in NVD. The rise of automation and machine learning has enabled threat actors to quickly determine which software versions an organization is using and cross-check them with NVD to determine what hasn’t been patched.
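The cross-check described above is one a defender can run first. The following is an added example, not code from the original article: it matches a software inventory against vulnerability records, ranks findings by score, and separates those with a patch from those that need a compensating control. All hosts, products, IDs, versions and scores are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class VulnRecord:
    vuln_id: str             # constructed placeholder, not a real CVE ID
    product: str
    first_affected: str      # lowest affected version (inclusive)
    fixed_in: Optional[str]  # first fixed version; None = no patch exists
    score: float             # severity score, 0.0 to 10.0

# Constructed sample data (hypothetical products and identifiers).
RECORDS = [
    VulnRecord("EXAMPLE-0001", "webserver", "2.0.0", "2.4.10", 9.8),
    VulnRecord("EXAMPLE-0002", "webserver", "2.4.0", "2.4.12", 5.3),
    VulnRecord("EXAMPLE-0003", "plc-firmware", "1.0.0", None, 8.1),
    VulnRecord("EXAMPLE-0004", "database", "10.0.0", "10.2.1", 7.5),
]
INVENTORY = {
    "web01": {"webserver": "2.4.9"},
    "web02": {"webserver": "2.4.12"},
    "plant-ctl": {"plc-firmware": "1.3.0"},
    "db01": {"database": "10.2.1"},
}

def is_affected(installed: str, rec: VulnRecord) -> bool:
    v = parse_version(installed)
    if v < parse_version(rec.first_affected):
        return False
    # With no fix published, every version from first_affected on is exposed.
    return rec.fixed_in is None or v < parse_version(rec.fixed_in)

def build_worklist(inventory, records):
    """Return (score, host, vuln_id, action) tuples, highest score first."""
    findings = []
    for host, software in inventory.items():
        for product, installed in software.items():
            for rec in records:
                if rec.product == product and is_affected(installed, rec):
                    action = (f"upgrade to {rec.fixed_in}" if rec.fixed_in
                              else "compensating control")
                    findings.append((rec.score, host, rec.vuln_id, action))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

if __name__ == "__main__":
    for finding in build_worklist(INVENTORY, RECORDS):
        print(finding)
```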

Now we have an asymmetrical war: organizations try to master patch management to ensure every vulnerability is fixed, while bad actors hunt for a vulnerability that hasn’t been patched. It all boils down to one missing patch. That’s all it takes for a security incident to happen. That’s why patch management is now a mandatory part of organizational security, not just the responsibility of the IT department.

Today, patch management is a mandatory practice for demonstrating compliance with security regulations. It is also a requirement for cyber insurance. With the rise of ransomware, including attacks on mission-critical hospital systems where the outcome can mean life and death, patch management is under scrutiny, and rightfully so. However, IT and security teams are stretched thin and unable to keep pace with the task. This is impossible for humans. The industry needs to find a new approach – automated patch management – which will be discussed in Part 2 of this series on patch management.

Part 2 of this series is scheduled for release on Wednesday, January 12th.
