Patching Takes More than a Fortnight for Many Firms

Patching Takes More than a Fortnight for Many Firms

The major WannaCry and NotPetya ransomware outbreaks of 2017 appear to have had little if no impact on organizations’ approaching to patching, with visibility into systems still crucially missing in many cases, according to Ivanti.

The endpoint security firm polled 130 IT professionals at VMworld Europe last year to better understand their key challenges.

However, despite the highly disruptive ransomware campaigns of May and June 2017, the percentage of respondents with a patch management policy in place was the same as the 2016 figure: 80%.

This is despite WannaCry in particular causing chaos across the globe when it struck, exploiting a Windows SMB vulnerability which was already patched by Microsoft.

The NHS was caught out to devastating effect, with an estimated 19,000 operations and appointments said to have been cancelled as a result.

Compounding the problem, 70% of the IT professionals Ivanti spoke said they either do not have complete visibility into their systems or don’t know if they have the right tools to do so.

Patching is a major undertaking for many organizations, with almost half (49%) of respondents claiming they take more than two weeks to do so, while 20% take more than a month.

Microsoft systems were pegged by the vast majority (72%) of respondents as representing the most consistent patching challenge.

Ivanti director of product management, Chris Goettl, explained that Microsoft’s recent move to cumulative patch roll-ups for Windows 10 and Server 2016 has created new problems for IT admins.

First, it bundles all security and non-security updates together, with no ability to separate. This causes issues in some mission critical environments where an entire month’s update round may have to be postponed because of issues with individual fixes, he told Infosecurity.

“Some companies we speak to regularly on our webinars were asking after the same issue for two or three months and had to make the choice to update and break critical systems or defer all Windows updates until the issue was resolved”, Goettl continued. 

“In light of vulnerabilities that lead to global cyber-attacks like WannaCry and NotPetya this is a pretty big concern as time to patch is becoming more critical. Adding to this issue is the constant growth of these updates.”

Innovations like Express and Delta updates have helped, but come with their own challenges, he argued.

Another challenge is branch upgrades every 18 months, requiring a 4GB OS redeployment each time, plus testing and roll-out, said Goettl.

Finally, Microsoft has created extra challenges for organizations running pre-Windows 10 systems in applying the same Cumulative Rollup model, but without the Delta/Express update features. This is compounded by the growing size of updates for Windows 7, which Goettl claimed could reach 600MB per month over time.

“One silver lining with the pre-Windows 10 updates is that Microsoft introduced a Security Only Bundle so companies can take in the security updates for the month and even separate IE and the OS into two updates giving a little more control and flexibility for breakfix situations. It also made the size issue more manageable”, he explained.

“The challenge here is unless you have a system that can handle giving you one or the other consistently it is a bit challenging to manage. Most companies have to do some scripting or manual effort each month if they want to utilize the Security Only Bundle vs the Cumulative Rollup.”

On a more positive note, the research found that just 13% of organizations claimed they allow employees to have administrator rights, down from 55% last year.

However, tools that provide Just In Time (JIT) administration (14%) and Just Enough Administration (JEA) (5%) are far from common, representing something of a missed opportunity for managing privileged access securely.

Source: Information Security Magazine