Best practice has been to patch systems–both operating systems and applications–every 28-30 days (a month). Some don’t even do it this often (as shown by the recent Microsoft Exchange hack). This cycle is based on the practice that Microsoft and other vendors release critical patches monthly.
But with the growing threat from hacking groups operating on a nation-state basis with almost unlimited resources, is this enough? A “zero-day attack” is when an attacker discovers a previously unpublished weakness and then sits on that vulnerability until a time of their own choosing. By waiting until just after the monthly patches are applied, a hacker can have almost a full month to worm their way into systems before the next patches–assuming the vendor can respond in this amount of time.
In the past 3 months, zero-day exploits targeted SolarWinds, Accellion, Exchange, Chrome, iOS, Android, and BIG-IP software. During 1 week in March, 11 zero-day exploits were unleashed.
Running Unpatched Software
The cost of running unpatched software can include: ransomware, higher insurance premiums, public relations nightmares, lost revenue, fines from regulatory agencies, audits, and reputational loss.
Some experts are arguing for allowing businesses to take an outage rather than run on software that isn’t patched. Granted, this is an extreme option that each business will have to assess for itself.
Other Responses
Here are some other options that small and medium businesses can do to reduce their risk:
- Patch as frequently as possible. If you’re not patching at least monthly, you may have ‘splaining to do.
- Make sure that firewalls including Intrusion Detection Systems/Intrusion Prevention Systems are maintained and any anomalies are correctly reported and actioned. These should be tested regularly. You need to know who’s lurking in your systems and what they’re up to.
- It’s not always a good idea to buy the “industry-leading” software. This is what happened with SolarWinds. As one of the industry leaders, many companies and smaller enterprises bought into it as well. People thought, “If it’s good enough for the US Government, then I want it too.” As a result, many minnows got caught up in Russia’s attempt to extract state secrets from US clients. It’s good to have biodiversity in the technology world as well. Sometimes the 2nd to 5th place players in a software sector can provide you with everything you want in a software package while allowing the vendor to fly under the radar (and often costing less than the sector leader). For example, Google Meet is cheaper than Zoom and has a fraction of the cybersecurity bad press.
Finally, have a trusted Managed Service Provider company that looks after your systems and data and works to protect you from these risks. If you don’t have a trusted IT company, then we would love to talk to you. Please contact us for a no obligation, no pressure first conversation.