Cyber Essentials Scheme – Patch Management

In August this year we published a post that discussed the need for adherence with the new UK Government Cyber Essentials Scheme for the many suppliers and service providers to Government departments and agencies. In this blog I’d like to expand on the subject of Patch Management which was one of the five control areas that make up the scheme.

Extract from the UK Government Cyber Essentials Scheme:

“Patch management. Organisations should keep operating system and application software sufficiently up-to-date in order to avoid the exploitation of emerging vulnerabilities.”

So what is patching?

Patching is the process whereby software is updated in order to correct any defects, improve performance or remove known vulnerabilities which have recently been discovered. Additionally patching can also be used to add new functionality to an operating system or application.

What happens if my organisation doesn’t patch?

As vulnerabilities in software become public knowledge there is an increased chance of hackers targeting your organisation through that vulnerable software. The end result can be theft of your intellectual property, denial of service or physical damage (or potentially worse) in the case of equipment controlled by software. Potentially the greatest risk from the failure to effectively patch is the risk of malware infection which may result in your equipment becoming part of a botnet – imagine the damage to your business reputation if you were to become the source of “spam”.

For example, only last month, Heartbleed, one of the most harmful cyber threats to date, made the news headlines as it emerged that over the course of two years hackers had been utilising it as a means to access personal information and passwords. As cyber security breaches of large companies capture the news headlines there remains a worrying degree of complacency amongst small business owners (1).

Furthermore, we now know that “Shellshock” which is a vulnerability in the UNIX Bash shell has existed virtually undetected since the early 1990s. The UNIX Bash shell can be found in any device that is running the UNIX and Linux operating system including many Apple devices, all of which are almost guaranteed to be connected to the internet (2).

Additionally business online banking details can also be stolen, it is not widely known that the safeguards provided to individual banking consumers are non-existent for businesses meaning that it is vital you take steps to protect your financial interests.

Patching costs lots of money, right?

The majority of patches are free if you own the software license, some are even open source, in most cases it only costs you time and staff effort to obtain and implement the available patches. Some patches are provided to you as part of the support agreement you purchased with your network equipment – when was the last time you checked to see if they’d been implemented by your IT supplier?

What else can I do to enhance my patching?

For starters why not adopt a patching policy? Regency have experience in writing or enhancing business patching policies by ensuring that they contain a viable strategy for your ICT staff to follow, we can also ensure that software vulnerabilities are considered and managed on a regular basis as part of your patching policy.

To ensure that your ICT system has “defence in depth” you can reinforce your patching policy with the use of firewalls, anti-virus protection, or more robust identification and authentication techniques that we and our partners at Intercede specialise in.

There are a number of patching tools available and we at Regency have a depth of experience in this area. Some patching tools are free which means the cost of implementation just got cheaper. Ultimately and most important of all you need management “buy in” to ensure the success of any patching policy.

Need more information?

At Regency we are passionate about patching! Why not contact us for more information and perhaps have a chat with one of our experienced security consultants on how you can implant a patching plan or make your patching more effective.

William Wardrope

Security Consultant