The second Tuesday of every month Microsoft issues a series of patches for its software. Organizations pay particular attention to fixes for WinServer, Internet Explorer and Office, for many the three most common applications in their architectures — and therefore among the most common targets for hackers.
But an expert says IT security professionals spend too much time worrying about patching and not enough about prioritizing on the real threats to their organizations.
Studies such as Verizon’s data breach investigations report show most breaches are caused by users not changing default passwords, cleartext authentication and misconfiguration of systems, says Adam Brand, associate director of IT security and compliance for Protiviti Inc.’s IT consulting division. Protiviti is a U.S.-based international IT risk consulting firm.
“That’s especially relevant today when you think about [the fact that] there’s all these breaches happening and information security teams are hearing from their boards and everybody’s worried,” he said in an interview.
Management may hire a third party to do an assessment, which usually discovers a number of systems are missing patches. So IT focuses on testing patches and implementing them.
If the organization’s goal is to mitigate the risk of a breach, it has to prioritize its time, Brand says. “Prioritizing patches without looking at them (will) come at the expense of doing things that actually stop breaches.”
There are three myths about patching, he says:
–1: Install all patches within 30 days.
That comes in part from a recommendation from the Payment Card Industry to meet a PCI audit. But even companies that aren’t covered by PCI believe it. In addition, IT leaders feel an obligation to patch Microsoft software before the next Patch Tuesday.
But PCI itself says there should be a risk-based approach, Brand points out. “Just because Microsoft releases a patch doesn’t mean that it’s applicable everywhere in your environment and at the same priority,” he said.
For example, he said, Microsoft may identify a patch as serious, but an examination of the details may show the greatest risk is for servers hosting publicly facing Web sites.
–2: Vendors know what’s critical.
“You must decide what’s critical,” Brand said. There is not a lot of agreement, even among experts, on what a critical patch is, he points out.
“You need to understand your own rating system — what does critical mean to you.”
–3: Scan your environment until a patch passes.
Too many organizations worship their vulnerability scanners, says Brand, instead of prioritizing their work. There may be a bug in a Web browser, for example, that allows a system to be compromised if a user clicks on a certain link. However, that bug may not matter on a database server that runs a financial system with high uptime requirements and on which nobody browses the Web.
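Myths 2 and 3 come down to the same practice: rate each patch against your own environment rather than taking the vendor severity or the scanner finding at face value. The following script is an added illustration, not code from the article, from Protiviti or from NIST; the weighting scheme, the patch identifiers (placeholders, not real bulletin numbers) and the asset inventory are all constructed for the example. It scores each patch per asset by asking whether the affected component is even installed, whether the flaw needs a user to click something (irrelevant on a server with no interactive users), whether the asset is internet-facing, and how business-critical it is, then turns the score into a local rating.

```python
"""Risk-based patch prioritization (constructed example, not a standard).

Each (patch, asset) pair gets a local score:
    vendor base score * exposure factor * asset criticality
and the score is mapped to an organization-specific rating. A patch for a
component that is not installed scores 0 and drops out of the work list.
The weights and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    components: frozenset          # software actually present on the host
    internet_facing: bool          # reachable from the public internet?
    interactive_users: bool        # do people browse / open documents on it?
    criticality: int               # business impact, 1 (low) to 3 (high)


@dataclass(frozen=True)
class Patch:
    patch_id: str                  # placeholder ids, not real bulletins
    component: str                 # component the patch fixes
    vendor_severity: str           # the vendor's own rating
    requires_user_interaction: bool  # e.g. a user must click a link


# Vendor rating translated to a numeric base (assumption).
VENDOR_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


def local_score(patch: Patch, asset: Asset) -> float:
    """Score a patch for one asset; 0.0 means it does not apply there."""
    if patch.component not in asset.components:
        return 0.0                     # myth 3: a browser bug on a host with no browser
    base = VENDOR_SCORE[patch.vendor_severity]
    if patch.requires_user_interaction:
        # Click-to-compromise flaws only matter where people actually
        # use the component; on a headless server they are nearly moot.
        exposure = 2.0 if asset.interactive_users else 0.5
    elif asset.internet_facing:
        exposure = 3.0                 # remotely triggerable and exposed to the world
    else:
        exposure = 1.5                 # remotely triggerable but internal only
    return base * exposure * asset.criticality


def local_rating(score: float) -> str:
    """Myth 2: the organization decides what 'critical' means (thresholds assumed)."""
    if score >= 24:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(patches, assets):
    """Return applicable (patch, asset, rating, score) tuples, highest score first."""
    work = []
    for patch in patches:
        for asset in assets:
            score = local_score(patch, asset)
            if score > 0:
                work.append((score, patch.patch_id, asset.name, local_rating(score)))
    work.sort(key=lambda w: (-w[0], w[1], w[2]))
    return [(pid, host, rating, score) for score, pid, host, rating in work]


# Constructed inventory: a public web server, an internal database server
# that happens to have a browser installed, and a finance workstation.
ASSETS = [
    Asset("web01", frozenset({"windows_server", "iis"}), True, False, 2),
    Asset("db01", frozenset({"windows_server", "sql_server", "internet_explorer"}), False, False, 3),
    Asset("wks-finance", frozenset({"windows", "internet_explorer", "office"}), False, True, 2),
]

# Constructed patches with placeholder ids.
PATCHES = [
    Patch("PATCH-IIS-A", "iis", "critical", False),          # remote, no click needed
    Patch("PATCH-IE-B", "internet_explorer", "critical", True),  # user must click a link
    Patch("PATCH-OFF-C", "office", "important", True),       # malicious document
]

if __name__ == "__main__":
    for pid, host, rating, score in prioritize(PATCHES, ASSETS):
        print(f"{pid:12} {host:12} {rating:9} ({score:.1f})")
```

Run as is, the web server's IIS fix comes out "critical", the same "critical" vendor-rated browser patch is "high" on the workstation where people click links but "low" on the database server, and the IIS patch never appears for the database server at all because IIS is not installed there. The point is the structure, not the numbers: replace the weights and thresholds with ones that reflect your own environment.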
Brand recommends IT security pros pay attention to the most recent version of the U.S. National Institute of Standards and Technology (NIST) 800-40 guide to enterprise patch management, which gives more detail on what to do.
Among its recommendations:
–Organizations should deploy enterprise patch management tools using a phased approach;
–Organizations should reduce the risks associated with enterprise patch management tools through the application of standard security techniques that should be used when deploying any enterprise-wide application;
–Organizations should balance their security needs with their needs for usability and availability.
“The vast majority of companies are approaching patching in the wrong way,” says Brand. “It’s few and far between where corporations are thinking about patching from a risk and prioritization basis, as opposed to ‘we just need to patch everything within 30 days’ and they waste all these cycles (of time) patching and testing. It’s the exception and not the norm.”
He admits that some IT managers he advises don’t immediately see the light, believing it will take too much time to sort and prioritize patches. But, Brand says, there are perhaps 10 critical patches issued a month. There’s also a fear that an auditor may scan an environment, find unpatched systems and report that to the C-suite. But as a PCI auditor himself, Brand says that if documentation shows patches are being prioritized, an auditor will be impressed.
Other, probably smaller, organizations worry no one on staff is skilled enough to judge which patches are really important. That, Brand adds, is a different problem.