Patch management is more important than ever! The lack of an effective patch management program has contributed significantly to the increase in the number of security incidents in financial institutions. Patches are software updates designed to fix known vulnerabilities or security weaknesses in applications and operating systems. All software applications require updates from vendors, not just operating systems. This includes updates for third-party software such as Microsoft and Adobe products, Adobe Reader, Adobe Flash, Chrome, and QuickTime. The most popular software products are continually probed by attackers for weaknesses, and vendors have to constantly release security updates to keep these applications safe and secure.
When it comes to patch management, many financial institutions today fall into one of two categories:
- Those that don’t keep systems consistently up to date, and simply react when there is a problem or vulnerability.
- Those that keep systems up to date, but spend a lot of time managing the patching process.
Patch management’s importance was underscored with the recent release of the FFIEC’s Cybersecurity Assessment Tool. This assessment tool makes multiple references to patch management, and dedicates an entire contributing component category to statements covering patching practices. The tool defines clear expectations on what banks must do in order to remain in compliance, and lays out a path for improvement beyond the basics.
In addition, the most recent Supervisory Insights edition from the FDIC references the need for effective patch management as one of four key areas that institutions should manage to mitigate security threats. The FDIC also stressed effective patch management in a webinar last year, and stated that 99.9% of successful hacker and malware attacks that exploited a vulnerability did so more than a year after a patch was published to plug the security hole.
All of these sources point to some best practices regarding patch management:
- Updates should be rolled out to all devices
- Timeliness of patching is critical: the longer an unpatched system remains in production, the larger the risk
- Devices with patching issues need to be addressed promptly to avoid a security issue
- Updates should be tested to ensure they don’t create an issue for the institution’s applications
- Patches that are not deployed because they conflict with bank applications must be documented
- Senior management and the board of directors should be provided with reports on patch status
Components of an effective patch management system
An effective patch management program should include policies and procedures to identify, prioritize, test, and apply patches in a timely manner. The longer a system remains unpatched, the more vulnerable the institution becomes. It is crucial that all systems are patched, if at all possible. To support a comprehensive patching program, the bank should create an asset inventory cataloging all systems that require patch management oversight. This asset inventory should list all software and firmware, including every server, switch, router, firewall, operating system, printer, laptop, desktop and ATM in the bank that is subject to periodic patches from vendors. Effective patch management is much broader than just making sure that Microsoft patches are flowing.
Bank executives should also stay abreast of possible threats by monitoring reports on identified vulnerabilities, and should ask if such vulnerabilities can be patched. Once a vendor stops supporting a software application they typically also stop releasing patches to plug newly discovered vulnerabilities, so executives should stay informed about assets nearing end-of-life. Management should also establish strategies to migrate from unsupported or obsolete systems and applications, and implement strategies to mitigate any risk associated with these products.
To comply with the FFIEC guidance, the board and senior management at the bank should require regular, standard reporting on the status of the patch-management program, including reports monitoring the identification and installation of available patches. Independent audits and internal reviews should validate the effectiveness of the bank’s patch management programs.
Automated Patch Management
Many financial institutions find managing the patch management process and maintaining patching solutions both challenging and time-consuming. Working with an outsourced service provider such as Safe Systems can provide your institution with a comprehensive patching program that delivers quick, accurate, and secure patch updates to all workstations and servers. This process will help mitigate the multiple risks associated with running unpatched programs and automate the time-consuming process of testing and deploying new patches.