5 Lessons Learned From Patching During a Pandemic

It’s unlikely that any security manager would consider the process of administering security patches as “fun,” but in the age of COVID-19, with continued widespread remote work arrangements turning just about everything on its ear, patching is now an overwhelming challenge, to say the least.

But it couldn’t be more crucial than it is now, because home networks are vulnerable. Research from BitSight reveals 45% of remote office networks have observed malware, compared with 13% of corporate networks. That means corporate-associated home office networks are more than three times as likely to have at least one malware infection.

“The pandemic has had a seismic shift on security teams, especially when it comes to patching,” said Chris Hallenbeck, Tanium’s CISO of the Americas. “Almost overnight, organizations decentralized patch management and let machines auto-update and auto-patch. This was a huge change for enterprise IT, which has long managed its endpoints manually in order to ensure visibility and quality control of the entire environment.”

Where do we go from here? Many analysts predict that current work-from-home configurations are far from over at many organizations. So, as the situation continues to unfold and admins are forced to manage security largely from afar, these are some of the lessons learned along the way that can lead to improvement when it comes to patching in a pandemic.

Many Security Teams Have Had To Loosen the Reins

“With end user devices exposed at home and limited VPN bandwidth, teams didn’t have the capacity to choose what to patch or when,” said Hallenbeck. “For organizations with tens of thousands of endpoints, this was a tremendous effort on a massive scale.”

Without any real choice on how to administer patches, yet a dire need to patch, most security teams have simply had to make the best of it, said Tom DeSot, EVP and chief information officer at Digital Defense.

“Systems administrators have become essential personnel to ‘keeping the lights on’ for every company. Now instead of having local access to systems or virtual machines, systems administrators now have to do their patching over the corporate VPN(s) to ensure that everything is kept up to date. This isn’t ideal, as in some ways it’s always better to have local access to the machine, but it’s really the only choice that the administrators have presently.”

Administrators Are Forced To Get Creative

But making the best of it isn’t without disruption, noted DeSot.

“Some updates are a gigabyte in size or larger and that can bog down a VPN for other users or make the VPN almost unusable altogether, leaving other users in a lurch so that one or a few users can be updated,” he said. “To compound the matter, some users may not have the same bandwidth at home as they are used to at work. Updates may take hours or even days to download. As a result, administrators have had to get creative with how they update their users, such as doing the updates late at night or even having the user meet them at the office (last choice) so that their systems can be updated properly.”

Remote Desktop Protocol Is Essential—and a Massive Vulnerability

Remote Desktop Protocol, which is used by network administrators to remotely manage—and patch—Windows systems, has become an increasingly large target for ransomware in recent years. One recent presentation at RSA revealed that RDP accounts for 70% to 80% of network breaches.

RDP’s attractiveness to hackers is a particularly big problem during the pandemic in OT environments, where it is often essential for remote management, said Phil Neray, vice president of IoT & Industrial Cybersecurity at CyberX.

“IT and OT administrators are no longer onsite in plants, so now they need to remotely access systems in order to patch them,” he said. “For Windows-based OT systems like HMIs, engineering workstations, and historians, they typically use RDP for this.

“With much more traffic now coming into OT networks over RDP, adversaries are hoping their malicious RDP access will go unnoticed in the sea of legitimate RDP traffic,” he added.

Prioritize Essentials and Zero-Day Vulnerabilities for Patching

Since some teams can’t get to everything in today’s environment, zero-day vulnerabilities should naturally be given priority, as it only takes a few days for criminals to take advantage once a security hole is disclosed. Focus on systems that are essential to helping remote employees stay productive, as well as systems critical to the business, said Neray.

“A risk-based mitigation approach is the right way to go,” he said. “Start with your ‘crown jewel’ assets and processes—those whose compromise would have a major impact on your revenue or cause a major safety or environmental incident and patch all the systems in the path an attacker would take to reach those critical assets.”

There Are Still Many Gaps

People have already grown weary of the term “new normal,” but that is exactly what security managers and teams will need to consider in devising patching plans going forward. Even with lessons learned in recent months, there is still a lot of work to be done to further mature the process at most organizations.

“The missing link is personal devices, which still need to be brought under control. The use of personal laptops, smartphones and tablets has shot up, and many aren’t looped into corporate vulnerability management,” said Hallenbeck. “This is a huge blind spot that continues to leave businesses more exposed to cyberattacks as well as data leakage incidents. Even before the pandemic, 94% of organizations told us that they were discovering new endpoints on a regular basis. That’s only worsened under the largest remote working experiment in history.”

“We’re learning that patching needs to be considered in pandemic response or disaster recovery plans,” added DeSot. “We’re also learning that there are some times that risk must be mitigated in ways that we hadn’t thought of so that the users can still work, but the systems administrators use a non-traditional route to get them patched.”

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.