Friday, November 3, 2023

Is Patch Tuesday Still Worth It???

 


As the months and years go by, all of the major Cyber vendors have chosen to pick a particular day of the month in order to formally release all of their software patches and upgrades to the public.  Although I don’t keep specific track of them, I know for a fact that Adobe, Oracle, and I think even VMware have a specific day and time of the month.  But the behemoth of them all, Microsoft, has been the leader in this realm.

On the second Tuesday of every month, Microsoft announces all of their upgrades for all of the software applications that need them.  So as you can imagine, this can be quite an exhaustive list to go through, and decide which ones you need to download and apply. 

Personally, I really don’t pay too much attention to it because I let my laptop do all of the updating as it needs to.

Once I hear the fan going off for a long period of time, that’s when I know for sure it is happening.  But here are some interesting tidbits about “Patch Tuesday”, as it has become known as:

*It first started in October of 2003, and has continued since then, for 20 years.

*Despite its prestige, Microsoft has been ranked as being amongst the worst technology vendors for having vulnerabilities in the software apps that it creates and deploys. Heck, it has even been known to have gaps even in the patches themselves.  For example, in this 20-year reign, there have been 10,900 flaws in Microsoft products.  Of these, 1,200 were ranked as “Critical” in terms of severity, and 5,300 were ranked as “Important”.

*There have been over 630 exploits for just one “Critical” or “Important” rated vulnerability. 

*Because of the sheer growth of Microsoft in the last 20 years, driven primarily by M365 and Azure, the company has been deemed also to have amongst the largest attack surfaces ever imaginable. 

But now, the critical question that is being asked is why should companies have to wait until Patch Tuesday to find out about vulnerabilities?  Shouldn’t they know about them sooner so they can fend off any potential threats?  Here are some thoughts on this of the story:

1)     The Zero Day Exploits:

This is a fancy techno jargon that simply means that a Cyberattacker has discovered a weakness or a gap before Microsoft is aware about it.  This means that they are ready to pounce, and will try to use just one entry point to cause as much destruction as possible.  Whether it is simply deploying a malicious payload, or heisting PII datasets to be sold onto the Dark Web, the damage has already been done.  In fact, it has been estimated that it only takes 79 minutes for a Cyberattacker to find any unknown vulnerabilities.  Really in the end, this is not too difficult to accomplish.  With all of the free tools for hacking that are available on the Dark Web, this comes of no surprise to me.  But even when this happens, there is a huge lag time that is involved.  Once the exploit has been discovered, Microsoft then needs to create the patch for it.  Then it has to be tested.  But not only that, then once businesses download them, they too need to further test it in a sandboxed environment to make sure that it will “play nice” with the other components of the IT and Network Infrastructure of a business.  The bottom line is that there still exists a huge time gap between when an exploit is first known, and the when the patch comes out to the public for downloading.

(SOURCE:  https://www.crowdstrike.com/resources/reports/threat-hunting-report/)

2)     Put security in the first place:

This now all comes down to a topic which I have belabored about before:  Address security as the source code for the application or project in the extremely early stages of development.  For example, compile the source code in modules or “chunks”, and after each iteration, thoroughly test it for any weaknesses or vulnerabilities.  If any are found, then remediate then and there so it does not have a cascading effect onto the subsequent modules.  In this respect, open-source APIs also needed to be vetted completely before they are put out into the production environment.  In the end there will always be some sort of vulnerabilities, but by taking a proactive approach early on in the game will greatly mitigate these risks.  This is technically known as “Secure By Design”, and it has been highly recommended by CISA.  More information about this can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/5-steps-to-becoming-secure-by-design-in-the-face-of-evolving-cyber-threats

My Thoughts On This:

So now, the other big questions that remain, is Patch Tuesday still worth it?  People will have differing views about this, but IMHO, I think it is still worth it.  The primary advantage of it is that at least the IT Security team knows when new software patches and upgrades will be coming out, so they can plan accordingly. 

But again, this can also be stressful, because if Microsoft releases over 100+ patches, those will have to be reviewed in extensive detail to see what is needed.

But then of course, there is the school of thought of putting them out on an ad hoc basis.  Meaning, rather than waiting for the second Tuesday in the month to announce them, Microsoft should simply release them as they are rolled out.  But then of course, the complaints will be that there is not enough time to prepare, etc. 

In the end, it takes the best of both worlds, and truthfully speaking, it will be very hard to achieve.  Given just how gargantuan Microsoft is, it is quite conceivable that they could come out with new patches almost every other day.  So what is a business to do? 

The answer is simple:  Be proactive.  Keep testing your systems and digital assets on a regular basis, and remediate anything that is found.  That way, you will be one step ahead of Patch Tuesday.

Also, more information about Patch Tuesday can be found at the link below:

https://www.darkreading.com/edge-articles/how-patch-tuesday-keeps-the-beat-after-20-years

 

 

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...