Over the years, most of the major software vendors have settled on a fixed day of the month on which they formally
release their security patches and upgrades to the public. Although I don't keep specific track of them,
I know for a fact that Adobe, Oracle, and I think even VMware have a specific
day and time of the month. But the biggest
of them all, Microsoft, has led the way in this realm.
On the second Tuesday of every month, Microsoft releases security updates for Windows and its other supported
products, together with the advisories describing the vulnerabilities they fix. As you can imagine, this can be quite an
exhaustive list to go through when deciding which ones you need to download and
apply.
Personally, I don't pay too much attention to it,
because I let my laptop do the updating as it needs to.
Once I hear the fan running for a long period of time,
that's when I know for sure it is happening.
But here are some interesting tidbits about "Patch Tuesday", as it has
become known:
*It first started in October 2003 and has run continuously
since then, for 20 years.
*Despite its prestige, Microsoft consistently ranks
among the technology vendors with the most reported vulnerabilities in the software
it creates and deploys. It has even been known to ship patches that were themselves
incomplete and needed a follow-up fix. Over
this 20-year span there have been 10,900 flaws in Microsoft products. Of these, 1,200 were rated "Critical" in
terms of severity, and 5,300 were rated "Important".
*A single vulnerability rated "Critical" or "Important" has had
over 630 exploits recorded against it.
*Because of Microsoft's sheer growth over the last 20
years, driven primarily by M365 and Azure, the company is also judged to have
one of the largest attack surfaces of any vendor.
But now the critical question being asked is: why
should companies have to wait until Patch Tuesday to find out about vulnerabilities? Shouldn't they know about them sooner, so they
can fend off potential threats? Here
are some thoughts on this side of the story:
1)
Zero-Day Exploits:
This is techno jargon that
simply means a cyberattacker has discovered a weakness or gap before
Microsoft is aware of it, so no patch exists when the attack begins. The attacker
is ready to pounce, and needs only one entry point to
cause as much damage as possible. Whether
it is deploying a malicious payload or stealing PII datasets to be sold
on the Dark Web, the damage is done before a fix is available. Speed matters here: the
CrowdStrike report cited below measured the average eCrime "breakout time", from initial
access to lateral movement inside the victim's network, at 79 minutes. Gaining that initial foothold is not
difficult to begin with. With all of the free hacking tools
that are available on the Dark Web, this comes as no surprise to
me. And even once the vulnerability has been reported, there is
a long lag. Microsoft first has to develop the patch, and
then test it. Once businesses download it, they in turn
need to test it in a sandboxed environment to
make sure that it "plays nice" with the other components of their IT and
network infrastructure.
In practice, Microsoft does not always hold a fix for Patch Tuesday: vulnerabilities under
active exploitation sometimes receive out-of-band updates, and each CVE's entry in the Microsoft
Security Update Guide states whether exploitation has been detected, which is the first field
to check when deciding what must be deployed immediately rather than on the monthly cycle.
The bottom line is that there is still a sizeable time gap between when
an exploit is first known and when the patch is available to the public for
download, and a larger one before it is actually installed.
(SOURCE: https://www.crowdstrike.com/resources/reports/threat-hunting-report/)
2)
Put security in the first place:
This comes down to a topic
I have belabored before: address
security at the source-code level, from the earliest
stages of development. For
example, build the code in modules or "chunks", and after each
iteration test it thoroughly for any weaknesses or vulnerabilities. If any are found, remediate them then and
there, so they do not cascade into the modules built on top. In the same spirit, open-source libraries and APIs need
to be fully vetted, with their versions pinned and checked against known advisories, before they are put into the production environment. In the end there will always be some
vulnerabilities, but taking a proactive approach early in the game
greatly mitigates the risk. This is technically
known as "Secure by Design", and CISA has published guidance strongly recommending it.
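One concrete form of that vetting step is a build gate that refuses to ship a pinned dependency whose version falls inside a known-vulnerable range. The script below is an added example written for this post, not CISA's or any project's code: the advisory feed, the pin file and the advisory ids are constructed placeholders, and the range syntax (comparators joined by commas) is an assumption modelled loosely on PEP 440 specifiers that handles only plain numeric dotted versions.

```python
"""Gate a build on pinned dependencies against a vulnerability feed.

Added example. ADVISORIES and REQUIREMENTS are constructed for the demo, and the
range syntax is an assumption: comparators joined by commas, numeric versions only.
"""
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def parse_version(v):
    """'2.10.1' -> (2, 10, 1). Trailing zeros are dropped so 1.2 == 1.2.0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9.]+)$")


def in_range(version, spec):
    """True if version satisfies every comparator in spec, e.g. '>=2.0,<2.1.4'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad specifier: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


# Constructed advisory feed (placeholder ids, not real advisories).
ADVISORIES = [
    {"id": "ADV-0001", "package": "fastjsonlib", "affected": "<1.4.2", "severity": "high"},
    {"id": "ADV-0002", "package": "netclient", "affected": ">=2.0,<2.1.4", "severity": "critical"},
    {"id": "ADV-0003", "package": "netclient", "affected": "<1.9", "severity": "medium"},
]

# Constructed pin file, in requirements.txt style.
REQUIREMENTS = """\
# constructed pin file
fastjsonlib==1.4.1
netclient==2.1.3
templating==3.0.0
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)\s*$")


def parse_pins(text):
    """Return {package: version}. Only exact pins are accepted: a range cannot be vetted."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def check(requirements_text, advisories, block_at=("high", "critical")):
    """Return (violations, blocked). violations lists every (id, package, version, severity)
    match; blocked is True when any match is at a severity in block_at."""
    pins = parse_pins(requirements_text)
    violations = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and in_range(pinned, adv["affected"]):
            violations.append((adv["id"], adv["package"], pinned, adv["severity"]))
    blocked = any(sev in block_at for _, _, _, sev in violations)
    return violations, blocked


if __name__ == "__main__":
    found, blocked = check(REQUIREMENTS, ADVISORIES)
    for adv_id, pkg, ver, sev in found:
        print(f"{sev:8} {pkg}=={ver} matches {adv_id}")
    raise SystemExit(1 if blocked else 0)
```

Run as a CI step, the non-zero exit code fails the build, which is the "remediate then and there" behaviour the paragraph asks for: the fix is to bump the pin, not to wait for the next release cycle. Real feeds (OSV, GitHub advisories) use richer version semantics than this toy comparator, so the parsing here should be replaced with a proper PEP 440 implementation such as the `packaging` library before relying on it.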
My Thoughts On This:
So now, the other big question that remains is: is Patch
Tuesday still worth it? People will have
differing views on this, but IMHO, I think it is still worth it. The primary advantage is that at least
the IT security team knows when new software patches and upgrades will be
coming out, so they can plan accordingly.
But again, this can also be stressful, because if Microsoft
releases 100+ patches, each of them has to be reviewed in detail
to decide which ones are needed and which systems they apply to.
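That review can be reduced to a repeatable triage, shown here as an added example written for this post (not Microsoft's tooling or the author's own code). It takes one month's advisories, puts anything under active exploitation or listed in CISA's Known Exploited Vulnerabilities catalogue at the top regardless of severity rating, and drops anything no host in the inventory actually runs. The field names are loosely modelled on the Security Update Guide export; the CVE ids, inventory, KEV entries and SLA values are all constructed placeholders.

```python
"""Triage a Patch Tuesday release against exploitation evidence and an asset inventory.

Added example. Field names are an assumption modelled loosely on the Microsoft
Security Update Guide export; every record below is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    severity: str      # "Critical", "Important", "Moderate" or "Low"
    cvss: float
    exploited: bool    # vendor reports exploitation detected
    disclosed: bool    # details were public before the fix shipped


# Constructed sample of one month's release (placeholder CVE ids, not real ones).
RELEASE = [
    Advisory("CVE-2099-0001", "Windows Server 2022", "Critical", 9.8, False, False),
    Advisory("CVE-2099-0002", "Windows 11", "Important", 7.8, True, False),
    Advisory("CVE-2099-0003", "Microsoft Exchange Server", "Important", 8.0, False, True),
    Advisory("CVE-2099-0004", "SQL Server", "Critical", 9.1, False, False),
    Advisory("CVE-2099-0005", "Windows 11", "Moderate", 5.5, False, False),
    Advisory("CVE-2099-0006", "Office 2021", "Important", 7.5, False, False),
]

# Constructed stand-in for the CISA Known Exploited Vulnerabilities catalogue.
KEV = {"CVE-2099-0006"}

# Constructed asset inventory: host -> products installed.
INVENTORY = {
    "dc01": {"Windows Server 2022"},
    "web01": {"Windows Server 2022", "SQL Server"},
    "laptop-42": {"Windows 11", "Office 2021"},
}

# Remediation deadline per tier, in days (an assumption; set this to your own policy).
SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30}


def tier(adv, kev, inventory):
    """Return (tier, affected_hosts); tier is None when nothing in the estate runs the product."""
    hosts = sorted(h for h, prods in inventory.items() if adv.product in prods)
    if not hosts:
        return None, hosts
    if adv.exploited or adv.cve in kev:
        return "P1", hosts   # exploitation confirmed: the monthly cadence no longer applies
    if adv.severity == "Critical" or (adv.severity == "Important" and adv.disclosed):
        return "P2", hosts   # remotely exploitable, or attackers already have the details
    return "P3", hosts


def triage(release, kev, inventory):
    """Return the advisories that matter to this estate, most urgent first."""
    rows = []
    for adv in release:
        t, hosts = tier(adv, kev, inventory)
        if t is None:
            continue
        rows.append({"cve": adv.cve, "tier": t, "sla_days": SLA_DAYS[t],
                     "cvss": adv.cvss, "hosts": hosts})
    # P1 before P2 before P3; within a tier, higher CVSS then more hosts affected
    rows.sort(key=lambda r: (r["tier"], -r["cvss"], -len(r["hosts"])))
    return rows


if __name__ == "__main__":
    for r in triage(RELEASE, KEV, INVENTORY):
        print(f'{r["tier"]} {r["cve"]:15} cvss={r["cvss"]:<4} '
              f'fix within {r["sla_days"]:>2}d  hosts={",".join(r["hosts"])}')
```

Note what the ordering does with the sample data: the Important-rated bug that is being exploited outranks both Critical ones, and the Exchange advisory disappears entirely because no inventoried host runs it. Exploitation status, not the severity label, is what decides whether a fix can wait for the usual test-and-deploy cycle.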
But then, of course, there is the school of thought that favors
putting them out on an ad hoc basis.
Meaning, rather than waiting for the second Tuesday of the month to announce
them, Microsoft should simply release each patch as soon as it is ready. The complaint then would be
that there is not enough time to prepare, and so on.
In the end, it takes the best of both worlds, and truthfully
speaking, that will be very hard to achieve.
Given just how gargantuan Microsoft is, it is quite conceivable that
they could come out with new patches almost every other day. So what is a business to do?
The answer is simple:
Be proactive. Keep testing your
systems and digital assets on a regular basis, and remediate anything that is
found. That way, you will be one step
ahead of Patch Tuesday.
Also, more information about Patch Tuesday can be found at
the link below:
https://www.darkreading.com/edge-articles/how-patch-tuesday-keeps-the-beat-after-20-years