We all know how important it is to keep current with security updates, a.k.a. patches – but how many organizations are really following best practices? As attackers get more sophisticated and researchers become more diligent, vulnerabilities in popular software – from operating system to end-user applications and even including security software – are discovered every day. To their credit, software vendors are working overtime to stay on top of the problem and issue patches to fix these flaws as quickly as possible.
This never-ending flow of updates from multiple vendors, though, can make it difficult for IT to keep up. While Microsoft and other major software makers try to simplify the patching process through automation and distribution tools, we all know that in the corporate environment, it’s often prudent to test patches in a lab environment before rolling them out to your production network.
Failure to do so can result in a nightmare of system problems and even computers that become unbootable. Who can forget McAfee’s patch fiasco in 2010, when an update rendered Windows XP computers unusable and the company ended up having to reimburse many customers for the repairs required to restore functionality?
However, failure to patch can have even more serious ramifications – including the exposure of confidential company or personal information and consequent civil liability and/or penalties for violation of regulatory compliance requirements – since the majority of patches issued are security-related. Taking a look at a year of statistics collected from GFI Cloud’s database, I noted that out of the 27,087 patches, more than 16,000 are security patches, and almost 2000 more are service packs, which typically contain many security updates.
In today’s uncertain economic climate, many IT departments are understaffed and admins’ workloads are already heavy. Patching can become a “when I get around to it” thing – and that can be a recipe for disaster. Some patches may slip through the cracks completely, and trying to keep track manually of which systems are patched and which aren’t is, at best, an administrative headache.
A good patch management system goes a long way to address these problems. Such a system can monitor for missing patches and notify admins. Recent statistics collected regarding organizations using GFI Cloud show that notification is a powerful motivator, with over 30 percent of missing patches applied within 1 day after notification, and almost 90 percent fixed within two weeks.
These statistics span the period of one year, from April 2013 to April of this year, and are based on 864,106 device patches applied by customers over that time frame. Keep in mind that these numbers and patterns apply specifically to GFI Cloud users, who may differ from the average small business users. In fact, a study last year from the Federation of Small Businesses in the U.K. indicated that only 36% regularly installed security patches on their computers. Meanwhile, vulnerable systems are putting many organizations at serious risk.
Part of the problem is that there are so many patches for so many different software products. Our data showed that those with the greatest number of patches over the year included Windows, Microsoft Office, Adobe Flash, Firefox, Java, Adobe Reader, Microsoft’s Lync Communications software, Wireshark, Exchange, and various developer tools. There were also more than 4000 patches associated with “other” products (i.e., everything else).
Keep in mind that pure numbers don’t always tell the full story, though. At first glance, one might assume that the “patchiest” products shown above have the most vulnerabilities. That might or might not be the case. For example, in a recent month Microsoft issued five patches addressing seven vulnerabilities. That same month, Apple released only two patches, but they addressed twenty-something vulnerabilities. In other words, the most patches doesn’t necessarily mean the most vulnerabilities.
It’s also difficult sometimes to compare products across vendors because of different means of releasing patches. For instance, some vendors always issue a new version of the software (for example, Google Chrome) to patch security issues rather than releasing standalone individual patches.
In any event, it’s interesting to look at a breakdown of the so-called “patchiest” products in terms of the percentage of patches that are applied within a given number of days following the missing patch notification. The percentage peaks earlier for some, such as Firefox and Adobe, than for others, but for all products the patching percentage seems to follow a similar curve, a sharper increase up to about the seventh day and then a leveling off.
Just what that percentage is at the one-week mark, though, depends on the product. For Firefox it’s over 90 percent while slightly under 70 percent for Java.
Another pattern that remains fairly consistent over the course of the first week is that companies with more than 100 devices tend to have patched a smaller percentage of those devices on any given day. This isn’t surprising, since larger companies are more likely to proceed with caution, testing patches before applying, and of course it also just takes longer to get a larger number of devices patched. Up until around the fourth day following notification, the smallest companies (1-5 devices) lag slightly behind in patching, as well – but after the fourth day, they consistently have the largest percentage of devices patched.
The good news is that regardless of company size, the largest percentage of GFI Cloud customers are applying patches within one day after receiving notification that they’re missing.
This reinforces the hypothesis that notification is a strong motivating factor.
As might be expected, the numbers indicate that companies are applying security patches a bit more quickly and diligently than non-security patches – but the difference isn’t great. On the other hand, there is a bigger gap between the application of regular patches and full-fledged service packs. This isn’t surprising, either, since it generally takes more time to roll out service packs (and more time to test them beforehand, due to the complexity and increased risk of “unintended consequences”).
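The curves described above (percentage of devices patched within N days of the missing-patch notification, broken down by product, by company size tier and by patch category) are straightforward to compute from your own patch management records. The following is an added example, not GFI Cloud code; the records are constructed sample data, and the tuple layout and tier boundaries are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not GFI Cloud data): one row per device/patch,
# giving the day the missing-patch notification went out and the day the
# patch was applied (None = still missing at the end of the window).
# Layout assumed: (product, category, devices_in_org, notified, applied)
RECORDS = [
    ("Firefox", "security", 3, date(2014, 3, 1), date(2014, 3, 1)),
    ("Firefox", "security", 250, date(2014, 3, 1), date(2014, 3, 6)),
    ("Java", "security", 40, date(2014, 3, 2), date(2014, 3, 10)),
    ("Java", "security", 250, date(2014, 3, 2), None),
    ("Windows", "service_pack", 40, date(2014, 3, 3), date(2014, 3, 20)),
    ("Windows", "non-security", 3, date(2014, 3, 3), date(2014, 3, 4)),
]
AS_OF = date(2014, 3, 31)  # end of the constructed observation window

def size_tier(devices):
    """Bucket an organisation by device count (tiers are assumptions)."""
    if devices <= 5:
        return "1-5"
    if devices <= 100:
        return "6-100"
    return ">100"

def cumulative_patch_curve(records, key, horizon_days=14):
    """Return {group: [pct patched within d days for d in 0..horizon_days]}.
    key(record) selects the grouping: product, size tier or patch category.
    Never-applied records stay in the denominator, so the curve cannot reach
    100% until every notified device is actually patched."""
    lags_by_group = defaultdict(list)
    for rec in records:
        notified, applied = rec[3], rec[4]
        lag = (applied - notified).days if applied is not None else None
        lags_by_group[key(rec)].append(lag)
    curves = {}
    for group, lags in lags_by_group.items():
        curves[group] = [
            100.0 * sum(1 for l in lags if l is not None and l <= d) / len(lags)
            for d in range(horizon_days + 1)
        ]
    return curves

def still_missing(records, as_of, max_days=7):
    """Worklist of patches not applied within max_days of notification as of
    the given date: the one-week laggards an admin would chase first."""
    overdue = []
    for product, category, devices, notified, applied in records:
        past_deadline = (as_of - notified).days > max_days
        if past_deadline and (applied is None or (applied - notified).days > max_days):
            overdue.append((product, size_tier(devices), category))
    return overdue
```

Group by `lambda r: r[0]` for the per-product curve, `lambda r: size_tier(r[2])` for the company-size view, and `lambda r: r[1]` for security versus non-security versus service pack.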
All in all, these statistics tell an encouraging story: whereas some industry-wide surveys show much lower percentages of devices patched, particularly in certain segments such as small business, users of automated hosted management platforms such as GFI Cloud are “getting it done” – responding quickly to notification of missing patches and remedying the problem within days. It makes sense that over-burdened IT personnel can use a helping hand, and given the dire consequences that can follow when systems go unpatched, putting a high priority on patch management is a smart business decision.