A Patch a Day Keeps the Vulnerabilities Away

The old adage “an apple a day keeps the doctor away” speaks volumes about the importance of preventative measures that protect your health. In the risk world, apples won’t do much, but there is something that will…patch management. Patches are essentially playing the same role as an apple would, as they work very much in the same way, but, rather, they protect your credit union’s software and networks from vulnerabilities.

We’ve seen time and again, especially over the past few years, that cybercriminals and hackers are always looking for vulnerabilities within applications – do the terms Wannacry, ZeroLogon and Log4j ring a bell? In order to combat security threats, software companies release patches to fix the vulnerabilities. So, what’s a patch? Simply put, a patch is a code change that can be applied to create a consistent, secure environment by fixing bugs, and implementing new software features and safety measures.

The Importance of Patches

If you’re wondering why patches are so important, you may want to digest this bit of information. No software is immune to vulnerabilities, regardless of their size, popularity or notoriety. Even the biggest and most reliable software companies offer patches for their products. In fact, Microsoft releases new patches on the second Tuesday of every month, so aptly called “Patch Tuesdays.”

Here are some other reasons that make patch management not just important, but beneficial to your credit union:

• It ensures a better protection and overall security for your systems. If your credit union doesn’t apply patches, you might be setting the organization up for exploitation in the form of malware, ransomware and more. These threats can take advantage of flaws in your software and applications in order to infect your computer systems, or even go so far as to hold all of your data hostage until you pay a fee.
• It keeps you in compliance. We all know that financial industry regulations are many and ever-changing, but one thing that is consistent among compliance efforts is security. If you consistently perform patch updates, you’re more likely to remain in compliance with standard regulations – current and new – which means avoiding consequences such as fines, stripping of privileges and more.
• It also helps you to implement new features and functionality. Patch management isn’t just about fixing problems and layering on the security. It’s also a means to provide your members with additional capabilities within your technology, which is often recognized as progressive and innovative. How’s that for a reputational boost?
• It keeps your systems up and running. Speaking of reputation, your members don’t want to see that your technology is constantly down or having problems. With a proper patch management system, you’re introducing resolutions to any existing problems so you can remain operational.

The Anatomy of a Patch Management Process

The best way to prevent malicious threats from entering your systems, and to reap all the benefits shown above, is to develop a patch management process. The patch management process will guide you and your staff through patching your computers and systems. The process should include:

1. Asset inventory. Know what devices you have and what software and applications are installed so you can properly patch your network. Take inventory of product owners, IP addresses, versions and other detailed information about your systems and do it on a consistent basis. Patch management is a place where the phrase “the more you know” really pays off.
2. Patch management officer or team. A person or group of people should be designated to prioritize and stay up to date on the latest patches, as well as coordinate and implement patches.
3. Timetables. Patches should be assigned specific timeframes and schedules based on their priority. Also, be aware of software companies’ schedules so you can plan for regular patches – ex: Microsoft’s “Patch Tuesdays.”
4. Deployment of patches. This could be an automatic or manual process. Automation will help to minimize the time and resources spent performing patches, so keep that in mind as you are structuring your patch management process.
5. Testing and assessment. Testing should be performed to confirm the patches are working properly to protect your systems. You don’t want to assume the patch was successful only to learn later that it ultimately wasn’t. Assess your systems after all patches and testing are applied.
6. Compliance verification. Obtain proof that patches are being applied and that all computers are receiving those patches.

A patch management process is a necessary component of any security and risk management program. It’s meant to protect your organization from a myriad of potential issues – security, compliance, reputational and so on. For all these reasons, my sincere recommendation to any credit union that doesn’t currently have a patch management process is to establish one as soon as possible. After all, an apple a day keeps the doctor away, but a solid patch management process will keep the bugs, viruses, malware, regulators and all those other pesky risk factors away!

Mike Bechtel is an information security analyst for Vizo Financial. As such, he provides incident response planning services, information security risk assessments, security awareness training and information security-related consulting services to credit unions.