2020 was a mess.
It was a big year for security breaches. Big players like Microsoft, GE, Facebook, Instagram, Staples, Spotify, FireEye, and Solarwinds (among many others) were compromised, exposing some 7.9 billion data records and putting close to 300 million people at risk of identity theft and fraud. These security breaches highlight a specific part of the security equation: keeping third-party applications fully up to date using a strong Patch Management policy.
With the push to work from home, due to COVID-19, attackers increasingly targeted conferencing, VPN and other third-party applications. After hitting 300,000 active daily users at the start of April 2020, nearly 500,000 Zoom passwords were breached and up for sale in the dark corners of the web. Researchers indicated the attackers were able to gather the information by collecting and using password dumps from other platforms – demonstrating just how important it is to use unique, strong passwords for all your logins. Even with the most secure password management strategy in the world, operating systems and applications will always require constant and timely updates to ensure the security of your business network.
There are great tools available for managing Windows Update across a wide organization and we’re proud to provide those services to our customers. However, Windows has begun representing a lower risk of vulnerability across the enterprise due to the rise in third-party application vulnerabilities, which is what we’re going to discuss today.
Patch Management: What is a Third-Party Application
Anything not built into the Windows Operating System is considered a third-party application. Unless Microsoft made it, they don’t support it and they don’t provide Patch Management through Windows Update. It’s up to each individual software developer to provide the updates through whatever update mechanism they have in place. Some use little system tray updaters and some require you to download a new version on your own. Worse yet, if it’s not an enterprise-grade application, there likely won’t be a way to centralize the update process for teams of computers, making it nearly impossible to ensure even a small number of computers are up to date. Finally, if your systems are configured with best-practices, individual users won’t have permissions to run the updates, meaning they often stay out of date for months or even years.
What Applications are Vulnerable
Truthfully? All of them. Security is a constant vigil. Mainly, though, we refer to the annoying ones that everyone has installed and everybody hates seeing the update prompts for. Just click “remind me later” and go on about your day, right? We’ve all done it. There’s a long list of applications that get ignored even in the most diligent organizations – even ones with Patch Management policies already in place.
Using Java as an example, during installation it touts being installed on over 3 billion devices. Java is a platform-independent application framework, which means it allows developers to write applications once and run it on any system with Java installed. It sounds great, but being so ubiquitous means it’s one of the biggest targets. Just a few year ago, Trusteer, a security division of IBM, released a report that half of all exploits it examined were targeted at Java. That’s a lot of exposure. The landscape has changed since then, but the problem remains.
What Patch Management Means
The point is that your network isn’t made safe by just protecting it with a firewall and running Windows Update. Security is not a silver bullet, it’s multi-pronged. Patch Management throughout the organization is one of the major functions. Modern attack vectors are becoming less about breaking in and more about tricking users to let them in. Once they are, the next step to full breach is taking advantage of unpatched software with security holes, then there you have it.
Through our experience providing vulnerability assessments for large organizations, we would rate third-party application patching as one of the most critical security concerns, as the largest number of security vulnerabilities are consistently related to outdated applications. We did a scan for a company with just over 1,000 systems and the top security risk was Java. Over 1,200 vulnerabilities throughout the organization that could all be remediated quickly and easily with a managed third-party patching procedure.
Luckily, fully automated third-party application patching is a service we build into all of our Managed Services offerings. Here is just a small list of the applications we automate updates for:
- Adobe Reader
- Adobe Creative Cloud
- Foxit Reader
- Google Chrome
We can also customize application lists and schedules based on our clients’ specific needs.
Why Hermetic Networks Patch Management?
All of these applications are easy enough to update on their own. Combined with OS patching, the security footprint of any organization can be drastically reduced. The major issues come at scale. Business owners and managers have far more important things to focus on than constantly updating computers. While Microsoft releases updates on a consistent, monthly schedule, other software developers don’t have release schedules or timelines. More often than not, updates are released whenever they’re done, making it impossible to keep everything current.
Each of our Managed Services offerings includes fully automated Windows and Third-Party Application Patch Management, meaning you’ll never have to worry if your systems are up to date. We stick to a strict schedule for Microsoft updates to ensure, to the best of our ability, that nothing goes wrong and push application patches out as soon as they’re available. Our customers can choose their own update schedule so that nothing interferes with their work and everything stays predictable. Best of all, it’s incredibly affordable.
Get in contact today to learn more about how we can help manage the patching and security for your organization.