Why is patching so important for preventing cyber disasters?
Patching is essential because many major cyberattacks could have been prevented by applying updates that were already available. Unpatched vulnerabilities are a common attack vector, yet some organizations still operate under the mindset of avoiding updates as long as systems appear to be functioning normally. In reality, if a patch exists, the system is already flawed. Patches are released to correct weaknesses that could allow attackers to bypass built-in security. Cybercriminals read patch releases too and can very quickly develop exploits for unpatched systems. One of the most prominent examples is the 2017 WannaCry ransomware attack, which exploited the EternalBlue vulnerability. The flaw had been publicly known for six weeks prior to the attack. It targeted Microsoft RPC and SMB protocols. WannaCry also showed how malware could enter an organization through a single unpatched laptop.
What needs patching beyond your operating system?
Patching should extend beyond the operating system to include applications and hardware. For example, in 2022, a vulnerability allowed a non-macro-enabled Word document to crash the application and call the Microsoft diagnostics tool, which then triggered PowerShell. This was a zero-day exploit that took Microsoft several days to address.
It's equally important to patch network equipment such as firewalls and routers. The Log4j vulnerability remains active on many outdated firewalls. Unpatched VPNs on firewalls can allow attackers full access to a network.
How can you effectively manage your patching process?
Windows updates simplify OS patching, but third-party application patching is often more complex. Many patch management tools only check registry version numbers, which can give a false sense of security. In one internal case, a scan revealed 417 machines running outdated software across 20 different applications, even though the patch management system had reported everything as up to date. This underscores the difference between doing security for compliance and doing security for actual protection.
Key considerations for effective patching include:
- Spot checks: Regularly compare patch management reports with actual software versions.
- Beyond registry checks: Account for software that lacks registry version data, apps installed under user profiles (such as multiple Chrome instances), and portable tools like PuTTY, which are often used in ransomware attacks.
- Prioritize visibility: Use tools that detect outdated software based on file hashes of known vulnerable versions, including portable apps.
- Layered security: Patching alone is not enough. It must be part of a multi-layered security approach. Assume both software and hardware contain vulnerabilities and act accordingly.
- Strategic patching: Test patches on a small group of systems before wider deployment. This allows time to detect issues and halt the rollout if needed.
- Environmental hardening: Block untrusted software and restrict Office applications from calling PowerShell. These strategies can neutralize vulnerabilities, making some patches less urgent.
- Consistent OS patching: Microsoft releases most security updates on Patch Tuesday. Staying current with monthly patches is a key best practice.
- Firewall patching: As a rule, if it’s a firewall, it needs patching.
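The spot check and hash-based detection described above, as an added PowerShell example that is not ThreatLocker's tool: it compares what the registry reports with what is actually on disk, covers per-user installs and portable executables, and flags binaries whose SHA-256 matches a known-vulnerable build. The hash list, the scan roots and the loose version comparison are assumptions for illustration.

```powershell
# Added example, not ThreatLocker's tool: spot-check one Windows host by comparing what the
# registry (and so most patch-management tools) claims is installed with what is actually on
# disk, then hash every executable against known-vulnerable builds. Run from an elevated prompt.

# CONSTRUCTED placeholder SHA-256 values; replace with hashes taken from your vendors' advisories.
$KnownVulnerable = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'putty.exe, placeholder vulnerable release'
    '0000000000000000000000000000000000000000000000000000000000000002' = 'chrome.exe, placeholder vulnerable release'
}

# 1. Registry view: machine-wide (64- and 32-bit) plus the current user's per-profile installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Reported = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion

# 2. Disk view: program directories plus every profile's AppData\Local, Downloads and Desktop,
#    where per-user installs and portable tools live without any registry footprint.
$ProfileRoots = Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    "$($_.FullName)\AppData\Local"; "$($_.FullName)\Downloads"; "$($_.FullName)\Desktop" }
$ScanRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) + $ProfileRoots

$Findings = foreach ($exe in Get-ChildItem -Path $ScanRoots -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue) {
    $hash    = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
    $product = $exe.VersionInfo.ProductName
    $onDisk  = $exe.VersionInfo.ProductVersion
    # Tie the binary back to a registry entry by product name; portable tools will have none.
    $entry = if ($product) {
        $Reported | Where-Object { $_.DisplayName.IndexOf($product, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            Select-Object -First 1 }

    $status = if ($KnownVulnerable.ContainsKey($hash)) { "KNOWN-VULNERABLE: $($KnownVulnerable[$hash])" }
              elseif (-not $entry -and $exe.FullName -like 'C:\Users\*') { 'NOT-IN-REGISTRY (invisible to registry-only tools)' }
              elseif ($entry.DisplayVersion -and $onDisk -and
                      -not ($onDisk.StartsWith($entry.DisplayVersion) -or $entry.DisplayVersion.StartsWith($onDisk))) {
                  "VERSION-MISMATCH: registry $($entry.DisplayVersion) vs file $onDisk" }
    if ($status) {
        [pscustomobject]@{ Status = $status; Path = $exe.FullName; FileVersion = $onDisk; Sha256 = $hash }
    }
}
$Findings | Sort-Object Status | Format-Table -AutoSize
```

Compare the VERSION-MISMATCH and NOT-IN-REGISTRY rows against what your patch management console reports for the same host; any gap is the kind of blind spot the 417-machine scan above exposed.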
Key takeaway
The belief that systems should not be updated unless broken is a dangerous misconception. While patching is not a complete solution, it is a foundational defense against many of the vulnerabilities attackers exploit in high-profile cyber incidents.
Like what you see?
Dive into 100 days to secure your environment, a ThreatLocker webinar series. This tactical series will walk you through fully securing your environment, step by step.