Right now, it’s easy to second-guess choices. We’ve never been in this situation before—sending employees home to work remotely isn’t business as usual. Companies have had to act fast, and some things are inevitably getting lost in the shuffle. It’s not just you—everyone is struggling right now. No one company is doing it right or wrong.
We’re watching our new normal unfold. We can see what’s happening, so there’s no reason to hold back on planning for recovery, especially when it comes to patching. If you wait until the crisis has passed to start planning, you won’t know how much clean-up you are facing. We’re not quite there yet (we have several weeks ahead of us still), but it’s coming: risk management is the new normal.
Pre-pandemic, changes to infrastructure, security, and operational processes were controlled rigorously to prevent the introduction of additional risk. Companies had systems in place for common scenarios, like testing patches before they were released, or recovering from a patch that broke something.
As we sit in the middle of this global pandemic, those systems are out the window. Companies are doing the best they can with what they have. IT may let patches slide as they scramble to get employees up and running at home.
Patches on Hold
While patches used to be a routine part of your week, they’ve all but stopped. With employees using a range of devices (some are using their personal devices, some companies have resorted to buying and passing out Chromebooks, etc.), there’s a freeze on patches.
When you freeze patching, it’s just what you think: the vulnerabilities that are typically found by the research community and the vendors don’t get fixed. Right now, though, that’s the lesser evil. Let’s talk this through.
Patching takes time, and frankly, few companies have the resources to spare on creating, testing, and implementing patches for an array of devices that may be short-term solutions—and may break with the wrong patch.
Before COVID-19, aggressive companies were willing to test quickly, issue a patch, and move on. The community at large trusted that those forward-leaning companies would do that work and report back to the vendors whether or not there were problems. That testing isn’t happening right now because no one is being that aggressive (with good reason).
It’s a herd immunity thing: because patches aren’t rolling out, there’s no natural beta testing going on in the user community, so you don’t get the benefit of production risk management. Without that testing and risk management, it makes sense to defer patching.
Knowing that, you can make a plan now about how to reimplement regular patching when we’re through the worst of this pandemic.
OK, let’s say a patch is produced and distributed. It’s a real possibility that the bad guys will take the patch and compare it to the original code, then find the differences between the two and use what they learn to develop exploits. Once exploits are available, it’s only a matter of time before bad actors start weaponizing them.
You can avoid this by implementing sound, solid practices whenever possible (even now). Find workarounds and share those throughout the company. Work on mitigation now instead of waiting weeks for COVID-19 to subside.
Pre-pandemic, if a patch broke a system, it was bad, but not terrible because you could easily get to the user’s system and fix it. You could recover. But with so many people working remotely, it’s not feasible for IT to drive to someone’s home for a fix.
You’re in a pinch, and it makes sense to hold off on sending out patches when you don’t know how they’ll interact with every system (remember, employees are working on everything from their personal devices to company-issued devices to Chromebooks that companies issued as a last resort). The risk carried by unpatched vulnerabilities is suddenly more serious.
One way to mitigate this risk is to roll patches out gradually, in stages, so that any problems show up on a small group of devices first. That extends the time it takes to get the patch out to all of your employees. However, as each stage of the rollout succeeds, word spreads that the patch is stable, and it becomes less risky to deploy it more widely.
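The staged rollout described above, as an added illustration that is not part of the original post: the fleet is split into rings that each include every device class (corporate, personal, Chromebook), and the rollout halts before the next ring if the observed failure rate passes a threshold. The device classes, ring sizes, threshold and the simulated install results are all constructed assumptions.

```python
"""Staged patch rollout with a failure-rate gate (added example, assumed design)."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    kind: str            # constructed classes: "corporate", "personal", "chromebook"
    patched: bool = False
    failed: bool = False


def interleave_by_kind(devices):
    """Order the fleet round-robin across device classes so every ring,
    including the small pilot ring, contains each platform."""
    by_kind = {}
    for d in devices:
        by_kind.setdefault(d.kind, []).append(d)
    queues, order = list(by_kind.values()), []
    while any(queues):
        for q in queues:
            if q:
                order.append(q.pop(0))
    return order


def build_rings(devices, sizes):
    """Cut the interleaved fleet into rings of the given sizes; whatever is
    left over becomes the final (largest) ring."""
    order, rings, start = interleave_by_kind(devices), [], 0
    for n in sizes:
        rings.append(order[start:start + n])
        start += n
    if start < len(order):
        rings.append(order[start:])
    return rings


def rollout(rings, apply_patch, max_failure_rate=0.05):
    """Patch ring by ring. After each ring, stop if the cumulative failure
    rate exceeds the gate. Returns (status, last_ring_index, patched, failed)."""
    patched = failed = 0
    for i, ring in enumerate(rings):
        for d in ring:
            d.patched, d.failed = True, not apply_patch(d)
            patched += 1
            failed += d.failed
        if patched and failed / patched > max_failure_rate:
            return ("halted", i, patched, failed)
    return ("complete", len(rings) - 1, patched, failed)


def demo(breaks_chromebooks):
    """Constructed fleet: 10 corporate, 6 personal, 4 Chromebook devices."""
    fleet = ([Device(f"corp-{i}", "corporate") for i in range(10)]
             + [Device(f"byod-{i}", "personal") for i in range(6)]
             + [Device(f"cb-{i}", "chromebook") for i in range(4)])
    rings = build_rings(fleet, [3, 6])      # pilot ring, wider ring, then the rest
    # Simulated install result: the patch either works everywhere or breaks Chromebooks.
    return rollout(rings, lambda d: not (breaks_chromebooks and d.kind == "chromebook"))
```

With the Chromebook-breaking patch the rollout halts after the three-device pilot ring with one broken device instead of four; with a good patch all twenty devices are patched.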
We’re all in the same boat, but that doesn’t mean we can’t start looking ahead. If you’re concerned about how you’re going to handle patch management in the future, contact us. We can certainly help.