Maybe you have a mature patch management policy, and maybe you don’t. Regardless, when everyone moved out of the office, the question of whether to patch or not to patch got a little hairy.
You have devices your organization owns and devices the organization doesn’t own that are allowed access to the environment. So the question is, should you maintain your patch policy, suspend it, or make case-by-case decisions based on how critical the patch is?
The first month, most people were choosing not to take a chance, but as the months go on, the risk of not patching goes up. Skipping one month is different than skipping three.
Running Through Your If-Then Scenarios
Let’s start with company-owned devices. The more technically mature organizations are using enterprise remote access platforms (i.e. Citrix, Horizon, RDS etc.), so they don’t have to worry about the patch level of home machines or what’s on them. Company-owned machines can deploy patches as usual.
Mid-sized funds may have a different set of problems. If employees are using VPN, there’s little control over home machines. Not having a mature process for remote access at scale is a risk some firms are being forced to deal with right now.
If that’s you, then you have to consider whether to turn on auto-updates. At a bare minimum, it’s advisable to address critical security updates in a timely manner for company-owned devices that don’t have a way to be maintained remotely.
For personally-owned devices—the ones you’re allowing to access your resources—the reality is you don’t have much control over those. However, consider whether those machines are accessing actual resources and not just web interfaces. If they’re accessing resources, Agio suggests you encourage users to apply security updates for operating systems and commonly used applications like Microsoft’s suite of products.
Employing Posture Checks
Understand what patch level you’re at on all endpoints. Home machines are a higher risk, and there’s no way to manage those. The only real way to patch if you’re using VPN is to have a firewall that can do an advanced posture check to confirm their baseline is set. Make sure the machines are patched before they come on the network (e.g., patched anti-virus, etc.).
Making Deliberate Decisions
Review critical security updates and make a deliberate choice to apply or not apply. If there’s an event, know what system gets the forensics review if it comes to that. You should be able to say, “We chose not to do this because it would create an operational risk” or “We updated it, and we still had trouble.”
Patching Remote Machines
Most firms are trying to patch desktops as best they can, but the big challenge is the inability to get to those desktops if they don’t come back online. Business continuity is interrupted, so what’s the solution?
First, designate personnel who will go into the office and get things up and running, ensuring they possess proper building credentials so there are no access issues.
For the COOs and CFOs of the world, keep in mind if you have a third-party managing your systems, they won’t be able to get into your office to fix the problem; you need to have your personnel ready to go. If you don’t have a designated employee, then you must heavily weigh the risk/reward of patching.
Second, let’s say you’re a CTO with a thousand desktops; you deploy a patch, and you may lose 2-5% of your machines because the update fails and leaves you with a “bricked” system. Do you take that risk? Our advice – review the nature of the vulnerability the patch is addressing and determine if your compensating controls are adequate to reduce your exposure.
Secure Backup Machines for Critical Personnel
Designate any spare machines for executives and the people who need to be functioning 100% of the time. This is a preventative measure that if actually needed, will make you look good for planning ahead.
If you don’t have a technically mature system in place, and can’t control company machines remotely, apply critical security updates to company-owned devices in a timely manner. Personal devices are less of a risk if they’re only accessing web portals, but we encourage you to apply critical security updates for the OS and the Microsoft suite of apps.