Ever hear of “Patch Tuesday”?
That’s the unofficial name that IT professionals have given the second Tuesday of every month. It’s the time that Microsoft and other vendors release their security patches to the world. This is a way to ensure that IT teams can be ready for patches, create testing standards, and ensure that devices are receiving patches on a regular cycle. Patches released outside of this schedule are known as “out of band patches”.
Earlier this week, many Outlook users clocked in for their shift only to discover their email was down. Outlook would crash shortly after opening, and the only option to use Outlook was to log in to their webmail.
Microsoft released a wide variety of updates, including a bad one within Windows. This type of incident is relatively rare with Microsoft, but it gives us a great opportunity to evaluate our patching policies and maybe choose a different strategy as needed. Microsoft was able to identify the issue within a few hours and push out a remediating patch a few hours later.
The speed of the fix was exceptional, but did it need to happen?
The short answer: YES. Rapid patching is critical to a computer network. Here’s why:
Within seconds of any vendor releasing a patch, criminals are working to decompile it and understand what was fixed so they can exploit unpatched computers. In the past, this used to take months. Now, it is common to see an active exploit within a couple of days to weeks. That means that every day the patch is not applied to a system, the risk to that system increases at an exponential rate. Having an unpatched system could lead to significant damage to your business.
Here are a few best practices that will help protect you and your business:
- Patch a testing environment and test all business applications thoroughly for functionality and security.
- Release the patch to a handful of users with a high level of computer skills, or with lower business impact. This will lower the risks in the event of a failed machine. Evaluate the results before proceeding.
- Patch a larger group of users with medium skills or medium-risk computers. Evaluate again for any issues.
- Finally, patch the remaining machines and monitor for any issues.
Most businesses do not have the time, expertise, and resources to carry out this practice, and would typically delay patching until they noticed an issue. With the wide adoption of Windows 10, we have seen Microsoft automatically create a patch policy for users that has the computer download updates as soon as they are made available.
One option available to the average business for balancing the risk of vulnerabilities against the risk of a broken patch is this:
Approve security patches immediately to help keep the computers as secure as possible. Then, hold on to any remaining patches for a short time. This gives Microsoft a chance to respond to any issues the patches created, release the improved patch, and reduce the impact of a bad update to your business.
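The staged rollout in the list above and the approve-security-first policy can be combined into one small decision function. This is an added example, not code from the original article; the hold period, failure threshold, ring names and KB identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values, not from the article; tune them to your environment.
HOLD_DAYS = 7              # how long non-security patches are held back
MAX_FAILURE_RATE = 0.05    # a ring above this failure rate stops the rollout
RINGS = ["test", "pilot", "medium", "all"]  # the four stages in the list above

@dataclass
class Patch:
    kb: str          # constructed identifier, not a real KB number
    security: bool   # True for security patches
    released: date

def approval_date(patch):
    """Security patches are approved on release day; others wait HOLD_DAYS."""
    if patch.security:
        return patch.released
    return patch.released + timedelta(days=HOLD_DAYS)

def next_step(patch, today, results):
    """Decide what to do with a patch today.

    results maps ring name -> (machines_patched, machines_failed) for every
    ring that has already been patched and evaluated.
    Returns ("hold", None), ("deploy", ring), ("halt", ring) or ("done", None).
    """
    if today < approval_date(patch):
        return ("hold", None)          # still inside the hold window
    for ring in RINGS:
        if ring not in results:
            return ("deploy", ring)    # earlier rings passed; patch this one next
        patched, failed = results[ring]
        if patched == 0 or failed / patched > MAX_FAILURE_RATE:
            return ("halt", ring)      # no evidence or too many failures
    return ("done", None)              # every ring patched and evaluated

if __name__ == "__main__":
    # Constructed sample data.
    release = date(2024, 1, 9)
    security = Patch("KB-EXAMPLE-SEC", True, release)
    other = Patch("KB-EXAMPLE-OTHER", False, release)
    print(next_step(security, release, {}))                     # deploy to test
    print(next_step(other, release, {}))                        # held
    print(next_step(security, release + timedelta(days=2),
                    {"test": (10, 0), "pilot": (20, 3)}))       # halted at pilot
```

A "halt" result is the point at which a bad update like the Outlook one is caught before it reaches the remaining machines.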