Avoiding Hackers – When is the best time to patch?

08/02/2017  -  3.22

Tony Proctor - Principal Lectuer, Consultant and Information Security Researcher

Many of the data breaches that occur could be easily avoided. This is because often, a weakness (vulnerability) in a program is identified and the vendor produces an update to mitigate the vulnerability, but it fails to be installed by the user(s).

Frequently these updates have been available for months before the breach occurs.

So what is preventing these patches from being installed?

As a single user, some patching has been made much easier for us; operating systems can be set to automatically update (for example windows on patch Tuesday) and there are some user applications that will also do this. But for an organisation, the situation is not quite so straightforward and there is normally a delay while the patch is tested to make sure that it does not have any unexpected consequences. However, this should take no more than a week.

Having reviewed a number of situations where the failure to apply patches has resulted in an incident I can say that these are primarily where the users did not know that a patch was available, where there is no system maintenance programme, because a particular system is maintained by a third party, where older (legacy) systems are in use and there is either a concern about compatibility / no patch available as the system is no longer supported or (less commonly) where there is oversight.

So, (with a caveat that organisations do need to test patches adequately before applying them) the best time to patch is now and that includes operating systems and applications.

Tony recently commented on the topic of website hackers and cyber security in the region's local newspaper, the Express & Star.