Depending on the complexity of your network, it can be a challenge to keep up with the patches, both recommended and required, that vendors issue on a regular basis. Some say the frequency of these patches is increasing because of the uptick in breaches and network attacks that cybercriminals undertake.
Yet if a financial firm experiences a breach, and a patch was available that would have prevented it, the firm can land in a world of trouble. For example, Equifax’s breach, which exposed sensitive financial and other personal information of more than 140 million Americans, was caused by a lack of patch management. The firm recently agreed to a consent order, drawn up by eight U.S. states, to prevent attacks caused by insufficient patching.
What the FFIEC Says About Patch Management for Financial Firms
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance on how to handle patches, and it's a solid guide financial institutions would do well to follow when managing patches.
Here’s a breakdown of the instructions from the FFIEC and insights into how financial firms can implement them in their operations so they don't land in hot water in the event of a breach.
- Develop automated communications with vendors. The FFIEC recommends signing up for the email alerts vendors issue about the latest available patches. It also suggests proactively monitoring vendor websites so you get patch-related information as soon as it is published. One way to automate that is to set up a Google alert for a phrase such as “Sophos patch update”. Google will then automatically send you links to information Sophos publishes about patches on its site.
- Evaluate and document the impact of a patch. Some patches have negative effects on the network and can cause downtime or slowed response times for critical network functions that affect customer services. In these instances, the FFIEC recommends documenting any reasons you may have for not installing a patch, such as any “technical, business, or security implications” the patch may have for your firm.
- Prioritize which patches are most important for network security. Depending on the size and complexity of your network, you could be managing hundreds of patches within a quarter. The FFIEC recommends ranking which patches take precedence over others. Be sure to document your reasoning for this as well; it may come in handy should you have to justify your decision making in the event of a breach.
- Have a plan to roll back patches should problems arise. Patches can cause unforeseen problems, and it's good to have a plan and know what your options are should you need to act. You could roll back patches manually via the SystemRoot directory, but this only works for one patch at a time, and you may get mixed results depending on which components were replaced by the patch being rolled back. You can also plan to perform a system restore to return settings to an earlier state; while this can take a long time, it does ensure that everything that went wrong in the update is rolled back. Once again, though, this is usually performed locally and requires many manual changes across a large network of devices. The best option may be to use a third party that handles and deploys your patches and has the resources to support rollbacks globally.
A few other considerations FFIEC shared:
- Remember to patch virtual environments.
- Patches should also be deployed in disaster recovery resources.
- Update the firm’s information assets, such as any inventories of the technology you use, along with the effect the patch may have on your disaster recovery protocols.
The FFIEC puts a heavy emphasis on documentation of processes and protocols related to patch management for financial institutions. The key takeaway from its guidance is that financial institutions should create a ‘paper’ trail the organization can follow to show the logic and reasoning behind decisions related to patch management. There’s also an emphasis on proving that your firm actually carries out the processes you’ve set forth.
5 Ways You Can Streamline Patch Management for Your Financial Institution Today
When implementing patches, some firms have found the cure worse than the potential threat to the network. Patches have at times exposed networks to new vulnerabilities. Take the Spectre and Meltdown side-channel attacks uncovered earlier this year: some of the patches distributed by Microsoft opened up new Windows 7 vulnerabilities, and firms had to install further patches to mitigate the risks introduced by the initial ones.
Yet failing to install a critical patch can open your firm up to an Equifax-like data breach. To strike the right balance, consider the following:
- Ensure the patch comes from a trusted source. You can take care of this by prioritizing patches based on vendor or the most critical systems/software in your network.
- Verify the patch. You’ll want to put the patch through its paces before installing it by comparing cryptographic hashes. This reveals whether the patch has been altered since it was created by the original source.
- Monitor the system you use to manage patches. This helps you ensure that only authorized patches are installed.
- Deploy patches in a sandbox. Sandboxing isn’t necessary for all patches, but it’s essential for the software running critical parts of your network, especially the systems managing customer data. It’s really a question of software compatibility and understanding how the upgrade will affect the other software you’re running.
- Test the patch in production. For production tests, have a backup plan in case all of your precautions fail and the patch doesn’t play well with other software or takes your systems offline. It’s important to envision every possible scenario and prepare for the most challenging issues during the actual installation of the patch.
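The hash comparison from the "Verify the patch" item and the "only authorized patches" check from the monitoring item can be combined into one small gate that runs before a file is handed to the deployment tool. The script below is an added example written for this article, not DataComm's tooling or any vendor's; the patch payload, the vendor digest, the manifest entries (vendor, product, ticket number) and the file names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=64 * 1024):
    """Hash the file in chunks so large patch bundles never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(path, expected_sha256):
    """True only if the downloaded file's SHA-256 equals the vendor-published digest."""
    actual = sha256_file(path)
    # compare_digest is a constant-time comparison; normalise the published value
    # so a digest copied in upper case from a vendor advisory still matches.
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def lookup_approved(path, manifest):
    """Return the manifest entry whose digest matches the file, or None.

    The manifest is the firm's own record of patches that went through review
    (vendor, product, digest, change ticket). A file that is not listed has
    not been authorised and should not reach the deployment queue.
    """
    digest = sha256_file(path)
    for entry in manifest:
        if hmac.compare_digest(digest, entry["sha256"]):
            return entry
    return None


def write_sample(directory, name, content):
    """Write constructed sample bytes to a file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def run_demo():
    """Constructed scenario: one genuine patch, one tampered copy, one unlisted file."""
    genuine = b"-- constructed sample patch payload, not a real vendor file --\n"
    # Stands in for the digest printed on the vendor's advisory page.
    published = hashlib.sha256(genuine).hexdigest()
    # Constructed manifest of reviewed patches; the ticket id is a placeholder.
    manifest = [{"vendor": "ExampleVendor", "product": "ExampleApp 4.2",
                 "sha256": published, "ticket": "CHG-0001"}]
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample(tmp, "patch.bin", genuine)
        tampered = write_sample(tmp, "patch-tampered.bin", genuine + b"\x00")
        unlisted = write_sample(tmp, "unknown.bin", b"something nobody reviewed\n")
        return {
            "genuine_verifies": verify_patch(good, published),
            "tampered_verifies": verify_patch(tampered, published),
            "genuine_approved": lookup_approved(good, manifest) is not None,
            "unlisted_approved": lookup_approved(unlisted, manifest) is not None,
        }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

One caveat worth keeping in the written procedure: a digest taken from the same web page as the download only proves the file was not corrupted or altered in transit. If the vendor also signs its patches, record and check that signature as well, since it covers the case where the download site itself has been altered.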
As you can see, even with patch management software to assist you, running an effective patch management program that lines up with FFIEC guidelines can be complex and time-consuming. Consider working with a team of professionals who can safely and effectively manage patches on your behalf. At DataComm we have a bird’s-eye view of the software and patches that affect your financial institution.
As we work with more firms like yours, we’ve developed a keen sense of which patches are the most important and how to integrate those patches into your operations so they don’t negatively affect your network. What’s your biggest concern with patch management? Let’s discuss ways we can assist you with streamlining patch management for your financial institution.