War is on.
Attacks are becoming more sophisticated and hackers are becoming smarter, so defenders must too.
The attacker eyeing your organization is looking for the misconfiguration that will let them in. So should you.
At Gytpol we are always on the lookout for these misconfigurations, as they could be exploited by threat actors, resulting in a cyber-attack such as ransomware.
A common cause of misconfiguration is human error: the IT practitioner either lacks the right skills for the task at hand, or wrongly believes the task has been completed correctly.
At Gytpol we frequently witness and report software-update management mistakes. In this post we cover some of the common ones and how to find them.
Keeping your OS and other applications up to date with the latest patches is important to ensure you have all the critical updates to keep your environment secure.
Patch Tuesday is the name given to the day on which Microsoft releases its Cumulative Updates (CU), typically the second Tuesday of each month (and sometimes the fourth Tuesday).
Most organizations use the Microsoft SCCM (System Center Configuration Manager) tool to manage software updates. There are many good guides and online videos that walk you through the steps to achieve this with the tool. The general process is:
- Sync software updates
- Create Software update group
- Create Software update package
If you are familiar with the process you will know there are many steps and configurations required to perform what appears to be a simple task.
However, there are two types of misconfiguration which can create a security risk and serve as an initial attack vector for hackers:
- Not choosing all the required patch update packages. When using SCCM, you need to select all the relevant and required patch updates when creating the software update package. The long list of available updates, covering all Microsoft products, often causes confusion, and not all the updates get selected. We often speak with customers who believe they have selected the right updates and that their endpoints are up to date. Yet, when the endpoints are analyzed by Gytpol Validator, we find this is not the case.
- Workstations and servers are not updating. Once SCCM has successfully deployed the update package, the endpoints and servers are triggered to perform the update. Not all endpoints and servers receive the trigger message or are able to perform the update successfully. While there are retry mechanisms, some end up not updated, and this can continue from month to month. This scenario has become much more common recently, especially with employees working from home without connecting to their organization's network over a VPN, which is required to receive the update.
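Both misconfigurations above share one symptom: what the administrator believes was deployed does not match what is actually installed on the endpoint. The following PowerShell script is an added example (not Gytpol's code, and not part of SCCM) that checks for that gap from two directions: it asks each endpoint which of an expected set of KB updates it has installed and how old its newest update is, and it asks the local Windows Update agent which applicable updates it still considers uninstalled. The computer names, KB identifiers and the 45-day staleness threshold are hypothetical values to replace with your own; `Get-HotFix -ComputerName` needs remote WMI/DCOM access to the target, and the COM search reports against whatever update source (WSUS/SCCM or Microsoft Update) the client is configured to use.

```powershell
# Added example, not part of the original post or of SCCM.
# Assumed (hypothetical) inputs: hostnames you administer, the KB set your
# software update group was meant to deliver, and a staleness threshold.
$Computers   = @('WS-01', 'WS-02', 'SRV-01')   # constructed hostnames
$ExpectedKBs = @('KB5000000', 'KB5000001')     # placeholder KB ids, not real ones
$MaxAgeDays  = 45                               # newest install older than this is flagged

function Get-PatchState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$ExpectedKBs,
        [int]$MaxAgeDays = 45
    )
    try {
        # Get-HotFix queries Win32_QuickFixEngineering over WMI/DCOM.
        $hotfixes = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # Unreachable endpoints (e.g. remote workers off the VPN) are reported,
        # not silently skipped: an unknown state is not a patched state.
        return [pscustomobject]@{
            Computer      = $ComputerName
            Reachable     = $false
            NewestInstall = $null
            MissingKBs    = ($ExpectedKBs -join ',')
            Stale         = $true
        }
    }

    $installed = $hotfixes | ForEach-Object { $_.HotFixID }
    $missing   = $ExpectedKBs | Where-Object { $installed -notcontains $_ }

    # InstalledOn can be empty for some entries, so filter before sorting.
    $newest = ($hotfixes |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn

    $stale = (-not $newest) -or ($newest -lt (Get-Date).AddDays(-$MaxAgeDays))

    [pscustomobject]@{
        Computer      = $ComputerName
        Reachable     = $true
        NewestInstall = $newest
        MissingKBs    = ($missing -join ',')
        Stale         = $stale
    }
}

function Get-PendingUpdatesLocal {
    # Asks the local Windows Update agent for applicable, not-yet-installed updates.
    # The answer reflects the update source this client is pointed at (WSUS/SCCM
    # or Microsoft Update), so an empty list from a WSUS-managed client only
    # means "nothing approved for me is missing", not "nothing is missing".
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KBs        = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Downloaded = $u.IsDownloaded
        }
    }
}

# Fleet view: anything unreachable, stale, or missing an expected KB is a gap.
$report = foreach ($c in $Computers) {
    Get-PatchState -ComputerName $c -ExpectedKBs $ExpectedKBs -MaxAgeDays $MaxAgeDays
}
$report | Format-Table -AutoSize
$report |
    Where-Object { -not $_.Reachable -or $_.Stale -or $_.MissingKBs } |
    Export-Csv -Path .\patch-gaps.csv -NoTypeInformation

# Endpoint view (run on the machine itself): what the agent still thinks is pending.
Get-PendingUpdatesLocal | Format-Table -AutoSize
```

Run the fleet section from an administrative workstation that can reach the targets, and the endpoint section on a machine you suspect is not updating. An endpoint that is reachable, not stale, missing none of the expected KBs, and reports no pending updates is consistent with both the SCCM selection and the client-side installation having worked; any other combination points at one of the two misconfigurations described above.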
To keep an organization secure, the IT and SecOps teams need to ensure all endpoints are patched and up to date. They need visibility into the patch update status of all endpoints, including those that are remote and not connected via a VPN.
Gytpol Validator helps organizations overcome these two common misconfiguration scenarios.
Firstly, it monitors all workstations and servers in an organization and identifies and alerts IT admins and SecOps when the baseline is out of date or missing critical patches. Secondly, it reports which endpoints have not been updated, allowing remediation actions to be taken. Gytpol constantly reports the endpoint status, whether the endpoint is connected to the network or working remotely from home.