CISO diaries: Why Patch Tuesday is a CISO’s best friend

By Kevin Reed, Chief Information Security Officer, Acronis

The second Tuesday of every month is a day that should be marked on every cybersecurity professional’s calendar, as it marks Patch Tuesday. Patch Tuesday was started by Microsoft back in the Windows 98 era and brings monthly updates and a periodic glance at some of the biggest security exploits and vulnerabilities blighting our modern digital landscape. As Chief Information Security Officer (CISO), this is a fantastic opportunity for my team and I to calibrate our defenses and keep our fingers on the pulse of the cybersecurity industry.

Each month, Patch Tuesday — which begins at 10:00 a.m. PST — introduces several patches our team must implement. In order to ensure ample time to implement these patches, I recommend other CISOs clear their teams’ schedules the Wednesday and Thursday following each Patch Tuesday. However, these couple of days after the patching also create a malicious “golden 72 hours” in which cybercriminals can analyze and deconstruct the published fixes to create vulnerabilities. Unfortunately, the 72nd hour also conveniently falls on a Friday, enabling bad-faith actors to launch attacks while IT teams return home for the weekend. This is one of the negative security implications of the patch, which although it helps with improving the overall health of platforms and systems, it simultaneously creates new opportunities for cyberterrorists. Thus, it’s imperative for the health of your company to keep the days following Patch Tuesday open for updates and patches to keep your organization one step ahead of bad actors.

At Acronis, we have dedicated personnel within our security team who are responsible for risk assessment. These professionals scan a huge number of machines for vulnerabilities — requiring impeccable prioritization on my side, with charts being created by those team members in charge — to keep things organized. If you adopt this tactic in your organization, I highly suggest rotating these team members monthly. Also, if you choose to diversify your systems, be ready to patch all of these systems one day.  

Last week, a batch of fixes for vulnerabilities in various Microsoft products were revealed. Among those was a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) exploited in the wild a few months ago (Microsoft released a workaround but it took them quite some time to publish a proper fix); a particularly nasty set of vulnerabilities in the Exchange Server and a remote code execution (RCE) vulnerability in their Point-to-Point Tunneling Protocol (PPTP). The total number of RCE vulnerabilities fixed this time was 31, which set a new record.  We utilize several of these products at Acronis, with some even connected to the internet.  When we’re made aware of these vulnerabilities, we check for exposure and sensitivity and then prioritize our vulnerability patching based on factors like internet exposure and the sensitivity of the data managed by the vulnerable system.

As a global company, we are unfortunately unable to reboot without affecting working hours somewhere in the world. We do the best we can to make sure workloads are affected as little as possible during these reboots; but inconveniencing a few team members is a sacrifice we have chosen to make to keep our systems — and team members — safe and secure. As a CISO, I understand that occasional downtime is inevitable, and make accommodations with C-suite members to allow leniency with deadlines and other expectations during these unavoidable occurrences. Of course, I also give a heads up to those who will be affected during the downtime.

Vendors should also agree to prioritize Patch Tuesday each month as it reduces the load on IT teams and makes it easier for them to patch vulnerabilities and focus on other priorities for the rest of the month. However, to do this, you’ll need to rely on something that can assist with software inventory — such as an Acronis agent, or other available tools.

On Tuesday, August 9th, Adobe Acrobat Reader vulnerabilities were revealed, with patches rolled out to fix two critical security vulnerabilities. Such vulnerabilities are less of a problem for us at Acronis, as our automation software is effective in implementing these patches; but for organizations that do NOT have available third-party help with automation, it creates a big problem that requires manual patching. Again, being prepared for vulnerabilities by applying frequent patches and equipping your organization with the proper tools are the best ways to reduce downtime and keep the headaches out of periodic patching and system updates.

Ultimately, Patch Tuesday is one of the best tools available to keep your cyberdefenses updated and secure. This unofficial, time-tested tradition allows CISOs and their teams to schedule maintenance and downtime while keeping disruption to both their companies and systems to a minimum. By taking precautions and preparing for Patch Tuesday every month, your systems will stay healthy and safe, while easing potential anxieties related to keeping infrastructure constantly updated and patched.

Cyber protection agents such as Acronis Cyber Protect can help keep your systems automated and make Patch Tuesday run even more smoothly every month. Just remember to be mindful of the “golden 72 hours” and get your systems patched and ready by the weekend to stay ahead of attackers!