Patch management in a work-at-home world

Patching software, especially when updates are delivered on a regular schedule, has gotten to be a much more routine and stress-free process in recent years. Now, the shift to so many employees working at home has thrown a monkey wrench into that smooth-running machine, but it still seems to be running well enough.

It's reasonable to suspect that recent changes, with tech companies and their customers working from home, would cause problems for the update process. I assumed as much in a story I wrote in mid-March, as the quarantines were beginning. Google had just announced a pause in Chrome and Chrome OS updates, and I jumped to a number of conclusions:

• Other software companies would follow suit.
• The risks associated with update problems had increased as a result of the quarantines.
• The work-at-home shift might slow the ability of software companies to create and deliver updates.

Patching goes on

I was wrong. Two days after announcing the pause, Google released an update to the Stable Channel for Chrome OS. Not long thereafter, Google officially unpaused and announced the state of its update schedule.

I saw no other large companies pause their own updates, and in fact, many issued out-of-band updates, including Microsoft, Adobe, and VMware. April's Microsoft Patch Tuesday proceeded on schedule, patching a robust 113 vulnerabilities total.

I was wrong for several reasons:

• The big software companies appear to be capable of functioning at normal capacity.
• Updates don't typically cause problems that would be worse in a work-at-home world.
• The risks of not releasing updates far outweighed any theoretical increase in risks from releasing them.

My real mistake was in not understanding the third point above intuitively. We have a long, well-understood history of what happens when software vulnerabilities are left unpatched. They leave you vulnerable to data breaches, theft, ransomware, and whatever other evil things criminals all over the world think up.

Patching: What has changed?

I spoke with Stephen Boyer, CTO and co-founder of BitSight, which provides security ratings services and analytics for cybersecurity risk management, about what software updates have changed for his clients in the work-at-home era.

Boyer says there are definitely new challenges to patching in a work-at-home world. The difficulty of those challenges depends on your circumstances and capabilities, so there may be no clear advice anyone can provide without knowing your situation. You'll have to figure it out.

For instance, if your employees don't all have company laptops, they're probably doing work on their own home PCs (and Macs). Your employees didn't choose to work at home, and if you're expecting them to use their own computers for work, you're going to have to have a lot of nerve to tell them what they can and can't run on their own computers.

Think about it—this is a hard problem, for several reasons:

• If you're going to stick to your vigilant security policies for employee personal equipment, you're going to need to manage those systems. Do you really want to go there?
• If you don't manage them, are you no longer in compliance with regulations for your business?
• Are they patched properly? If you're not managing the systems, how do you know if the OS, BIOS, and applications are up to date? Can you trust the employee to accurately and completely describe what they see on the screen to you?

If you have no choice but to have employees work on personal equipment, the minimum and perhaps the best you can do, is to tell them, in general terms, to follow best practices: Set the operating system and applications to auto-update; do not use default or weak passwords; if at all possible, do not do personal computing on the device used for work; and a dozen other things that one cannot reasonably expect non-technical employees to do.

Overloading company networks

It's normal for companies to issue software updates to end-user systems over the company LAN using WSUS (Windows Server Update Services) or a third-party equivalent. If all those end-user systems are at homes, then all those updates will be sent out through the company gateway onto the Internet. This may be expensive, and it may, periodically, hog bandwidth to the point that other necessary traffic is slowed.

Boyer says that this is a problem only if it's a problem, meaning that if you have the bandwidth, it's not a problem. If you don't have the bandwidth, you may have to resort to having users get updates from the vendors directly. There are theoretical problems with this, but in the current scheme of things, they are minor. Anything that slows down the application of security patches is a threat to be mitigated.

The same "it's a problem only if it's a problem" logic goes for your virtual private network. You'll probably find yourself with a sudden surge in usage of the VPN. Sometimes increasing capacity is just a matter of shelling out the money for it, and you certainly have the excuse. But can you afford to run on your VPN all the clients that were previously on your LAN? Likely not. You'll have to make the same kind of compromises, shifting, for example, some users of Office 365 off the VPN.

And do you run all your Windows Updates through the VPN on the second Tuesday of the month? Not likely.

When you shift the jargon of our current situation around a bit, the wildness of it becomes apparent. Some of Boyer's customers have 70,000 employees working at home. You can think of them as 70,000 branch office locations, with the attack surface of the company growing by many orders of magnitude. Suddenly the management problems look even worse and the threats scarier.

Boyer's financial services customers are especially concerned. Such companies typically have large numbers of employees who (normally) work only at the company location on company equipment. This makes it easier, maybe even possible, to enforce regulatory requirements. Now, the company has no choice but to have them work remotely. These companies are right to be concerned and are probably willing to throw whatever money they can at the problem to mitigate it.

Threat actors escalate

Government agencies and security vendors have recently reported a surge of security attacks, some scams related to the COVID crisis but also a lot more conventional attacks, such as malware, phishing, and vulnerability exploits.

An alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, Department of the Treasury, IRS, and Secret Service describes a wide range of COVID-related scams. A memo from NASA's CIO to his agency describes a doubling of phishing attempts against NASA—an "exponential increase in malware attacks on NASA systems"—and urges attentiveness to the problem.

The NASA CIO also recommends that users always be on the VPN when doing work. This is a good idea, but it raises the fact that malicious attacks on VPNs have been on the increase of late. It's worth double- or even triple-checking that your networks and clients are running the most up to date versions of your VPN's software and that if there are any unpatched problems, you have taken whatever mitigating actions you can.

This is why BitSight's Boyer stressed the need for multifactor authentication, especially on the VPN. The company's high value has made it a high-priority attack target, sometimes by phishing, sometimes through vulnerabilities in the VPN itself. If IT doesn't apply the latest update to the VPNs promptly, it leaves the company especially vulnerable.

The hybrid home/company network

Boyer emphasizes the low quality of security on home networks. It's common to find old equipment, no longer being updated by the vendor, and Wi-Fi networks and admin accounts with default passwords. Plus, virtually all the encryption used on home wireless networks is easily breakable.

One way to address this problem is to send the employee a separate wireless access point, preconfigured, perhaps even with a VPN in it. There are difficulties with this approach, though: Do you have 70,000 of them or however many you'll need? And can you expect your employees to connect them properly? Does the employee even have a free Ethernet port on their cable modem?

In fact, the average home network is no place to do secure computing. It doesn't have the right equipment, and the staff (probably the worker's teenager) lacks the experience and expertise.

One often hears about how hackers will gain a foothold on a corporate network and then move laterally, from system to system, across network segments, exploiting vulnerabilities and weak passwords along the way, looking for the really valuable assets. Imagine how much easier this is to do on the average home network.

Minimize the problems

For most companies, there is no practical way to maintain the same level of security with employees working at home as there was when they were working in the company's offices. The best you can hope for is to minimize the problem.

The one best guidance you can follow is to minimize the attack surface. In this context, the best remote access method is probably VDI (virtual desktop infrastructure) or some other terminal interface, combined with a client security agent that can do keylogging and screen scraping.

The VDI part is easy to deploy to just about any system, as the client programs are small and simple and there is usually a way to connect using a browser. The client agent could be trickier, especially if the home PC is already running security software. It would be better than nothing if the user's system is running a security client and that client is kept up to date, although you won't be managing or getting security events from that client.

Another way to minimize the attack surface is for the client system to always be on the company VPN.

What you can and can't do

If your users are running company-managed systems at home, you should be in good enough shape, as long as the users follow some common-sense precautions. Always be on the VPN, and don't do anything personal on the system that you wouldn't do for work. If, in spite of any security software, malware gets onto the system because the user was careless, there may be little the company can do to stop it.

If your users are doing company work on their own computers, there is a limit to how secure you can reasonably expect them to be. Actively managing employees' personal systems and supplying them with necessary security products is going to be too difficult and expensive. You may as well buy them a new PC and outfit it properly.

In the meantime, tell them to set everything to auto-update and urge them to follow all the other best practices. But you'll have to accept that employees computing at home, especially on their own equipment, is less secure than it is in the office.

Patching in a work-at-home world: Lessons for leaders

• Minimize the number of employees using personal equipment.
• Get as many at-home employees as possible on the VPN, and require two-factor authentication for the VPN.
• In the long term, plan for VDI over a VPN, with a strong endpoint security agent, as the remote access configuration for the company.

Related reading:

The state of patch management

How to keep up with open source updates

Welcome to the Windows 7 Extended Security Updates era