Patch management is an important focus for any organization, but even when companies have the best intentions around patching, they often overlook a crucial area which can be rife with vulnerabilities. While operating systems are usually the focus of patching efforts, 3rd party software is a major source of vulnerabilities in any network: Over 75% of vulnerabilities on the average PC are due to 3rd party applications, and major data breaches including the Equifax hack were caused by unpatched vulnerabilities found in 3rd party software.
Vulnerabilities are frequently found in popular software including Chrome, Adobe, and Java, and these applications are an easy target for hackers due to their high market penetration and low patch rate. It has been found that 48% of Java users are running outdated versions, and 3rd party applications are twice as likely to be unpatched as Microsoft applications. The reason for this discrepancy is not that 3rd party software is inherently more difficult to patch than operating systems, but that each application is managed by a separate vendor, and there are few centralized systems that can patch 3rd party software from a single dashboard.
With the growth of cloud-based applications that can be installed by any employee, it is imperative that IT departments track and patch all 3rd party software on their network to avoid exploitable vulnerabilities. To do this, companies must adhere to the following best practices for patching 3rd party software:
Monitor 3rd Party Software Use: One of the reasons 3rd party software is left unpatched is a lack of visibility into which applications are present within a large network. Unauthorized applications are often installed without the knowledge of the IT department, and if they are left undiscovered there is no way to enforce patching. IT departments must take a regular inventory of the software installed on their network, either through manual checks, invoice tracking, or by installing an agent such as Automox which will automatically track 3rd party software and report on patch status for each device.
Scan for Vulnerabilities Regularly: Unlike Microsoft, which releases patches on the 2nd Tuesday of every month, 3rd party vendors do not have a regular patch release schedule, and each vendor releases patches separately. The best way to ensure no patches are missed is to employ a cloud-based automated patch management solution, which removes the need to sort through patch releases and identify those needed for your organization. If you do not have an automated patch management solution, you should be scanning at least once a week for new patches that affect your network.
Apply Patches From a Central Location: A major contributor to the lack of 3rd party patching is the difficulty of managing patches across hundreds of vendors and thousands of devices, many remote. Manually patching all 3rd party vulnerabilities is an extremely time-consuming task, so organizations should look to one solution which, at a minimum, can centrally patch the most popular 3rd party applications including Java, Adobe Flash, Google Chrome, and Microsoft Office. Automox natively patches these 3rd party applications, and is regularly adding to the library of applications that can be patched through its cloud-based agent.
Utilize a Cloud-Based Patching Solution: A cloud-based patch automation solution like Automox will handle 3rd party software tracking, vulnerability scanning, and application of patches for common operating systems and major 3rd party applications for you. Using cloud-based automation removes the risk of human error or oversight in patch application and provides complete infrastructure visibility, which is difficult to compile manually.
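The inventory and per-device patch-status check described in the practices above, sketched as an added example that is not part of the original article or of any vendor's product. The device names, the `FileShareTool` entry, all version numbers and the approved baseline are constructed placeholder values, not real release data.

```python
import re
from collections import defaultdict

# Constructed baseline: approved application -> minimum patched version.
# Version numbers are placeholders, not real vendor release data.
BASELINE = {"Google Chrome": "120.0.10", "Java": "8.0.400", "Adobe Flash": "23.6.2"}

# Constructed inventory rows, as an agent or a manual check might report them:
# (device, application, installed version)
INVENTORY = [
    ("ws-01", "Google Chrome", "120.0.10"),
    ("ws-01", "Java", "8.0.99"),
    ("ws-02", "Google Chrome", "119.5.3"),
    ("ws-02", "FileShareTool", "2.1"),      # hypothetical app not in the baseline
    ("ws-03", "Adobe Flash", "23.10.0"),
    ("ws-03", "Java", "8.0.400-b2"),
]

def parse_version(text):
    """Turn '8.0.400-b2' into (8, 0, 400) so comparison is numeric, not lexical."""
    return tuple(int(re.match(r"\d*", part).group() or 0) for part in text.split("."))

def is_outdated(installed, minimum):
    """True when the installed version is below the minimum patched version."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))   # treat '2.1' as '2.1.0'
    return pad(a) < pad(b)

def patch_status(inventory, baseline):
    """Group every inventory row per device as outdated, unauthorized or current."""
    report = defaultdict(lambda: {"outdated": [], "unauthorized": [], "current": []})
    for device, app, version in inventory:
        if app not in baseline:
            # Software IT does not track cannot have patching enforced on it.
            report[device]["unauthorized"].append(app)
        elif is_outdated(version, baseline[app]):
            report[device]["outdated"].append((app, version, baseline[app]))
        else:
            report[device]["current"].append(app)
    return dict(report)

if __name__ == "__main__":
    for device, status in sorted(patch_status(INVENTORY, BASELINE).items()):
        print(device, status)
```

Comparing versions as strings would misorder `8.0.99` against `8.0.400` and `23.10.0` against `23.6.2`, which is why the versions are parsed into numeric tuples first.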