Security Patches in Your Business: Complying with PCI Requirement 6.1

Learn why it’s important to update your software and install security patches.

When it comes to security, even the best and most secure software can have vulnerabilities, eventually. Hackers have a lot of time to try and find holes in security. Thankfully, when a vulnerability is discovered, researchers and developers of the affected software and/or code do their best to come up with security patches and updates to combat that vulnerability.‍

See also: PCI Requirement 6: Updating Your Systems

Unfortunately, many businesses don’t often update their software and applications when it’s needed. Why? Some reasons include:

• It takes time
• They aren’t aware of the update
• They don’t see it as necessary
• The equipment doesn’t support the update.

But with the rise in data breaches, it’s important to your business’s security that you update your
software and applications regularly.‍

See also: How Long are Businesses Vulnerable Before a Security Breach?

What are Security Patches?

This is where patching comes in. Security patches are pieces of software or code that help rectify a vulnerability the software/code may have.

For example, the DLL hijacking vulnerability allowed cybercriminals to include files that Microsoft automatically opened in the folder related to MS Office documents. This “feature” allowed the execution of malicious software. I used this as part of my penetration testing to check if users would open files on an unknown USB drive found in the parking lot. Microsoft eventually patched this flaw that affected all versions of windows.

Patches can be distributed two ways, as a source code, or as an executable file. Source code is a common way to apply updates, but requires a recompiling program, while patches for proprietary software are often distributed as executable files. Most systems and applications have a utility that facilitates checking for and applying updates.

Some companies regularly release security patches and updates for their software. Microsoft releases these patches every 2nd Tuesday of the month, coining the term, “Patch Tuesday.”‍

Why should I update software?‍

PCI requirement 6.1 states that merchants must “deploy critical patches within a month of release” to maintain compliance.

Compare your business to the human body. If your body has an open cut or scrape and isn’t covered up or disinfected, bacteria could get in. If they do get in your body, they can wreak havoc on your system. It’s the same with your business. Having a vulnerability in your software may not do much damage itself, but it could lead to something far worse.

Just like you should clean and cover your cuts, you’re responsible for patching your business’s security where needed.

Technology is constantly changing. And alongside it, data thieves are coming up with new techniques to find and exploit vulnerabilities in software. No matter how secure your software may be, over time, a vulnerability will arise that can be a cybercriminal’s gateway into your business.

See also: A Hacking Scenario: How Hackers Choose Their Victims‍

Patch management and PCI requirement 6.1 tips

It can be difficult to keep track of what software needs updating and what patches have been released. Here are some basic steps you can use to perform patch management.

1. Get the notification from vendors and third-party organizations on new updates and patches.
2. Do a risk analysis to see if this update applies to your business.
3. Come up with a plan to install the security patch.
4. Test the security patch before you implement it. Make sure the patched software is working properly.
5. Install the security patch in your business environment
6. Make sure the patch is properly installed and the systems still perform properly. Sometimes patches can cause other systems to stop working, especially if they’re installed incorrectly.
7. Update all your documents to include any changes made or patches installed.

Some additional tips to updating software include:

• Get on your vendor’s patch/upgrade list: You can’t update anything if you don’t know about it. Most software vendors have a patch/upgrade email list. Ask them to put you on it to stay current on patches.
• Establish a schedule: For some software, it may be easier to update it on a regular basis. Make a schedule that outlines when and how you’ll install updates.
• Update within 24 hours of patch being released: the longer you wait to update, the longer your business is vulnerable.
• Do vulnerability scanning to find security holes: by scanning your software regularly, you can find vulnerabilities that need to be patched.‍

‍Need an Approved Scanning Vendor? Talk to us!‍

No matter how you do it, you should be vigilant about updating the software associated with your system. Make sure your business doesn’t suffer a breach simply because your software wasn’t up to date.