Enterprise Cybersecurity....Automate your Oracle Patching
Security at Speed
According to Verizon there was a security patch available within the past year for 99% of security breaches. Credit giant Equifax suffered one of the largest data breaches ever recorded because of a failure to apply patches. Deloitte sets out 14 costs associated with a cyber attack (Deloitte Report). The financial costs are wide ranging with longer term impacts that are much less obvious. This cost will be accelerated through the new European GDPR legislation.
CPU patches are also rigorously regression tested by Oracle which significantly reduces risk. (Ensuring Quality)
On May 25 th significant fines of up to 4% of turnover may be imposed on companies that delinquent in patch management. The statement issued by the UK regulator is displayed below:
Nigel Houlden, ICO Head of Technology, said:
"We are aware of reports detailing potentially significant flaws in a wide range of computer processors, which could affect various operating systems. We strongly recommend that organizations with affected hardware test and apply patches from suppliers as soon as they are released.
All organizations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation."
Department of Homeland Security
The US government also strongly advises that systems are patched frequently. (Read Here)
Maintain up-to-date software
The attack vectors frequently used by malicious actors such as email attachments compromised "watering hole" websites and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.
It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reversed engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.
The US government is keen to raise cyber security standards among private sector contractors. In fact policies strongly encourage automated patch management and it may become a pre-condition to award a contract. (NIST Compliance)
Information Security Standards
- Security Standard
- HMG InfoSec Standard No. 2
- ISO 27001
- ISO 27002
- Payment Card (PCI) Data Security Standard (DSS)
Other Benefits and Rationale
It is safer and cheaper in the long run to patch. The further you fall behind …
- The more work it requires to isolate and resolve issues
- The greater the chance of encountering an avoidable issue
- The greater the risk of upgrading from an untested configuration to a new version
- The greater the effort required to upgrade to new versions
- The greater the risk that you would not be able to get patches for your exiting configuration
Statement on Virtual Patching
We do not believe virtual patching (primarily firewalls) is a substitute for software based security updates. As an Oracle Partner we are committed to best practice compliance patching. Additionally such measures cannot be applied to Oracle Applications. Companies who advocate this approach normally do so because they want to assume support from Oracle and are unable to supply critical patch updates. (Read Oracle Statement)
Why Automate Deployment?
Aside from adding new features here are some reasons for automating your Oracle patching.
- Reduce Costs and Complexity
- Visibility over all your Oracle Databases and E-Business Suite Applications
- Patch and Deploy 24/7
- Meet Compliance Goals
- Proactive and Precise Reporting
- Future Proof your Oracle Investment with Ease