The Art of War (and Patch Management)

By Carl Windsor | February 23, 2022

With escalating tensions in Ukraine and threats of nation-state attacks, it is worth noting that modern warfare is no longer based only on traditional ground, air, or sea assaults; it has progressed to the point where cyber attacks are a routine part of the offensive arsenal. They are commonly directed at the financial, government, and communications sectors of target countries in order to destabilize the country's critical infrastructure and delay any response to an attack.

Even if you are not directly in the line of fire, it is a timely reminder during these concerning times that we all need to take our cybersecurity more seriously. This is a sentiment echoed by Deputy Attorney General Lisa Monaco of the Department of Justice (DoJ) in remarks at the Munich Cybersecurity Conference:

"Given the very high tensions that we are experiencing, companies of any size and of all sizes would be foolish not to be preparing right now as we speak -- to increase their defenses, to do things like patching, to heighten their alert systems, to be monitoring in real-time their cybersecurity. They need to be as we say, 'shields up' and to be really on the most heightened level of alert that they can be and taking all necessary precautions."

Why do we even need to say this?

Anyone who has been keeping up with Fortinet blogs is aware that we have been saying this for some time (see Prioritizing Patching is Essential for Network Integrity). We are still dealing with the fallout from some customers not patching. It has caused an ongoing news cycle related to an SSL-VPN issue resolved back in 2019, which remains unpatched on some customers' devices. If you take nothing else away from this blog, check that you have taken action to remediate this issue.

Given that some organizations are not taking action to patch, how can we better understand the reasons why, so that we can help change this behavior? Human psychology gives us some useful clues.

Hyperbolic discounting is a cognitive bias that refers to the inclination to choose immediate rewards over rewards that come later in the future, even when these immediate rewards are smaller. This is most clearly demonstrated by the phrase: “A bird in the hand is worth two in the bush.”

In cybersecurity terms: I will continue working on a time-sensitive project that my boss is chasing rather than patching systems against a cybersecurity issue that might never happen, thinking “maybe we’ll get lucky and nobody will attack us.”

The situation in Ukraine and the warning from Deputy Attorney General Monaco demonstrate that we should not be taking this lightly, but to succeed in prioritizing patch management we need to overcome this aspect of human nature. To do this, we need to give people an instant payback.

Removing Cognitive Bias

This is where the Security Rating Service comes into play, helping to remove this cognitive bias. It gives customers immediate feedback that the actions they take have an impact on the security of their systems. While this has been available for some time, in the coming months we will take it to the next level and factor patching (or the lack of it) into the rating. We will also provide a roll-up report in FortiCare to encourage this process even further.

Fig. 1. Example of FortiCare Platform Capabilities

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.