Patch Management

Six steps for security patch management best practices

Most successful computer attacks exploit well-known vulnerabilities for which patches already exist. The problem is that hundreds of patches are released each month, many of which apply to operating systems (OS) and applications residing in your organization’s network. How do you know which patches to install, and which to ignore? And what’s the proper order and process for installing them?

The importance of each stage of the patch process–and the amount of time and resources you should spend on it–will depend on your organization’s infrastructure, requirements and overall security posture.

Step 2: Devise a plan for standardizing production systems to the same version of OS and application software. The smaller the number of versions you have running, the easier your job will be later.

Step 4: Compare reported vulnerabilities against your inventory/control list. There are two key components to this. First, you need a reliable system for collecting vulnerability alerts. And second, you need to separate the vulnerabilities that affect your systems from those that don’t. Some companies have staff dedicated to managing this process; others use vulnerability reporting services.

Step 5: Classify the risk. Assess the vulnerability and likelihood of an attack in your environment. Perhaps some of your servers are vulnerable, but none of them is mission-critical. Perhaps your firewall already blocks the service exploited by the vulnerability. In general, to classify and prioritize the risk, consider three factors: the severity of the threat (the likelihood of it impacting your environment, given its global distribution and your inventory/control list); the level of vulnerability (e.g., is the affected system inside or outside perimeter firewalls?); and the cost of mitigation and/or recovery.

Step 6: Apply the patch! OK, so now you have an updated inventory of systems, a list of controls, a system for collecting and analyzing vulnerability alerts and a risk classification system. You’ve determined which patches you need to install. Now comes the hard part: deploying them without disrupting up-time or production. Fear not, there are several tools that can help you with the actual patch process (see Resources, below). Evaluate these tools in terms of how well they fit your environment and budget. In some cases, manual patch maintenance may be more cost-effective. But in most cases–particularly for multiple servers or server farms distributed across multiple locations–some type of automated patch system will more than pay for itself.
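Steps 4 and 5 above (matching alerts against the inventory, then classifying the risk by severity, exposure and cost of mitigation) can be modelled in a few lines. The following is an added example, not code from the original article; the hosts, product names, versions and alert ids are constructed, and the scoring weights are an assumption to be tuned per environment.

```python
"""Added example: steps 4 and 5 of the patch process as a small triage model."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    software: dict          # product -> installed version (from the inventory)
    internet_facing: bool   # outside the perimeter firewall?
    mission_critical: bool


@dataclass
class Alert:
    alert_id: str
    product: str
    affected_versions: set  # versions the feed says are vulnerable
    severity: int           # 1 (low) .. 5 (critical), as reported by the feed
    mitigation_cost: int    # 1 (trivial) .. 5 (disruptive), local estimate


# Constructed sample inventory and alert feed (hypothetical hosts and ids).
INVENTORY = [
    Host("web01", {"httpd": "2.4.1"}, internet_facing=True, mission_critical=True),
    Host("db01", {"postgres": "12.3"}, internet_facing=False, mission_critical=True),
    Host("lab01", {"httpd": "2.4.1", "ftpd": "1.0"}, internet_facing=False, mission_critical=False),
]
ALERTS = [
    Alert("ALERT-001", "httpd", {"2.4.1"}, severity=5, mitigation_cost=2),
    Alert("ALERT-002", "postgres", {"12.0"}, severity=4, mitigation_cost=3),  # version not deployed
    Alert("ALERT-003", "ftpd", {"1.0"}, severity=3, mitigation_cost=1),
]


def affected_hosts(alert, inventory):
    """Step 4: keep only hosts running a version the alert actually covers."""
    return [h for h in inventory if h.software.get(alert.product) in alert.affected_versions]


def risk_score(alert, hosts):
    """Step 5: severity scaled by exposure, discounted by the cost of mitigation."""
    exposure = 1  # baseline: vulnerable but internal and non-critical
    if any(h.internet_facing for h in hosts):
        exposure += 2  # reachable from outside the perimeter firewall
    if any(h.mission_critical for h in hosts):
        exposure += 2  # an outage or compromise hurts production
    return alert.severity * exposure - alert.mitigation_cost


def prioritize(alerts, inventory):
    """Return (alert_id, score, affected host names), highest risk first; unmatched alerts are dropped."""
    ranked = [(a.alert_id, risk_score(a, hosts), [h.name for h in hosts])
              for a in alerts if (hosts := affected_hosts(a, inventory))]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Alerts that match nothing in the inventory never reach the risk list, which is the point of keeping the inventory current in Step 2.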

Vulnerability and patch management isn’t easy. In fact, in today’s computing environment, it’s a never-ending cycle. But by following these general steps, you’ll be way ahead of the curve when the next worm comes knocking at your network door.