According to leading patch management vendors only 14% of patches apply to Microsoft technologies. The remainder are attributed to other technologies installed on devices. Patch management aids in reducing the vulnerabilities experienced, the aim is to maintain the security of computers.
However patch management is also the cause of frustration for many of us, most feel that patches seem to cause more hassle than good some of the time. Patching should be encouraged as the practice is vital in keeping OS and applications secure and up-to-date.
In this article we will look at ways to achieve an effective Patch Management System whereby the advantageous results of patching can be achieved and the frustration alleviated where possible.
Network and computer security is more crucial than ever, patching forms a key part. An effective Patch Management System will not only fend off malware and worms but also alleviate the frustration sometimes caused as a consequence of patching. Patching may also be a requirement for compliance, many organisations are required to have a Patch Management System in place to maintain compliance with certain regulations and standards such as ISO 27001 and ISO 270012.
When undertaking patching correctly we expect patching to reduce vulnerabilities, improve performance, improve usability and assist in achieving compliance, however this is not always the only outcome and is the cause of frustration for many of us, one vulnerability is ‘patched’ yet we are left with other problems to rectify. The key to mitigating this problem is patch testing before applying the patch to live systems, a practice not often seen in the industry.
Patch management is necessary, and if applied correctly it is highly beneficial however patches are also the cause of conflict with other software and hardware within our system environment and are responsible for creating new problems that were not present before the patching.
Patches, additional code for replacing flaws in existing software, usually fall within the following categories:
- Binary Executable Patch – executable files that modify or replace files when executed
- Source Code Patch – source code modification
- Service Pack – significantly change a program
- Firmware Patch – update internal control of hardware devices
Patch management should be a proactive strategic and planned process to determine the application of patches needed to specified systems at a specified time. Without an effective patch management system in place, organisations are not effectively managing security quality and risk.
Challenges hindering effective patch management
- Patch volume, the volume of security patches is enormous with thousands of products continually proving to have vulnerabilities.
- Increasing amounts of applications and utilities that we all use increases the surface area for attack.
- Lack of standardisation and accreditation within the organisation for systems.
- Not having a Policy for Patching in place, demarcating the procedures, roles and responsibilities.
- Tracking relevant patches and maintaining a risk assessment is quite challenging in itself.
- Available resources and time.
- Increase in Mobile computing makes patching challenging.
- Proper reporting on risk areas is demanding as collecting the data proves difficult.
- Poor software management, variations in deployed versions of software. Keep your software up to date and remove older versions.
- No automation in place for maintaining patch management in a consistent manner.
Benefits of an effective patch management system
- Increased productivity – Reduced downtime from malware issues.
- Increase in performance.
- Security – Lower rates of virus infections, malicious attacks, and data theft or loss and legal penalties.
- Compliance – This is a major concern for many organisations. Maintaining compliance is essential and one of the requirements is to ensure security through maintaining patching. Failure to comply can incur serious consequences for many organisations from legal and financial penalties or even closure. An Automated patch management system can assist in keeping your environment patched at all times.
- Fewer resources spent on fixing devices, as patches can solve inherent problems.
- Increased productivity within the IT department – manual patching requires a lot of IT resources and time. Through automation IT resources can be used elsewhere.
- Cost savings.
- Patches may extend software to supply new features and functionality or additional support. This would be advantageous for organisations.
Steps to achieving an effective patch management system
- Devise a Patch policy for your organisation
For the policy to be effective it should include the following:
- Scope describing what should be patched (this is determined through data type, asset value, location and organisation objectives).
- Agreed timings for when updates or patches should be applied.
- A patch exclusion procedure and who is responsible for authorising this, the exclusions should be tractable at all times.
- Up to date and maintained Asset Inventory Management. Automated scanning of installed programs and binary files is recommended to assess where patching is necessary.
- Demarcate responsibility for identifying and distributing patches within the organisation
The responsibility of this team will include:
- Managing risk through patching procedures.
- Inventory the organisations resources, identifying hardware, operating systems, and applications in use within the organisation and identifying which are in need of patching.
- Keep attentive with security feedback regarding patch release and corrective measures and procedures.
- Assess vulnerability, risk and impact assessment and prioritise corrective measures accordingly in a planned manner.
- Make sure procedures exist with regards to corrective measures that they are maintained and can be applied through the organisation.
- Do patch testing on systems with standardised configuration as this is a means to keeping a control.
- Ensure that you test the patch in a controlled environment to ensure the patch is not the cause of conflict with applications within your organisation before full deployment. It’s important to rule out conflicting behaviour to avoid frustration at a later stage.
- Undertake a risk assessment associated with deploying the patches.
- Perform automated deployment of patches with the necessary tools and configure automated updates wherever possible and suitable.
- Patch verification and failure resolution
It’s important to verify that the patch has installed correctly after deployment. If the patch has failed to install correctly or fails to install, a resolution procedure should be in place to follow. Verification should always be commenced to ensure that the patch is present after installation.
It may be helpful to have a help desk in place for end-user support associated with patching.
- Use automation where possible and suitable
Automation is the route to sustainability, manual patching will not be effective for the long-term. Numerous tools will be required within the patch management repertoire of the organisation, no one tool will be efficient to cover everything. For effective automated patch management, caution should be taken to manage the tools so that further risks are not acquired through their use.
It’s also recommend to apply patches in phases.
- Database for corrective actions
This is necessary to keep track of corrective measures and patch exclusions. Over time this becomes challenging if you do not have some form of risk database in place to maintain control and track the correction actions that need to be applied.
- Manage the effectiveness of your Patch Management System
It is essential to validate the effectiveness of the Patch Management System in place and establish the current vulnerability state of the organisations systems. By gauging certain criteria, such as the maturity of the patch management system, cost involved to deploy the patch management system, compliance and risk, performance of the system can be measured.
It should be appreciated that this process is continually evolving, and will change as the Patch Management System matures.
This should be a continuous process and necessary changes should be considered if and when needed.
Without an automated patch management system in place, the likelihood of keeping up with effective patching is small to none. A Patch Management System will take a load off organisation resources and ensure security is maintained.
The importance of testing patches before patch deployment cannot be emphasised enough, patches break things, cause conflicts and create problems with other software, test environments should be mandatory.
Many people believe that the Microsoft recommended patches cover majority of vulnerabilities, however this is not the case, on the contrary the associated vulnerabilities are only a fraction of those we are likely to face on a daily basis. We cannot solely rely on those patches, updates and service packs supplied through Microsoft and assume all vulnerabilities are covered. Following this approach without thinking twice or testing prior to patching may be the cause of unnecessary frustration brought about by avoidable conflicts and breakages. Test before you patch.
We must remember that many applications exist outside of the operating system and they can contribute a large surface area of vulnerability.
Vulnerabilities in software will continue to be a risk factor and to remain secure, an effective patch management system is essential.