Skip to main content
it helpdesk support

Developing a Good Patch Management Strategy

Developing a Good Patch Management Strategy

March 20, 2015
Posted by: Chris Every

Recently, the IT Department in many organizations have struggled to keep up with the ever increasing onslaught of new vulnerabilities. In 2014 alone, there were 7,038 new security vulnerabilities reported and added to the National Vulnerability Database, with approximately 83% of these being reported vulnerabilities in third-party applications (i.e. Not Operating System or Hardware). There has been a trend that’s steadily been increasing over the past four years and it doesn’t appear to show any signs of slowing down. According to an analysis report by GFI Software, an average of 19 security vulnerabilities were reported every day in 2014.

Source: GFI

IT Admins, in particular the Info Security folks, are seeing these vulnerabilities being exploited at faster than ever paces, sometime almost immediately after a new vulnerability is reported. That because hackers are collaborating more and developing multiple variants of any exploit as soon as a new vulnerability is found.

Operating Systems with the most security vulnerabilities in 2014

At first, you might be thinking that these vulnerabilities are only found in Microsoft products, but that is not the case at all. In fact, Windows didn’t even make it to the top three in terms of number of vulnerabilities. Apple and Linux administrators had the toughest year in 2014 from a security point of view. Some of the most critical security issues reported in 2014 directly affected Linux systems such as the infamous Shellshock and Heartbleed. Whether you release it or not, many organizations are using a flavor of Linux (and other open-source software) either installed on servers or built into an installed appliance that unfortunately more often than not go unmanaged.

Top applications by vulnerabilities reported in 2014

Before we get too ahead of ourselves, Microsoft didn’t go completely unscathed. Microsoft Internet Explorer had the top number of application security vulnerabilities for 2014; nearly twice as much as Google Chrome which took second place. Web browsers continue to have the most security flaws and are a popular method to spread maleware to clients when they access an infected server. Behind web browser, Java and Adobe’s free products (Flash Player, Reader, Shockwave Player, AIR) are a major challenge to keep up-to-date.

How to respond to growing number of threats

Wow! That sounds pretty scary!? Well before you go unplugging and dismantling you’re whole IT infrastructure, allow me to tell you that there is hope and these threats can almost be complete neutralized if you take patch and vulnerability management seriously.

What!?! Installing patches? That seems rather dangerous, doesn’t it? And that sounds like a lot of boring and cumbersome work! Well, not necessarily. With the right tools and developing a good patch and vulnerability management plan that fits with your overall IT Security Strategy, you can mitigate these threats without too much hassle and save your organization from loss productivity, or even worse sensitive corporate and/or customer data losses. Let’s go over some of the basics of a good patch/vulnerability strategy!

Best Practices

Before any organization comes to terms with patch and vulnerability management, it’s important that they assess the possible risk areas of the network and rate them on a scale of severity. IT Admins should know what are the potential vulnerabilities are, where they exist, what would be impacted if that vulnerability was exploited, and recognize how important it is to the business that they are fixed. This usually means an in depth discovery and study of all company IT assets.

If you can identify which systems are mission critical, which should be patched first and which need constant patch maintenance then “Good Job!” you’re already on your way to managing the threats on your network. If not, well then you have some homework to do.

I’ll admit that applying patches does carry some amount of risks of causing some disruption to business services; you usually have to restart servers and/or applications after a patch is applied. Also applying a patch that does not suit the environment can result in a critical server/service failure, or even possible loss of critical data. The trick is to make sure that you FIRST have a backup strategy in place and make sure that you TEST that plan and improve on it before you really start patching everything you manage. Backups are your first and last line of defense when things go horribly wrong. If your organization is running on a virtual environment, then snapshots can further assist you with being able to apply patches, and quickly roll back to a saved state in the rare event that a disaster is caused by a flawed patch. Just remember, snapshots are no substitute for a real backup strategy.

For most businesses, even those with security patch management solutions in place, patching anything and everything straight away is not an option. Regular maintenance should be carried out by IT Admins in way that they deploy monthly updates in a timely manner but are still able to cope with any issues which may arise during the patching process. Therefore, it’s important for an organization to prioritize the deployment of patches. Whether the approach is to first deal with the systems that are most prone to attack or hacking such as web servers, email systems, and other critical business applications or to pilot patches on less critical systems, there really isn’t a wrong way in the order you choose to do them. It’s important that you also factor in the timing of the maintenance, so that you’re not causing outages to users that rely on the servers you are patching, or interrupt other nightly processes that your organization needs such as daily reports generated overnight, backups (Did I mention how important backups were?), data transfers, etc.

Patch Deployment

To keep systems secure, it is critical that they are fully patched. IT Admins should be concerned and focused on patching these items first and foremost:

  • Operating systems (Windows, Linux, OS X)
  • Web browsers
  • Java
  • Adobe free products (Flash Player, Reader, Shockwave Player, AIR).

Based on Best Practices, a staged deployment of patches which employs an iterative test-deploy cycle that is used on several increasing large or critical sets of servers or desktops are essential and allow organizations to implement testing and take full advantage of accelerated and automated deployments.

With your strategy in place, your patch management solution (GFI, Symantec, WSUS, SCCM, etc.) should be able to manage the bulk of the patching process for you. I’ve found that the combination of manual testing and employing multiple patch and vulnerability management tools is the best approach to effectively identifying vulnerabilities and distribute patches that using just a single tool would miss.

There are a several benefits to using a patch management solution, the most pronounced is that it allows your IT Staff to make patching an integral part of their overall security management strategy. It also provides a single pane of glass for managing all or most products in an integrated security console and lessens the overall complexity and cost associated with the enormous task of regular patch remediation. Some patch and vulnerability management solution vendors will also test and authenticate patches before making them available, which helps reduce the IT workload even more. Finally, a good patch management solution is also what alleviates the need for a panic reaction to address the latest vulnerability or maleware, which could lead to a time consuming ad-hoc approach to patching your systems.

Conclusion

Any organization, big or small, that invests in any amount of network and computer systems could find their systems rendered useless if they are not maintained and patched effectively. Hackers never cease in creating new worms, viruses, and spyware. They exploit known vulnerabilities on unpatched systems that results in costly downtime, and often a considerable amount of administrative resources and expenses to recover. Patching is only one part of an overall security strategy, but it makes a significant contribution to reducing network vulnerabilities and preventing attacks. When patching is done using a set of correct procedures and process, organizations can make sure that they are less likely to fall victim to an attack and ensure that they can continue business as usual.

 


About the Author

Infrastructure Engineer, Endurance IT

We'll take care of every detail.

Even if you don't know exactly what you need, our experts make it easy to talk about your project and work out the requirements. We'll quickly help frame it up and add some structure so it can be properly estimated and ultimately developed and delivered.