Which type of update should be prioritized even outside of a normal patching window?

September 21, 2017

In the wake of the recent Equifax data breach, as well as the WannaCry and Petya ransomware attacks, patch management should be high on your radar. Applying software updates and patches is a critical security precaution, as we detailed in our recent blog post, “Why Patch Management Matters Now More Than Ever.” But how should your organization prioritize patching in a multilayered approach to data safety?

Patch management involves appropriate planning, so you don’t introduce unintended problems. Here are five tips on how to apply and execute a patching program.

1. Apply patches regularly.

Popular applications such as Java, Adobe Flash, Adobe Acrobat, Microsoft applications and the Windows operating system need regular updates. You can handle this via Windows Update Services from a Microsoft server, or via another third-party application. For UNIX/Linux systems, you can use Chef, Puppet or a third-party tool like Lumension.

2. Rate your patching.

Look at the criticality of the patches to your business and operations. If you can’t patch an item, then you have to weigh the business risk of exploitation against the benefit of continuing to use the application. If there are patches available, consider the risk that the patch might break a process. Have a plan to revert if necessary.

3. Decommission older legacy systems.

Even if there’s only one legacy application that needs an older OS, plan to replace or migrate the host system. A vulnerable server could expose hundreds or thousands of passwords and be used to access and steal files from mapped drives.

4. Review custom and specialty applications.

If you use in-house created or customized applications from a vendor, find someone who can review the code for known vulnerabilities.

5. Harden the host operating systems.

Review and follow online guidance available for server operating systems:

Windows:https://technet.microsoft.com/en-us/library/cc526440.aspx

Linux/UNIX:https://www.sans.org/score/checklists/linux

MacOS:https://www.apple.com/support/security/guides/

Practical advice for organizations of all sizes

Large organizations first test new patches before committing them to systems that run critical business processes. Smaller organizations don’t have the resources, so the best advice is to back up your systems to prevent a patch from doing something that knocks a critical system offline or triggers a data loss. That means backing up not just the data, but the applications, so you can quickly restore the ability to access the data.

While a patch that corrupts something is uncommon, backing up the data is prudent (and a mandate, really) to protect against sudden hardware failures and all the other unforeseen events that jeopardize the continuity of the business.

How ESET can help

ESET offers a multi-platform patch management solution — Flexera Corporate Software Inspector — as part of our suite of security solutions for an adaptive security architecture. It gives you complete visibility over the patch status of your systems, provides guidance so your teams know what to patch and how, and covers more than 20,000 applications on Windows, MacOS and Red Hat Enterprise Linux. 

Portions of this post were adapted from “Vulnerabilities, exploits and patches,” by ESET Senior Research Fellow David Harley, published on our sister site WeLiveSecurity.

What is patch management?

Patch management is the process of distributing and applying updates to software. These patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software. 

Common areas that will need patches include operating systems, applications, and embedded systems (like network equipment). When a vulnerability is found after the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that assets in your environment are not susceptible to exploitation. 

This video covers the basics of patching, including what it is and why it is important. You’ll also learn about the common sources of patches—OS vendors, application vendors, and network equipment vendors—and how patch management tools such as BigFix and Microsoft SCCM can help you remediate vulnerabilities. For more details on patch management, its benefits and best practices, continue reading below. 

Why do we need patch management? 

Patch management is important for the following key reasons:

• Security: Patch management fixes vulnerabilities on your software and applications that are susceptible to cyber-attacks, helping your organization reduce its security risk. 
  
• System uptime: Patch management ensures your software and applications are kept up-to-date and run smoothly, supporting system uptime.  
  
• Compliance: With the continued rise in cyber-attacks, organizations are often required by regulatory bodies to maintain a certain level of compliance. Patch management is a necessary piece of adhering to compliance standards. 
  
• Feature improvements: Patch management can go beyond software bug fixes to also include feature/functionality updates. Patches can be critical to ensuring that you have the latest and greatest that a product has to offer. 
  

How your organization benefits from an efficient patch management program

Your company can benefit from patch management in a variety of ways:

• A more secure environment: When you’re regularly patching vulnerabilities, you’re helping to manage and reduce the risk that exists in your environment. This helps protect your organization from potential security breaches.
  
• Happy customers: If your organization sells a product or service that requires customers to use your technology, you know how important it is that the technology actually works. Patch management is the process of fixing software bugs, which helps keep your systems up and running. 
  
• No unnecessary fines: If your organization is not patching and, therefore, not meeting compliance standards, you could be hit with some monetary fines from regulatory bodies. Successful patch management ensures that you are in compliance. 
  
• Continued product innovation: You can implement patches to update your technology with improved features and functionality. This can provide your organization with a way to deploy your latest innovations to your software at scale. 

The patch management process

It would be a poor strategy to just install new patches the second they become available for all assets in your organization's inventory without considering the impact. Instead, a more strategic approach should be taken. Patch management should be implemented with a detailed, organizational process that is both cost-effective and security-focused.  

Key steps to the patch management process include:

1. Develop an up-to-date inventory of all your production systems: Whether this be on a quarterly or monthly basis, this is the only way to truly monitor what assets exist in your ecosystem. Through diligent asset management, you’ll have an informed view of operating systems, version types, and IP addresses that exist, along with their geographic locations and organizational “owners.” As a general rule, the more frequently you maintain your asset inventory, the more informed you're going to be.
   
2. Devise a plan for standardizing systems and operating systems to the same version type: Although difficult to execute on, standardizing your asset inventory makes patching faster and more efficient. You’ll want to standardize your assets down to a manageable number so that you can accelerate your remediation process as new patches are released. This will help save both you and technical teams time spent remediating.
   
3. Make a list of all security controls that are in place within your organization: Keep track of your firewalls, antivirus, and vulnerability management tool. You’ll want to know where these are sitting, what they’re protecting, and which assets are associated with them. 
   
4. Compare reported vulnerabilities against your inventory: Using your vulnerability management tool to assess which vulnerabilities exist for which assets in your ecosystem is going to help you understand your security risk as an organization. 
   
5. Classify the risk: Through vulnerability management tools you can easily manage which assets you consider to be critical to your organization and, therefore, prioritize what needs to be remediated accordingly.
   
6. TEST! Apply the patches to a representative sample of assets in your lab environment. Stress test the machines to ensure that the patches will not cause issues in your production environment.
   
7. Apply the patches: Once you’ve prioritized what needs to be remediated first, start patching to actually reduce the risk in your environment. More advanced vulnerability management tools also offer the ability to automate the time-consuming parts of the patching process. Consider rolling the patches out to batches of assets; although you already tested in your lab environment (you did do that right!?) there may still be unexpected results in production. Dip a few toes in before jumping in all the way to make there won’t be any widespread issues.
   
8. Track your progress: Reassess your assets to ensure patching was successful. 

Patch management best practices

Some best practices to keep in mind when implementing patch management include: 

• Set clear expectations and hold teams accountable: Leveraging organizational agreements, such as service-level agreements, can keep teams in check, and ensure that the work of reducing risk is actually being done.
  
• Work collaboratively with technical teams to ensure a common language: Security teams often refer to software errors as a “risk,” whereas IT/DevOps teams may use the term “patch.” Making sure that everyone is on the same page and recognizes the importance of patching is key to a successful patch management process. 
  
• Establish a disaster recovery process: In case your patch management process does fail and causes issues, it’s always a good idea to have a backup plan.  

Embedding patch management into your vulnerability management efforts

Patch management is a vital part of every vulnerability management program. However, having a consistent approach to patch management doesn’t always mean slapping a fix on everything in sight. When a vulnerability is identified, you essentially have three options:

1. Install a patch for the vulnerability, if available, to fix the issue.
   
2. Implement compensating controls so the vulnerability is mitigated without being fully patched. This route is common when a proper fix or patch is not yet available, and can be used to buy time before eventual remediation.
   
3. Accept the risk posed by that vulnerability and do nothing.
   

It’s up to organizations to decide which option is best for them in specific situations, though patching is the ideal treatment to ultimately strive for.

The terms “patch management” and “vulnerability management” are sometimes used interchangeably, but it is important to understand the difference. Though both strategies aim to mitigate risk, patch management (the process of managing software updates) is limited in scope. To gain a deeper understanding of your environment and make informed, impactful decisions, you need to move to a more holistic approach through vulnerability management. Vulnerability management is a continuous process of identifying, prioritizing, remediating, and reporting on security vulnerabilities in systems and the software that runs on them.

Patch management is a critical component of vulnerability management, but it’s just one piece of the puzzle. To successfully embed patch management into your vulnerability management program, the following steps should be implemented:

1. Establish asset management. Your ability to reduce risk is only as good as the visibility you have into your environment. An asset management solution helps you gain a full understanding of the assets you have and the vulnerabilities associated with each asset. With that knowledge, you are equipped to prioritize vulnerabilities, remediate issues, and communicate effectively with stakeholders.
2. Prioritize vulnerabilities. With limited time and resources and an ever-changing threat landscape, it’s unrealistic to think that you can fix every vulnerability as soon as it appears. Consequently, prioritization is one of the most critical aspects of vulnerability management.
3. Remediate vulnerabilities to reduce risk. Identifying and prioritizing vulnerabilities is important, but you’re not actually reducing risk unless you’re remediating the issues.
4. Measure the success of your vulnerability management program. No matter how many fancy features a vulnerability management solution has, it’s only worth the investment if it meets your organization’s unique needs and adds value for you and your team. To determine if you’re achieving a good ROI—and justify the purchase to senior leadership—you’ll have to determine how to measure success.
5. Develop partnerships and support. When something goes wrong, you want to know you have a team of people you can rely on to help troubleshoot.

Which of the following would be considered a secure protocol to use to reach your network?

Which Microsoft tool can be used to review a system's security configuration against recommended settings quizlet?

What name do we give to attacks that occur before a patch is available?

In which milestone should you use a network scanner and then confirm?