Patch Management - Who's Minding Your Network?

A patch is a piece of software designed to fix problems with, or update a computer program, operating system or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the overall usability and performance. Though meant to fix problems, poorly designed or improperly managed patches can sometimes introduce new problems.

Patch management is the process of using a strategy and plan of what patches should be applied to which systems at a specified time. The key works here are Process, Strategy and Plan. Without all of these in place you aren't performing patch management, you are simply installing (or not installing) patches without knowing what effect they will have on your network. A typical patch management strategy should look like this:

  • Detect. Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.
  • Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.
  • Acquire. If the vulnerability is not addressed by the security measures already in place, download the patch for testing.
  • Test. Install the patch on a test system to verify the ramifications of the update against your production configuration.
  • Deploy. Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.
  • Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

Unfortunately most businesses and even many IT Service Providers have no formal process for patch management.

A critical step in our process when we evaluate a company's IT infrastructure is a complete Network Assessment. One of the things we look at during this assessment is how the patches are being managed. The two most common methods we see are "download and install automatically" and "do not download or install patches and updates." Sometimes it is hard to determine which of the two methods is worse! 

Potential clients will often tell us they don't download the updates/patches because "everything worked fine when the server/workstations were setup so we don't want any changes". New bugs, threats and vulnerabilities are discovered everyday and applying patches and updates to protect against these is critical. Ignoring them and allowing your system to go unpatched is a recipe for disaster. We also have potential clients that simply allow updates to be installed at random, as they are made available. Doing this on a live system can often result in problems when patches do not install properly or worse, when a patch or update is not compatible with an application that you may be running or when servers reboot overnight during an update and fail to come back online in the morning.

Patch management is one of the most critical and most overlooked and misunderstood aspects of maintaining a stable network environment. Most Managed Service providers offer a basic patch management program as a stand alone option (as well as bundled with more complete services) that is very affordable. When properly performed, patch management will provide you with a safe, secure and stable network environment. We encourage all of our clients and potential clients to periodically evaluate their patch management process and make changes where they are needed.

No comments:

Post a Comment