MINTIVO

What is Patch Management?

Patch Management is essential to your organisation’s security and productivity, but what exactly is patch management and why do you need a patch management strategy?

What is patching?

Much like a medical patch or plaster put on a cut to help it heal, a software patch corrects errors in software code. These errors are sometimes called vulnerabilities or bugs, and they can cause various issues with your servers and operating systems. Most seriously, if they are not patched, threat actors can exploit them and damage your business. Once a software vulnerability has been detected in firmware, operating systems or third-party applications, it is published (often called a ‘known vulnerability’). Criminal hackers take advantage of these known vulnerabilities if they are not properly patched or updated quickly.

Patching is the process of activating the updates provided by the software provider. Software patch management can include code changes and other software updates. Server patch management specifically updates servers. There are different types of patching, usually referred to as security patches, bug fix patches and feature update patches.

Patches therefore ensure your system is as secure as possible. They can also add new functionality and fix other issues, optimising software performance and productivity. In addition to your servers and operating systems, applications and embedded systems, such as network equipment, may also require patching.

Why is patch management important?

Software Patch Management is key to any organisation for the following business critical reasons:

Security: Patch management fixes vulnerabilities within your software and any applications that are susceptible to cyberattacks, which helps reduce security risks.

System uptime: By keeping your software and applications up-to-date and running smoothly, Patch Management will prevent downtime and loss of revenue.

Compliance: Regulatory bodies increasingly expect organisations to maintain a certain level of compliance to reduce the likelihood of a cyber-attack. Larger organisations may also insist that their supply chain adheres to certain security levels. A robust Patch Management Strategy can illustrate this and having one is part of achieving Cyber Essentials accreditation.

Feature improvements: Patches will provide you with the latest and best features and functionality that a product has to offer.

Is Patch Management the same as Vulnerability Management?

Patch Management is similar to Vulnerability Management and the phrases are often used interchangeably; however, patching is the act of solving or mitigating the vulnerability that has been identified in your software or systems.

Vulnerability Management is a continuous process of identifying, prioritising, remedying and reporting vulnerabilities within systems and especially the software that runs in them. When a vulnerability is identified, the management strategy will decide whether to install a patch (if one is available), implement some form of mitigating action to ease the issue (often until a patch is available), or accept the risk. Patching any vulnerability is the ‘gold standard’ and is recommended.

You could say that Patch Management forms part of your Vulnerability Management Strategy, especially as unpatched software applications or operating systems are one of the leading causes of security breaches. Shockingly, in a recent Ponemon Institute study, 62% of organisations had no idea that they were vulnerable before they were attacked by cyber criminals, and perhaps worse, 60% stated that they knew about a vulnerability but had not applied the patch.

What does a Patch Management process include?

Any strategy within your business needs to be developed and defined. The impact of any activity needs to be assessed. Any patch management strategy, therefore, should be implemented with a detailed process that is cost-effective as well as being security-focused.

1. Create an up-to-date inventory of all your systems

You need to understand what assets you hold – operating systems, version types, and IP addresses that exist, along with their physical and geographic locations. Identify who ‘owns’ these assets and regularly update your asset inventory, ideally monthly or quarterly. You may wish to highlight those critical to your organisation to make patch and risk management easier.

2. Devise a plan to standardise systems and operating systems to the same version type

If all your assets run on the same versions, it makes patching faster and more efficient. Where possible, reduce the number of assets to a manageable number so that remediation can be accelerated as new patches are released. This will help save time for both users and the technical team.

3. Software Health Check

Check that all software used is licensed and supported (where the creator or vendor of the software provides support and updates for it). If it is not, remove it from your assets.

4. List all security controls that are in place

It is helpful to identify all your firewalls, antivirus, and vulnerability management tools. Consider where these are situated, what they’re protecting and which assets are associated with them.

5. Implement scanning of your assets to identify missing patches

The easiest way to do this is by utilising vulnerability management software or working with an external partner.

6. Compare reported vulnerabilities against your inventory

Utilise a vulnerability management tool to assess which of your assets are affected by the vulnerabilities reported. This will help you understand the security risk to your organisation.

7. Classify the risk

Having already classified your assets (in point 1), you can prioritise the critical assets requiring remedial action. Your vulnerability management tools can help identify the software, systems and networks affected whilst you decide on the prioritisation.

8. Test

Applying patches to a sample of assets will identify if the patches will cause issues or not. By stress testing in this way, if there are any adverse changes to any systems, you won’t have disrupted your entire organisation.

9. Apply the patches

If you are happy with the results of the sample group, start patching the rest of your assets in priority order. It is still suggested that you roll out patching in batches to avoid any unexpected results to your processes. It’s worth noting that some advanced vulnerability management tools will offer the ability to automate parts of the patching process.

10. Check and track your progress

Once completed, reassess your assets to ensure patching was successful.

How often to apply patches and can Mintivo help?

It is recommended that patches are applied within 14 days of the patch being issued, particularly if a vendor describes it as a ‘critical’ or ‘high risk’ fix. You may also wish to implement a Risk Review and Disaster Recovery Plan to consider the implications of a vulnerability not being identified in time or a patch update not delivering the expected result, and how you would cope should a vulnerability be exploited and a cyber-attack occur.
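As an added illustration (not part of the original article), the Python sketch below joins an asset inventory to scanner findings, orders the missing patches with critical assets first, flags anything past the 14-day window, and splits the result into rollout batches, covering steps 6, 7 and 9 above. The hosts, product names, advisory IDs and field names are constructed for the example, and versions are assumed to be dotted numbers.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # window recommended on this page, counted from patch release
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed inventory (step 1): host -> owner, criticality flag, installed versions.
INVENTORY = {
    "web-01": {"owner": "ecommerce", "critical": True, "software": {"examplehttpd": "2.4.1"}},
    "db-01": {"owner": "finance", "critical": True, "software": {"exampledb": "12.3", "examplehttpd": "2.4.10"}},
    "hr-laptop-07": {"owner": "hr", "critical": False, "software": {"exampleoffice": "16.0.2"}},
}

# Constructed scanner output (steps 5-6): product, first fixed version, vendor severity, release date.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "fixed_in": "2.4.3", "severity": "critical", "released": date(2024, 3, 1)},
    {"id": "EXAMPLE-0002", "product": "exampleoffice", "fixed_in": "16.0.5", "severity": "high", "released": date(2024, 3, 10)},
    {"id": "EXAMPLE-0003", "product": "exampledb", "fixed_in": "12.4", "severity": "medium", "released": date(2024, 3, 12)},
]

def version_key(version):
    """Turn '2.4.10' into (2, 4, 10) so that 2.4.10 compares newer than 2.4.3."""
    return tuple(int(part) for part in version.split("."))

def patch_queue(inventory, advisories, today):
    """Steps 6-7: match advisories to assets, then order the missing patches."""
    queue = []
    for host, asset in inventory.items():
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            if installed is None or version_key(installed) >= version_key(adv["fixed_in"]):
                continue  # product absent, or already at a fixed version
            days_left = PATCH_WINDOW_DAYS - (today - adv["released"]).days
            queue.append({"host": host, "owner": asset["owner"], "advisory": adv["id"],
                          "severity": adv["severity"], "asset_critical": asset["critical"],
                          "days_left": days_left, "overdue": days_left < 0})
    # Critical assets first, then vendor severity, then the closest deadline.
    queue.sort(key=lambda f: (not f["asset_critical"], SEVERITY_RANK[f["severity"]], f["days_left"]))
    return queue

def rollout_batches(queue, batch_size):
    """Step 9: split the ordered queue into batches for staged rollout."""
    return [queue[i:i + batch_size] for i in range(0, len(queue), batch_size)]

if __name__ == "__main__":
    plan = rollout_batches(patch_queue(INVENTORY, ADVISORIES, date(2024, 3, 20)), 2)
    for number, batch in enumerate(plan, 1):
        for f in batch:
            print(number, f["host"], f["advisory"], f["severity"], "OVERDUE" if f["overdue"] else f["days_left"])
```

Comparing versions as number tuples rather than strings matters here: a plain string comparison would rank 2.4.10 below 2.4.3 and report db-01 as unpatched.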

If you would like Mintivo to help you with patch management, get in contact with us today and one of our team can talk you through how we can help.
