Patch Management is essential to your organisation\u2019s security and productivity, but what exactly is patch management and why do you need a patch management strategy?<\/p>\n\n\n\n
Similar to a medical patch, or plaster put on a cut to the skin to make it better, a software patch will correct errors in software code. These errors are sometimes called vulnerabilities or bugs and they can cause various issues with your servers and operating systems, but most seriously, if they are not patched, they can enable threat actors to exploit them, and therefore damage your business. Once a software vulnerability has been detected in firmware, operating systems or third-party applications they are published (often called a \u2018known vulnerability\u2019). Criminal hackers take advantage of these known vulnerabilities if they are not properly patched or updated quickly.<\/p>\n\n\n\n
Patching is the process of activating the updates provided by the software provider. Software patch management can include code changes and other software updates. Server patch management specifically updates servers. There are different types of patching, usually referred to as security patches, bug fix patches and feature update patches.<\/p>\n\n\n\n
Patches therefore ensure your system is as secure as possible. They can also add new functionality, and fix other issues such as software optimising performance and productivity. In addition to your servers and operating systems; applications and embedded systems, such as network equipment, may also require patching.<\/p>\n\n\n\n
Software Patch Management is key to any organisation for the following business critical reasons:<\/p>\n\n\n\n
Security: <\/strong>Patch management fixes vulnerabilities within your software and any applications that are susceptible to cyberattacks. They will help reduce security risks.<\/p>\n\n\n\n System uptime: <\/strong>By keeping your software and applications up-to-date and running smoothly, Patch Management will prevent downtime and loss of revenue.<\/p>\n\n\n\n Compliance: <\/strong>Regulatory bodies increasingly expect organisations to maintain a certain level of compliance to reduce the likelihood of a cyber-attack. Larger organisations may also insist that their supply chain adheres to certain security levels. A robust Patch Management Strategy can illustrate this and having one is part of achieving Cyber Essentials accreditation.<\/p>\n\n\n\n Feature improvements:<\/strong> Patches will provide you with the latest and best features and functionality that a product has to offer.<\/p>\n\n\n\n Patch Management is similar to Vulnerability Management and the phrases are often used interchangeably; however, patching is the act of solving or mitigating the vulnerability that has been identified in your software or systems.<\/p>\n\n\n\n Vulnerability Management is a continuous process of identifying, prioritising, remedying and reporting vulnerabilities within systems and especially the software that runs in them. When a vulnerability is identified, the management strategy will decide whether to install a patch (if one is available); implement some form of mitigating action to ease the issue (often until a patch is available) or it could be decided to accept the risk. Patching any vulnerability is the \u2018gold standard\u2019 and is recommended.<\/p>\n\n\n\n You could say that Patch Management forms part of your Vulnerability Management Strategy, especially as unpatched software applications or operating systems are one of the leading causes of security breaches. Shockingly, in a recent Ponemon Institute study, 62% of organisations<\/a> had no idea that they were vulnerable before they were attacked by cyber criminals, and perhaps worse, 60% stated that they knew about a vulnerability but had not applied the patch.<\/p>\n\n\n\n Any strategy within your business needs to be developed and defined. The impact of any activity needs to be assessed. Any patch management strategy, therefore, should be implemented with a detailed process that is cost-effective as well as being security-focused.<\/p>\n\n\n\n You need to understand what assets you hold – operating systems, version types, and IP addresses that exist, along with their physical and geographic locations. Identify who \u2018owns\u2019 these assets and regularly update your asset inventory, ideally monthly or quarterly. You may wish to highlight those critical to your organisation to make patch and risk management easier.<\/p>\n\n\n\n If all your assets run on the same versions, it makes patching faster and more efficient. Where possible, reduce the number of assets to a manageable number so that remediation can be accelerated as new patches are released. This will help save both users and the technical team\u2019s time.<\/p>\n\n\n\n Check that all software used is licensed and supported (where the creator or vendor of the software provides support and updates for it). If it is not, remove it from your assets.<\/p>\n\n\n\n It is helpful to identify all your firewalls, antivirus, and vulnerability management tools. Consider where these are situated, what they\u2019re protecting and which assets are associated with them.<\/p>\n\n\n\n The easiest way to do this is by utilising vulnerability management software or working with an external partner<\/p>\n\n\n\n Utilise a vulnerability management tool to assess which of your assets are affected by the vulnerabilities reported. This will help you understand the security risk to your organisation.<\/p>\n\n\n\n Having already classified your assets (in point 1), you can prioritise the critical assets requiring remedial action. Your vulnerability management tools can help identify the software, systems and networks affected whilst you decide on the prioritisation.<\/p>\n\n\n\n Applying patches to a sample of assets will identify if the patches will cause issues or not. By stress testing in this way, if there are any adverse changes to any systems, you won\u2019t have disrupted your entire organisation.<\/p>\n\n\n\n If you are happy with the results of the sample group, start patching the rest of your assets in priority order. It is still suggested that you roll out patching in batches to avoid any unexpected results to your processes. It\u2019s worth noting that some advanced vulnerability management tools will offer the ability to automate parts of the patching process.<\/p>\n\n\n\n Once completed, reassess your assets to ensure patching was successful.<\/p>\n\n\n\n It is recommended that patches are applied within 14 days of the patch being issued, particularly if a vendor describes it as a \u2018critical\u2019 or \u2018high risk\u2019 fix. You may also wish to implement a Risk Review and Disaster Recovery Plan<\/a> to consider the implications of a vulnerability not being identified in time; a patch update not delivering the expected result or how you would cope should a vulnerability be exploited and a cyber-attack occurs. <\/p>\n\n\n\nIs Patch Management the same as Vulnerability Management?<\/h2>\n\n\n\n
What does a Patch Management process include?<\/h2>\n\n\n\n
1. Create an up-to-date inventory of all your systems<\/h3>\n\n\n\n
2. Devise a plan to standardise systems and operating systems to the same version type<\/h3>\n\n\n\n
3. Software Health Check<\/h3>\n\n\n\n
4. List all security controls that are in place<\/h3>\n\n\n\n
5. Implement scanning of your assets to identify missing patches<\/h3>\n\n\n\n
6. Compare reported vulnerabilities against your inventory<\/h3>\n\n\n\n
7. Classify the risk<\/h3>\n\n\n\n
8. Test<\/h3>\n\n\n\n
9. Apply the patches<\/h3>\n\n\n\n
9. Check and track your progress<\/h3>\n\n\n\n
How often to apply patches and can Mintivo help?<\/h2>\n\n\n\n