According to a recent survey that included approximately 480 IT professionals, effective patch management was considered to be the easiest way of enhancing IT risk management. However, organizations are still getting it wrong.
Patch weariness was considered to have only a small impact on the industry, but is in fact affecting a wide range of organizations. The patches are released at an uncontrollable rate; and the difference between implementing a patch and remediating a vulnerability is often not clear to IT teams.
Our industry confuses vulnerabilities with patches, and it is high time the difference was understood. Known vulnerabilities are classified using CVE IDs, and vendors release increments of code that address some of those CVE IDs. Sometimes a patch does not fix all of the vulnerabilities, and sometimes it remediates them on certain platforms but not on others. A patch can sometimes be an upgrade. Occasionally, either a distinct patch or an upgrade can be applied to repair different but overlapping sets of vulnerabilities.
According to the survey, understanding which patch should be applied to a system is still a struggle for at least 67% of security teams. For example, patches for embedded components such as Adobe Flash, which ship with Google Chrome updates, have complicated patch management. Judging the importance of a patch has also become tricky.
The confusion between applying patches and remediating vulnerabilities is one instance of the complexity that surrounds enterprise patch management. According to a survey conducted at the RSA Conference, 49% of the attendees reported that endpoint risks pose a greater threat than employee (insider) threats, network vulnerabilities, and cloud risks. Often, only half the organizations in the industry are able to deploy the patches released for zero-day vulnerabilities within a week.
Various challenges make patch management complicated. Enterprises that do not overcome these challenges will be unable to patch systems efficiently and effectively. This will lead them to make compromises that cannot be easily reversed. Patch management is vital to accomplishing and maintaining security.
Patch management is crucial to many security compliance frameworks, mandates, and other policies, such as the Payment Card Industry Data Security Standard (PCI DSS), which require up-to-date patches to be installed.
In a perfect world, a machine will patch itself. But since we live in a less than ideal world, let’s look at some of the best practices for security patch management:
- Create an updated inventory of all production systems, including the types and versions of the OS, the IP addresses, physical locations, custodians, and functions.
- Formulate a plan for standardizing production systems to the same version of the OS and application software.
- Make a list of all the security controls, such as routers, firewalls, IDSes, AVs, and so on, along with their configurations, to help decide on how to respond to a vulnerability.
- Compare the inventory list to the reported vulnerabilities. Vulnerabilities that affect the systems should be separated from those that do not affect the systems. The vulnerabilities must be collated using a dependable system.
- Categorize the risks by considering three factors: the seriousness of the threat, the level of vulnerability, and the cost of mitigating it.
- Finally, apply the patch. After steps 1-5 are completed and the information is compiled, determine which patches are to be installed and how to deploy them without disrupting uptime.
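As an added illustration of steps 4 and 5 (not code from the original article), the following script matches a constructed inventory against constructed advisories while keeping CVEs and patches as separate records, so a patch that is installed but only remediates a CVE on some platforms leaves the CVE open elsewhere; it then ranks candidate patches by the severity they would close on exposed hosts, divided by a relative deployment cost. All host names, platform labels, patch ids, CVE-0000-* ids, scores and costs are constructed placeholders.

```python
from typing import NamedTuple

class Host(NamedTuple):
    name: str
    platform: str         # constructed values, e.g. "linux" / "windows"
    product: str
    applied: frozenset    # ids of patches already installed on this host
class Advisory(NamedTuple):
    cve: str              # placeholder id, not a real CVE
    product: str
    severity: float       # CVSS-style base score, 0-10
class Patch(NamedTuple):
    pid: str
    product: str
    fixes: frozenset      # CVE ids the vendor says this release addresses
    platforms: frozenset  # platforms on which the fix is actually shipped
    cost: float           # relative deployment cost (testing, downtime)

def is_open(host, adv, patches):
    """A CVE stays open on a host unless an installed patch fixes it on that platform."""
    if host.product != adv.product:
        return False
    return not any(p.pid in host.applied and adv.cve in p.fixes
                   and host.platform in p.platforms for p in patches)

def exposure(hosts, advisories, patches):
    """Step 4: cve -> names of hosts on which it is still open."""
    return {a.cve: sorted(h.name for h in hosts if is_open(h, a, patches))
            for a in advisories}

def prioritize(hosts, advisories, patches):
    """Step 5: rank patches by severity closed on exposed hosts, per unit cost."""
    def gain(p):  # severity of currently open CVEs this patch would close
        return sum(a.severity for h in hosts for a in advisories
                   if h.product == p.product and h.platform in p.platforms
                   and p.pid not in h.applied and a.cve in p.fixes
                   and is_open(h, a, patches))
    return sorted(((round(gain(p) / p.cost, 2), p.pid) for p in patches), reverse=True)

# Constructed sample data: three app servers, two advisories, two patches.
HOSTS = [Host("web-01", "linux", "appserver", frozenset()),
         Host("web-02", "windows", "appserver", frozenset({"P-100"})),
         Host("web-03", "linux", "appserver", frozenset({"P-100"}))]
ADVISORIES = [Advisory("CVE-0000-0001", "appserver", 9.8),
              Advisory("CVE-0000-0002", "appserver", 5.3)]
PATCHES = [Patch("P-100", "appserver", frozenset({"CVE-0000-0001", "CVE-0000-0002"}),
                 frozenset({"linux"}), 1.0),   # fix only shipped for linux builds
           Patch("P-101", "appserver", frozenset({"CVE-0000-0001"}),
                 frozenset({"windows"}), 2.0)]  # windows-only fix, needs a reboot
```

Note that web-02 has P-100 installed yet both CVEs remain open on it, because the vendor shipped that fix only for linux; the inventory alone would have marked it as patched.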
Vulnerability and patch management is a never ending, yet essential cycle in today’s environment.
– Rini Thomas