It’s been said that there are only two types of companies left in the world: those that know they’ve been hacked and those that don’t. We have to hope that there’s still a third group: those that have not been hacked. You can be sure the companies in that third group are the ones rigorously implementing security features and, more importantly, keeping them updated.
Patching is not a highlight of the job, but it is a key – some might even say the key – to mitigating risk to your system and remediating vulnerabilities. Despite its importance, it is easy to let it fall by the wayside. To help make patching easier, Paul Henry, security and forensic analyst at Lumension, has come up with some simple tips to help your Patch Tuesday go a little more smoothly and keep your systems up to date.
The five Patch Tuesday survival guide tips follow.
Before you can implement any patches, you have to know what you’re patching. Figure out what systems you’re running on what machines. Categorize everything to make it easier to understand later. Identify the critical systems based on the functions performed, assets housed in the system and their vulnerability to attack.
Determine ownership, permissions and responsibilities for threat identification, testing and remediation across security, IT and business units. Define the patch cycle for different systems. Figure out the internal roles and access requirements within your organization. Formalize this in a patch plan. Pass this plan around to those who need to understand it and use it to help ensure that everyone understands the importance of keeping machines patched and up to date.
After you’ve done the prep work to ensure a plan is in place for patching, you’re ready to take on Patch Tuesday. Do some research to determine what is expected to be released by Microsoft, Adobe, Java, Apple and other vendors that may affect your systems and determine how these patches will impact your organization. Don’t forget to review any internally developed applications or custom patches that may be needed. Keep your eyes open for pre-announcements from vendors that can help you do this prep work. Reserve time slots to deploy the patch updates. Mission-critical servers should be patched within 72 hours. Do a final scan of your machines prior to Patch Tuesday to make sure that everything is as up-to-date as it can be before the patches are released. Don’t forget that some patches won’t deploy if prior patches aren’t installed.
Once the patches have been released, it’s time to apply them. Use the information released by the vendors to assess patch impact, asset risk and value to prioritize the patches and your systems for testing and deployment. Consider the threat level, whether there are known active exploits in the wild, the risk of compromising your systems and the consequences if systems are compromised.
Use test groups to test each patch and deploy patches in phases. Stage deployment by system groups and prioritization. Start with the low-risk groups, verify that no problems occur, and then work your way to larger and higher-risk areas of your network. We always recommend you cache all patch content before deployment.
Breathe easy! The patches are deployed and your systems are safer! Patches are a monthly recurrence, though, so you’ll need to start getting ready for next month by assessing what you’ve just finished. Keep accurate reports of the patches deployed, reboots that occurred, etc., to make sure that every patch was deployed properly. Figure out how long it took to patch all the assets in your organization. This is a great metric to measure against every month. Keep monitoring your systems to ensure patches aren’t removed and that systems stay in compliance. Modify any relevant system settings, distribution parameters, etc., to continue optimizing your system for next month’s updates.
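The reporting step above, as an added example that is not part of the original article: a short Python script that reads one cycle's deployment records and reports per-asset time to patch, mission-critical servers that missed the 72-hour window, patches still missing, and the overall cycle time. The asset names, patch IDs, timestamps and record layout are constructed for illustration.

```python
from datetime import datetime, timedelta

CRITICAL_SLA = timedelta(hours=72)  # the article's window for mission-critical servers

# Constructed sample data: vendor release time and per-asset deployment records.
RELEASED = datetime(2024, 1, 9, 18, 0)
RECORDS = [
    # (asset, mission_critical, patch_id, installed_at or None if still missing)
    ("web-01", True,  "PATCH-A", datetime(2024, 1, 10, 9, 0)),
    ("web-01", True,  "PATCH-B", datetime(2024, 1, 11, 9, 0)),
    ("db-01",  True,  "PATCH-A", datetime(2024, 1, 13, 20, 0)),
    ("hr-pc7", False, "PATCH-A", datetime(2024, 1, 16, 12, 0)),
    ("hr-pc7", False, "PATCH-B", None),
]

def patch_cycle_report(released, records, sla=CRITICAL_SLA):
    """Summarize one patch cycle from deployment records."""
    finished = {}     # asset -> time its most recent patch landed
    missing = set()   # (asset, patch) pairs that were never installed
    critical = set()  # assets flagged mission-critical
    for asset, is_critical, patch, installed_at in records:
        if is_critical:
            critical.add(asset)
        if installed_at is None:
            missing.add((asset, patch))
            continue
        finished[asset] = max(finished.get(asset, installed_at), installed_at)
    incomplete = {asset for asset, _ in missing}
    # An asset counts as patched only once every one of its patches is installed.
    time_to_patch = {a: t - released for a, t in finished.items()
                     if a not in incomplete}
    # A critical asset breaches if it is incomplete or finished after the window.
    breaches = sorted(a for a in critical
                      if a in incomplete or time_to_patch[a] > sla)
    # The month-over-month metric is defined only when nothing is missing.
    cycle = max(time_to_patch.values()) if time_to_patch and not missing else None
    return {"time_to_patch": time_to_patch, "sla_breaches": breaches,
            "missing": sorted(missing), "cycle_time": cycle}

if __name__ == "__main__":
    report = patch_cycle_report(RELEASED, RECORDS)
    for asset, delta in sorted(report["time_to_patch"].items()):
        print(f"{asset}: patched in {delta}")
    print("72-hour breaches:", report["sla_breaches"])
    print("still missing:", report["missing"])
    print("cycle time:", report["cycle_time"])
```

A cycle time of `None` means at least one patch is still outstanding, so the month's metric should not be recorded yet.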