Mitigating controls for ineffective patching By Louay Ghashash
PATCH MANAGEMENT PROCESS
PROBLEMS STOPPING EFFECTIVE PATCHING
It is well known and understood in the industry that patch management is a fundamental corner stone of any security program. It has become well known and understood that without effective patch management, businesses will open their systems to myriad of attacks and data breaches. Majority of today’s attack and data breaches could have been avoided with patch management. Despite that, and while business understand the benefit; running smooth patch management is easier said than done; we often see issues and problems complicating that process and hindering its smooth operation.
Patch Management process is often over simplified, however if we look under the hood, we found many intricacies and complexities hidden within that process.
BEST PRACTICES OF PATCH MANAGEMENT Many security standards and best practices mandate or recommend that critical patches should be installed within less than 2-4 weeks from vendor release, high severity patches should be installed within less than 4 weeks and medium patches to be installed as soon as possible. Running an effective patch management requires that all the following areas and systems must be included in the process: - Firmware and BIOS - Hypervisors - Operating Systems - Application - Libraries and applets - 3rd party systems - IoT devices Focusing Patching efforts on Operating Systems only is not considered a good patch management practice.
50 | Australian Cyber Security Magazine
Legacy systems Legacy systems have to be a biggest roadblock in the road of patch management. Nowadays, there are many legacy systems, including Windows 2008, applications built on Java Run time environment that are >15 years old, Windows XP and even Windows NT4 still running around. Chances are that these legacy systems will stick around for many more years to come. Systems Testing Running an effective patch management goes well beyond getting latest Microsoft patches and apply them, therefore Business requires testing to be completed before approving patches. An effective testing has to be a massive task delaying businesses from rolling patches in time. Systems need to undergo thorough testing before the patches can be installed. Time and efforts required for testing are not small, vendors nowadays are releasing new patches and updates faster than ever, putting a lot of constrains on business’s resources and teams. Non-Production Systems The lack of available non-production systems made testing patches before rolling them out another challenge added to this problem. Systems complexity means that full thorough testing plan must be put in place and in some instances, full regression testing may be needed before approving any