It is a well known fact that the majority of serious computer attacks are actually exploiting known vulnerabilities for which security patches and/or fixes already exist. The issue is that with hundreds of patches released every month for various different operating systems and applications, many organizations end up falling behind on installing them. There is also a great deal of confusion over which patches actually need to be installed and which are fine to be ignored. This is why every organization needs to set up an appropriate patch management process. However, this is a complex situation and you will need to think about the amount of time and resources that you have available
Here we have outlined a step by step guide explaining how to go about developing an effective set of patch management best practices for your organization.
Take Inventory of Your Network
The first step is to develop an up to date inventory of all of your operating systems, IP addresses and applications. This should include the type and version of each piece of software, the machine that it is installed on and the purpose of each one.
Consider Standardizing Operating Systems & Applications
Once you have your inventory, you will be able to see where the biggest differences are in terms of what is installed on each device connected to your network. Patch management becomes so much easier if there is some degree of consistency across the network so at this stage you may want to consider standardizing operating systems and applications. It may not be possible to standardize all of your devices, but the fewer versions you have to work with the easier it is going to be to maintain them properly.
Compare Known Vulnerabilities Against Your Inventory
Once you have taken inventory of your systems and standardized as much as possible, the next step is to collate known vulnerabilities into a list that you can then reference against your inventory to determine which ones will affect your organization the most. You will first need to find a reliable system for collecting vulnerability alerts. Then you will need to identify which of those vulnerabilities actually affects your system. Depending on the size of your organization, you may have a dedicated employee tasked with this, or you could use a reputable vulnerability reporting service.
Classify The Risk
When you know which of the known vulnerabilities may apply to you the next step is to assess the level of risk that they present. Is it likely that you will experience an attack? For some vulnerabilities you may find that there is only a minimal risk and that your firewall is going to take care of it without any additional intervention. Others may be critical and need a patch installed as quickly as possible. Generally speaking, you will need to consider three main factors in order to classify the risk. First, look at the severity of the threat and how likely it is to impact your organization. Next up you will need to look at the level of vulnerability, for example is the system going to be affected inside of or outside of your firewall. Finally, you should evaluate the cost of mitigation and recovery in relation to each vulnerability.
Apply The Relevant Patch
Once you have worked through the other steps in the process it is time to actually apply the relevant patches to secure your system. This in itself can be a complex and time consuming process, so you will likely want to invest in some patch management software which will help you to automate the process. This can be especially useful for smaller organizations who do not have the resources to employ a dedicated IT professional to deal with patch management.
This is by no means a fully comprehensive guide to patch management best practices, but it should hopefully give you a good starting point. Why leave yourself vulnerable to security risks when they can be easily fixed with the relevant patches.
Clare Louise