With the recent Heartbleed bug, there has been a lot of talk about patching. It’s a great conversation to have. Patches add updates and fix bugs; they’re a great way to keep up to date and secure, but they don’t apply themselves. Your process for managing patches is essential to keeping your organization secure, because as security professionals, you’re busy dealing with a constant barrage of daily emergencies.
New patches come out on a daily basis; it’s not something that we need to think about just once a month or week anymore. Patching takes time and energy; there are a lot of factors involved, so it’s important that you streamline your process with best practices.
Inventory your network
You should have an up-to-date inventory of everything on your network. If you don’t have one, create one and make sure you audit it often to ensure it’s current. Know your production systems, IP addresses, physical locations, custodians and functions.
If you can, put all your production systems on the same operating system and application software. Limiting the number of versions you are running will minimize the amount of work needed for patching, and will help keep less-used versions from falling through the cracks and leaving your network vulnerable. The more streamlined the patch process can be, the better.
Inventory security measures
Again, an up-to-date list of all the security controls you have in place means less chance of missing something. Make a list of all your firewalls, routers, IDSes, AV and anything else. Knowing what security measures are in place will help you recognize where you could be most vulnerable so you can prioritize patching.
Assess your vulnerabilities
Take time to match up vulnerabilities with the inventory lists you’ve made. Create a reliable system for gathering vulnerability reports and pay attention to the ones that affect your specific systems. When you know what the vulnerabilities are, classify them and prioritize. Which are the biggest risks and which are most likely to happen?
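The matching and ranking step described above, as an added example that is not part of the original post. It joins an inventory to a set of advisories and ranks the hits by impact times likelihood, weighted by the host's function; every host, product, version, advisory ID and weight is constructed for illustration.

```python
def parse_version(text):
    """Tuple of ints, or None when the string is not purely numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def match(installed, adv):
    """'affected', 'ok', or 'review' when the version cannot be compared."""
    have = parse_version(installed)
    if have is None:
        return "review"
    lo, hi = parse_version(adv["first_bad"]), parse_version(adv["fixed_in"])
    return "affected" if lo <= have < hi else "ok"

def prioritize(assets, advisories, role_weight):
    """Rank findings by impact x likelihood x role weight, highest risk first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            status = "ok" if installed is None else match(installed, adv)
            if status != "ok":
                score = adv["impact"] * adv["likelihood"] * role_weight.get(asset["function"], 1)
                findings.append((score, asset["host"], adv["id"], asset["custodian"], status))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

# Constructed sample data (all names invented). first_bad inclusive, fixed_in exclusive.
ASSETS = [
    {"host": "web01", "custodian": "alice", "function": "production",
     "software": {"examplehttpd": "2.4.3", "exampletls": "1.0.4"}},
    {"host": "db01", "custodian": "bob", "function": "production",
     "software": {"exampledb": "9.1.0"}},
    {"host": "test01", "custodian": "carol", "function": "test",
     "software": {"exampletls": "1.0.2-beta"}},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "exampletls", "first_bad": "1.0.1",
     "fixed_in": "1.0.7", "impact": 5, "likelihood": 5},
    {"id": "ADV-EXAMPLE-2", "product": "examplehttpd", "first_bad": "2.4.0",
     "fixed_in": "2.4.3", "impact": 3, "likelihood": 2},
    {"id": "ADV-EXAMPLE-3", "product": "exampledb", "first_bad": "9.0.0",
     "fixed_in": "9.2.0", "impact": 4, "likelihood": 2},
]
ROLE_WEIGHT = {"production": 3, "test": 1}

if __name__ == "__main__":
    for finding in prioritize(ASSETS, ADVISORIES, ROLE_WEIGHT):
        print(finding)
```

A version string the script cannot compare is reported as "review" with its full score rather than skipped, so an oddly versioned host still reaches its custodian instead of dropping out of the list.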
Patches themselves are a risk; they break things. Don’t forget to assess the risk of patching itself. Make sure the patches will work within your environment. Create test environments to test patches and ensure patching won’t do more harm than good.
Get patching!
When applying the patches, finding the time that will be least disruptive is key. There are tools available to help you determine the best time to apply patches for your organization.
The patching process is a cycle. The better your process, the less ongoing effort you need to exert on patches and the safer and more secure you will be. While applying patches liberally is not a bad idea, over-applying will cost you time and productivity. Knowing where you’re most vulnerable and understanding how those vulnerabilities affect your systems will help you apply the right patches at the right time.