Patch Management
Home > 
Patch Management
< back

Patch Management

As more and more software vulnerabilities are discovered and therefore need updates and patches, it is essential that system administrators manage the patching process in a systematic and controlled way. Successful patch management requires a robust and systematic process. This process, the Patch Management Lifecycle, involves a number of key steps: preparation, vulnerability identification and patch acquisition, risk assessment and prioritisation, patch testing, patch deployment and verification. When deploying a patch management solution, there are also a number of security issues that should also be considered.

According to the CERT Coordination Center (CERT/CC), thousands of software vulnerabilities are discovered and reported every year. A flexible and responsive security patch management process has become a critical component in the maintenance of security on any information system.

The following are suggested as part of the preparation process:
Create and maintain an pan-organisational hardware and software inventory
System administrators should create and maintain a clear inventory record of all hardware equipment and software packages, along with version numbers of those software packages most used within the organisation. This inventory will help system administrators better monitor and identify vulnerabilities and patches that are applicable across the organisation.
Standardise configurations
Standard configurations should be created and maintained for every major group of IT resources, such as user workstations and file servers. Standardised configurations can simplify the patch testing and application updating process, and will reduce the amount of time/labour devoted to patch management.
Educate users
Information security is everybody’s business and an effective patching process cannot be implemented without the cooperation and participation of end-users across the organisation. Users should be made aware of the importance of IT security and patch management as part of their daily work process. If sufficient training is provided to end-users, they can often perform lightweight patching on their own workstations, which will reduce the workload on system administrators around basic patch management. User awareness is especially important in organisations that allow remote access to a corporate network, as a vulnerability exploited through a computer system in someone’s home can threaten the security of the entire organisation.
Patch Testing
Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. This is to ensure that the patch installation does not lead to any unintended consequences on the production system.
In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability in question or corrected the performance issue as intended.
If it is not feasible to install the patch because, for example, testing results show that the patch will crash or seriously disrupt the production system, alternate security controls should be implemented.
Risk Assessment and Prioritisation
Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria:
Threat - A threat is any potential direct danger to information systems.
Vulnerability - A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker.
Criticality - This is a measure of how important or valuable a system is to business operations. Systems that are frequently considered as mission critical include mail servers, database servers and network infrastructure.
In general, systems facing more threats, or that are more vulnerable, or are mission critical should be accorded a higher priority in the patch management process.
Patch Deployment and Verification
Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method can apply across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation.
In addition, security patches should be deployed through an established change control process. Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with laid down security policies and guidelines.