As the number of discovered software vulnerabilities grows, and with it the volume of updates and patches, system administrators must manage patching in a systematic and controlled way. Successful patch management rests on a robust, repeatable process, the Patch Management Lifecycle, which consists of a number of key steps: preparation, vulnerability identification and patch acquisition, risk assessment and prioritisation, patch testing, patch deployment and verification. When deploying a patch management solution, a number of security issues should also be considered.
According to the CERT Coordination Center (CERT/CC), thousands of software vulnerabilities are discovered and reported every year. A flexible and responsive security patch management process has become a critical component in the maintenance of security on any information system.
System administrators should create and maintain a clear inventory record of all hardware equipment and software packages, including the version numbers of the software packages in use (at minimum those most widely used within the organisation). With such an inventory, administrators can quickly determine which hosts an announced vulnerability or patch actually applies to, rather than rediscovering that information host by host each time an advisory is published.
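The following is an added example, not code from the original article, of how an inventory with version numbers is matched against advisories to produce a per-host patch list. The inventory rows, the advisory identifiers (ADV-EX-1, ADV-EX-2) and the fixed-version numbers are all constructed for illustration; in practice the inventory would be exported from the asset database or package manager and the advisories from the vendor's feed. The example also handles the case an administrator most needs flagged: an installed version on a branch the advisory says nothing about.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (host, package, installed version).
INVENTORY = [
    ("web-01", "openssl", "3.0.7"),
    ("web-02", "openssl", "3.0.12"),
    ("db-01", "openssl", "1.1.1t"),
    ("app-03", "openssl", "3.1.4"),
    ("ws-17", "acrobat-reader", "23.001.20093"),
    ("ws-18", "acrobat-reader", "23.006.20360"),
]

# Constructed, hypothetical advisories: for each affected package, the first
# fixed version on each maintained branch. Not real advisory data.
ADVISORIES = [
    {"id": "ADV-EX-1", "package": "openssl",
     "fixed": {"3.0": "3.0.10", "1.1.1": "1.1.1v"}},
    {"id": "ADV-EX-2", "package": "acrobat-reader",
     "fixed": {"23": "23.006.20320"}},
]


def version_key(version):
    """Split a version string into a tuple that compares correctly.

    Numeric runs compare as integers (so 3.0.7 < 3.0.10, which a plain string
    comparison gets wrong) and letter runs compare as strings (so 1.1.1t <
    1.1.1v); a bare 1.1.1 sorts before 1.1.1a because its tuple is shorter.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def branch_of(version, branches):
    """Return the longest branch prefix that `version` belongs to, or None."""
    vk = version_key(version)
    for branch in sorted(branches, key=lambda b: len(version_key(b)), reverse=True):
        bk = version_key(branch)
        if vk[:len(bk)] == bk:
            return branch
    return None


def find_missing_patches(inventory=INVENTORY, advisories=ADVISORIES):
    """Return (needs_patch, needs_review).

    needs_patch:  (host, package, installed, advisory_id, fixed_version)
    needs_review: (host, package, installed, advisory_id) for installed
                  versions on a branch the advisory does not describe, which
                  must be checked by hand rather than silently assumed safe.
    """
    by_package = defaultdict(list)
    for adv in advisories:
        by_package[adv["package"]].append(adv)

    needs_patch, needs_review = [], []
    for host, package, installed in inventory:
        for adv in by_package.get(package, []):
            branch = branch_of(installed, adv["fixed"])
            if branch is None:
                needs_review.append((host, package, installed, adv["id"]))
                continue
            fixed = adv["fixed"][branch]
            if version_key(installed) < version_key(fixed):
                needs_patch.append((host, package, installed, adv["id"], fixed))
    return needs_patch, needs_review


def hosts_to_patch(inventory=INVENTORY, advisories=ADVISORIES):
    """Map each host to the set of advisory IDs it is still exposed to."""
    needs_patch, _ = find_missing_patches(inventory, advisories)
    exposure = defaultdict(set)
    for host, _pkg, _ver, adv_id, _fixed in needs_patch:
        exposure[host].add(adv_id)
    return dict(exposure)


if __name__ == "__main__":
    patch, review = find_missing_patches()
    for host, package, installed, adv_id, fixed in patch:
        print("PATCH   %-7s %-15s %-13s -> %s (fixed in %s)"
              % (host, package, installed, adv_id, fixed))
    for host, package, installed, adv_id in review:
        print("REVIEW  %-7s %-15s %-13s    %s covers no matching branch"
              % (host, package, installed, adv_id))
```

The version comparison is the part that is easy to get wrong: comparing version strings lexically reports 3.0.7 as newer than 3.0.10, and a real inventory will contain vendor-specific schemes (letter suffixes, zero-padded fields) that the key function above normalises. Anything that lands in the review list should be treated as exposed until shown otherwise.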
Standard configurations should be created and maintained for every major group of IT resources, such as user workstations and file servers. Standardised configurations simplify patch testing and application updating, since a patch tested against the standard build can be expected to behave the same way on every system built from it, and any system that has drifted from the standard stands out as needing separate attention. This reduces the time and labour devoted to patch management.
Information security is everybody’s business, and an effective patching process cannot be implemented without the cooperation and participation of end-users across the organisation. Users should be made aware of the importance of IT security and patch management as part of their daily work. Given sufficient training, end-users can often apply lightweight patches to their own workstations, which reduces the basic patch management workload on system administrators; the verification step of the lifecycle should still confirm centrally that those patches were in fact applied. User awareness is especially important in organisations that allow remote access to the corporate network, since an unpatched home computer used for remote access, once compromised, can expose the security of the entire organisation.