Employees of every organization use a variety of computing devices such as desktops, servers, laptops, security appliances, and mobile devices to increase productivity in this ever-changing world of Information Technology. The confidentiality, integrity, and availability (CIA) of information has become essential to success and often a competitive advantage. A comprehensive patch management process should be a major component to protecting CIA on computing devices and the data they store or transmit. Patch management is not always a simple task, as organizations may have a variety of platforms and configurations, along with other challenges that make patching these components very difficult. However, there are recommendations and best practices to minimize the complexity of this much-needed task.
As defined by the U.S. National Institute of Standards and Technology (NIST) in NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies (478 KB PDF), patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. Although patches can serve other functions such as adding new features to products, patches are used most often to mitigate software vulnerabilities. Some challenges make the patch management process more complex, and should be taken into account.
The timing of when to install patches, which patches have priority, and the testing of patches are just a few of the major challenges when performing patch management. In some organizations, it's not always ideal to install a new patch as soon as it is available. Patches can disrupt essential business operations, and the environment of each organization may determine the best time for patch installation.
Often, vendors will bundle patches for monthly or quarterly releases, such as with Oracle Critical Patch Update, which for the month of October, contains 127 new security vulnerability fixes. In addition, Cisco has recently released its final Cisco IOS Software Security Advisory Bundled Publication of 2013 as described in a blog post by Erin Float, It's Back -It's Cisco IOS Software Security Advisory Bundle Time Again, which could aid a system administrator by simplifying the installation of multiple patches into one installation. Vulnerabilities disclosed publicly without vendor response can create a window of opportunity for attackers. Although it is beneficial for vendors to release patches on a timely schedule, this method could give an attacker more time to exploit a vulnerability before the vendor makes patches available. This scenario could also tie into the challenge of prioritization, such as which patches are critical and pose the highest risk for the organization if not implemented immediately.
Another challenge to patch management is the testing of patches before implementation. It's important to test patches to ensure the stability of a new patch on the current environment. Testing may be difficult for some organizations because they may not have the necessary hardware and software resources readily available for an environment to test the new patches. In addition, organizations may lack the personnel that are needed for testing. Insufficient software inventory management processes also introduce a challenge because patch management is dependent on having a current and complete inventory of the software that is installed on every device in the environment.
One of the first recommendations to a successful patch management process is to discover all assets that reside on the network. Organizations should create and maintain an up-to-date inventory list of all computing devices in the environment. With this updated list, an organization can determine which operating systems, software, and existing patches are present on devices in the network, aiding development of a baseline policy. The next recommended step in the patch management process is to determine if there are any unpatched devices in the environment and perform a risk analysis for the missing patches. There are various tools on the market that can assist in scanning the environment to perform a detailed analysis of the infrastructure. Two of the tools that can aid in this effort are Microsoft Baseline Security Analyzer (MBSA) and Cisco IOS Software Checker as described in a previous blog post by one of my colleagues, Nick Leali, NCSAM Tip#8: Patch Verification with MBSA and Cisco IOS Software Checker. After those steps are complete, remediation should be performed to bring all systems up to date with the latest patches, but not before creating a change management process to help with versioning control and documentation. Once the remediation is complete and all systems are using the latest software versions, the organization will have a new baseline to start from to continue the cycle of patch management. A minimum baseline policy with the latest patches is a good place to start to keep your patch management process running smoothly and efficiently throughout this continuous lifecycle.
NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf (478 KB PDF)
Six Steps for Security Patch Management Best Practices
http://searchsecurity.techtarget.com/Six-steps-for-security-patch-management-best-practices
Patch Management Best Practices
http://www.cressidatechnology.com/pdfs/whitepapers/bestpractices.pdf (482 KB PDF)
Cisco Security Blog: Patch Verification with MBSA and Cisco IOS Software Checker
http://blogs.cisco.com/security/ncsam-tip-8-patch-verification-with-mbsa-and-cisco-ios-software-checker/
Microsoft Baseline Security Analyzer
http://technet.microsoft.com/en-us/security/cc184924
Cisco IOS Software Checker
http://tools.cisco.com/security/center/selectIOSVersion.x