Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” This age-old advice applies just as well to the digital world we live in today. Computers, applications and networks are under constant attack by hackers who are extremely motivated by big financial gains. An effective patch and vulnerability management program can stop most of them dead in their tracks, because it greatly reduces the risk that a neglected or unpatched computer system is exploited.
Here, the ounce of prevention is patching computers and applications; the pound of cure is the cost of responding to a cybersecurity incident or data breach.
Year after year, we learn that the vast majority of successful cyber-attacks exploited unpatched computers and/or unpatched applications. What is even more interesting is that most of the patches for these compromised systems had been available to install for months, if not years, prior to the cyber-attack.
There is no doubt that the combination of routine vulnerability scanning and the timely installation of system patches will make it much more difficult for a hacker to compromise your computer systems and information.
There are seven steps you must take to build an effective patch and vulnerability management program:
1. Inventory Systems and Applications. Before we attempt to patch computers, operating systems and applications, we first must know they exist. It is important to maintain an inventory of all computing assets. If possible, use inventory software to assist with the task, but at the very least make sure the inventory is completed by manual means.
2. Monitor for Vulnerabilities. Vendors release patches at regular intervals as new vulnerabilities are discovered. You must know when new patches are available to install; otherwise, you risk not installing patches in a timely manner – or not installing them at all. Good mechanisms for monitoring vulnerabilities include a combination of (i) checking vendor websites and subscribing to their mailing lists, (ii) regular vulnerability scanning, (iii) checking vulnerability databases, such as the National Vulnerability Database, and (iv) relying on an enterprise patch management tool.
3. Select Patches to Apply. Deciding which patches are ultimately installed is typically based on the criticality of the patch, the importance of the system being patched, the resources required to install the patch and the assurance of post-install system functionality. It is good practice, at a minimum, to install all “Critical” and “Security” patches.
4. Test. Prior to installing patches in production, install them in a test or non-production computing environment. This will assure that the installation of the patch does not cause any adverse outages or system disruption when it is ultimately installed in the production computer environment.
5. Verify Backup. Despite the testing efforts completed in step four, it is still conceivable that the installation of a patch will create unanticipated issues or outages. For this reason, it is important that you verify the system or application being patched has a recent data backup that can easily be restored if needed.
6. Automate Patching. The National Institute of Standards and Technology (NIST) recommends that patch installation be automated using enterprise patch management tools or alternative options. Manually installing patches is expensive and inconsistent. Where possible, make sure that systems are automatically updated according to your patch management program's parameters.
7. Verify Installation. The installation of a patch should always be confirmed by re-scanning the system with a vulnerability scanner and/or reviewing log files.
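Steps two, three and seven in working form, as an added Python example that is not part of the original article: an asset inventory is matched against an advisory feed, the findings are prioritized by patch criticality and system importance, at minimum the Critical and Security patches are selected, and a host is re-scanned after patching to confirm nothing remains open. The inventory, advisory ids, versions, importance weights and severity weights are all constructed sample data.

```python
# Constructed sample inventory (step 1): host -> business-importance weight and
# installed package versions as tuples. Values are made up for illustration.
INVENTORY = {
    "web-01": {"importance": 3, "packages": {"openssl": (1, 1, 1), "nginx": (1, 18, 0)}},
    "lab-07": {"importance": 1, "packages": {"openssl": (1, 1, 1), "curl": (7, 68, 0)}},
}

# Constructed advisory feed (step 2): the shape of data a vendor bulletin or an
# NVD lookup yields. The ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "openssl", "fixed_in": (1, 1, 2), "severity": "Critical"},
    {"id": "EXAMPLE-ADV-2", "package": "nginx", "fixed_in": (1, 20, 0), "severity": "Security"},
    {"id": "EXAMPLE-ADV-3", "package": "curl", "fixed_in": (7, 70, 0), "severity": "Low"},
]

# Hypothetical weighting: patch criticality multiplied by system importance.
SEVERITY_WEIGHT = {"Critical": 3, "Security": 2, "Low": 1}


def find_missing_patches(inventory, advisories):
    """Step 2: report every host running a version older than the fixed one."""
    findings = []
    for host, info in inventory.items():
        for adv in advisories:
            installed = info["packages"].get(adv["package"])
            if installed is not None and installed < adv["fixed_in"]:
                findings.append({
                    "host": host, "advisory": adv["id"], "package": adv["package"],
                    "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                    "priority": SEVERITY_WEIGHT[adv["severity"]] * info["importance"],
                })
    return findings


def select_patches(findings, required=("Critical", "Security")):
    """Step 3: keep at minimum the Critical/Security patches, highest priority first."""
    chosen = [f for f in findings if f["severity"] in required]
    return sorted(chosen, key=lambda f: f["priority"], reverse=True)


def apply_patch(inventory, finding):
    """Simulated install: the patch tool would do this on the real host."""
    inventory[finding["host"]]["packages"][finding["package"]] = finding["fixed_in"]


def verify_installation(inventory, advisories, host):
    """Step 7: re-scan one host; returns the advisory ids still open on it."""
    return [f["advisory"] for f in find_missing_patches({host: inventory[host]}, advisories)]
```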
It is common to see the responsibility of creating and maintaining a patch and vulnerability management program assigned to the Network Administrator or outsourced to a Third Party Service Provider.
Patching equals prevention, and remember – an ounce of prevention is worth a pound of cure. Patching is easy to do, inexpensive and an incredibly effective cyber-security defense. Happy Patching.