Cybersecurity defense is one of the most important goals for any computing device, and that’s especially true for corporate computer networks. While there are many possible strategies that you can implement to boost the security of your network, it’s strongly recommended that you include patch management as one of your first steps.
There was a time when putting in patches for software and operating systems wasn’t really considered all that important. In fact, it was sometimes viewed with downright suspicion. It wasn’t just about having an “install and forget” mentality. It was also about the possibility of putting in poorly designed patches that made things worse. So the thinking was “Why fix something that’s not broken?”
Historically, many of these patches did prove to be disasters. The history of patches for the iPhone is a notorious example, and even now these various iOS patches can lead to new problems that weren’t there before.
However, many cyber threats can now take advantage of vulnerabilities in a wide range of programs. That’s why software makers keep releasing patches to close those vulnerabilities. Security problems such as worms can enter your computer network through these vulnerabilities if you fail to install the patches on time.
What is Patch Management?
If you’re a typical consumer, you probably have a smartphone in which various apps are installed. For you, patch management can be simple. Your smartphone can inform you whenever you have patches and upgrades available for your smartphone OS and for your apps. You can even enable your phone to automatically update the apps for you.
The same thing goes when you use a Windows PC. Windows can automatically download upgrades and patches to the OS. In addition, you’re told about updates available for your programs.
But the complexity of patching increases when you’re dealing with a corporate computer network. There are simply too many machines and too many programs for you to patch programs manually. You also can’t just enable patches to be installed automatically whenever they’re available. That’s because some patches are more important than others, and patches still represent a risk to your network. It’s one thing for an iPhone to be “bricked”, but it’s another thing entirely when a patch messes up your entire network.
Patch Information Awareness
If your company is using a network, then you need to have someone or a team in charge of patch management. One of their first goals is to be immediately aware whenever a patch is available. They also have to know whether the various patches are relevant for your computer environment.
This team can use various methods of staying up to date with this crucial information. They can call account managers every week or every month to ask whether patches are scheduled or have already been released. They can subscribe to the security announcement lists offered by the software vendors. They may also actively monitor highly regarded forums and websites that broadcast news reports about security patches for the programs you use.
Priorities and Schedules
Every day and every week, your team may have news about several patches available. You don’t just install them in the order that they come in. That’s because some patches are more important than others. A patch that’s designed to cover the vulnerability of a program to a particular worm is more crucial than a patch with just minor upgrades. The more important patch must be installed first.
Patch management team members can take several factors into account in order to determine which patches are more crucial for your network security. One helpful hint comes from the vendors themselves, which may have high, medium, or low ratings for the criticality of their patches. Your IT department may also be aware of a known exploit that’s attacking a particular vulnerability, and thus a patch for this problem may be deemed crucial.
You’ll also need to consider the importance of the program updated by a particular patch. Some programs are crucial for your business, while others not so much. You should also consider the level of exposure, which is different for your DMZ systems compared to your internal file servers.
You also can’t forget all the other patches that offer bug fixes or extra features for your other programs. Just because the patches aren’t security-related doesn’t mean that they shouldn’t be installed.
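The factors listed above (vendor criticality rating, a known exploit in the wild, how important the program is to the business, and how exposed the system is) can be turned into a repeatable ordering rather than a gut call. The following is an added example, not code from the article: it scores each queued patch with constructed weights and sorts the queue so the most urgent item is installed first, while non-security patches still stay in the queue rather than being dropped. The field names, weights and patch identifiers are assumptions chosen for illustration; a real team would tune the weights to its own environment.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed weights: the vendor's own rating, how critical the affected system is
# to the business, and how exposed it is (DMZ vs. internal). Tune to your environment.
VENDOR_WEIGHT: Dict[str, int] = {"high": 30, "medium": 15, "low": 5}
CRITICALITY_WEIGHT: Dict[str, int] = {"high": 20, "medium": 10, "low": 3}
EXPOSURE_WEIGHT: Dict[str, int] = {"dmz": 20, "internal": 5}
SECURITY_BONUS = 25      # security fix vs. bug fix / feature update
KNOWN_EXPLOIT_BONUS = 40  # IT is aware of an exploit attacking this vulnerability


@dataclass(frozen=True)
class Patch:
    patch_id: str          # placeholder identifier, not a real vendor KB/advisory number
    product: str
    vendor_rating: str     # "high" | "medium" | "low"
    security_related: bool
    known_exploit: bool
    asset_criticality: str  # "high" | "medium" | "low"
    exposure: str           # "dmz" | "internal"


def _weight(table: Dict[str, int], key: str, field: str) -> int:
    # Fail loudly on unknown values: silently treating a typo as "low" would
    # push a critical patch to the back of the queue.
    if key not in table:
        raise ValueError(f"unknown {field} value: {key!r}")
    return table[key]


def priority_score(p: Patch) -> int:
    """Higher score = install sooner."""
    score = _weight(VENDOR_WEIGHT, p.vendor_rating, "vendor_rating")
    score += _weight(CRITICALITY_WEIGHT, p.asset_criticality, "asset_criticality")
    score += _weight(EXPOSURE_WEIGHT, p.exposure, "exposure")
    if p.security_related:
        score += SECURITY_BONUS
    if p.known_exploit:
        score += KNOWN_EXPLOIT_BONUS
    return score


def prioritize(patches: List[Patch]) -> List[Patch]:
    """Return the queue ordered most-urgent first. Nothing is dropped: low-scoring
    feature or bug-fix patches simply wait their turn."""
    return sorted(patches, key=priority_score, reverse=True)


# Constructed sample queue for one week's announcements.
SAMPLE_QUEUE: List[Patch] = [
    Patch("PATCH-A", "public web server", "high", True, True, "high", "dmz"),
    Patch("PATCH-B", "internal file server", "medium", True, False, "high", "internal"),
    Patch("PATCH-C", "office suite (new feature)", "low", False, False, "medium", "internal"),
    Patch("PATCH-D", "internal line-of-business app", "high", True, False, "medium", "internal"),
]


if __name__ == "__main__":
    for p in prioritize(SAMPLE_QUEUE):
        print(f"{priority_score(p):4d}  {p.patch_id}  {p.product}")
```

With these weights the web server patch with a known exploit lands first, the two security fixes for internal systems follow, and the feature update comes last but remains scheduled.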
Testing the Patch
Now that you have a queue of patches to be installed, do you just install each one to all your network components all at once? That’s not a prudent option, since a problematic patch can cause disruptive changes to your programs and your network environment.
So first you have to test it. The first step of testing is validating the source and integrity of the patch. This checks that it’s a real and authorized patch from the vendor and that it hasn’t been altered. A form of checksum or integrity verification must be performed, such as checking the digital signature.
When the patch is deemed valid, it’s then placed in a test environment. This environment should be very similar to your actual production environment. Generally, you can test the patch in a production system subset such as the IT employee systems and department-level servers.
The test can be anything, depending on your standards. Some tests only check to see that the system can reboot and the app can still run. At the other end of the spectrum is the use of a battery of tests to see that the patch doesn’t negatively affect your program and your system.
When you’re ready to start installing, you begin with the least critical systems first. You check the performance of the patch there, and then if you’re satisfied that no damage has been done you can roll out the patch to the rest of your network.
At this point, you should also have contingency plans if something goes wrong. You also need a definite standard of what makes for a successful update so that these recovery plans aren’t needed.
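The procedure described in this section, verifying the patch before anything else, then moving it through a test environment and the least critical systems before the rest of the network, with a clear success criterion and a rollback path at each stage, can be written down as a gated pipeline. The following is an added example and not the article's own code: it checks a downloaded patch against a published SHA-256 digest (here a constructed stand-in for the vendor's published value; in practice the digest must come from an authenticated source such as a signed manifest, otherwise it only proves the download was not corrupted), then walks fixed rollout rings, advancing only while the health check for the current ring passes and rolling that ring back otherwise. The ring names, the health-check callbacks and the patch bytes are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed stand-ins: a downloaded patch and the digest the vendor published for it.
GENUINE_PATCH = b"constructed-example-patch-payload-v1.0"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_PATCH).hexdigest()

# Rollout rings in the order the article recommends: test environment first,
# least critical production systems next, everything else last.
RINGS: List[str] = ["test_environment", "least_critical", "remaining_production"]


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the SHA-256 of the downloaded bytes matches the published digest.
    compare_digest avoids leaking the mismatch position through timing."""
    actual_hex = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


def staged_rollout(
    patch: bytes,
    expected_hex: str,
    apply: Callable[[str], None],
    health_check: Callable[[str], bool],
    rollback: Callable[[str], None],
) -> Dict[str, object]:
    """Gate 1: integrity. Gates 2..n: one ring at a time, each must pass its
    success criterion (health_check) before the next ring is touched."""
    result: Dict[str, object] = {"deployed": [], "rolled_back": None, "status": ""}
    if not verify_integrity(patch, expected_hex):
        result["status"] = "rejected: integrity check failed"
        return result
    for ring in RINGS:
        apply(ring)
        if health_check(ring):
            result["deployed"].append(ring)  # type: ignore[union-attr]
            continue
        # Contingency plan: undo this ring and stop; later rings are never touched.
        rollback(ring)
        result["rolled_back"] = ring
        result["status"] = f"halted at {ring}"
        return result
    result["status"] = "complete"
    return result


def run_scenario(patch: bytes, ring_health: Dict[str, bool]) -> Dict[str, object]:
    """Drive staged_rollout with simulated callbacks (constructed scenario).
    ring_health says whether each ring's post-patch health check would pass."""
    applied: List[str] = []
    return staged_rollout(
        patch,
        PUBLISHED_SHA256,
        apply=lambda ring: applied.append(ring),
        health_check=lambda ring: ring_health[ring],
        rollback=lambda ring: applied.remove(ring),
    )


if __name__ == "__main__":
    all_healthy = {r: True for r in RINGS}
    print(run_scenario(GENUINE_PATCH, all_healthy))
    print(run_scenario(GENUINE_PATCH + b"X", all_healthy))           # altered download
    print(run_scenario(GENUINE_PATCH, {**all_healthy, "least_critical": False}))
```

A patch that fails the integrity gate never reaches any ring, and a health-check failure on the least critical systems leaves the rest of the network untouched, which is exactly what the staged approach is meant to buy you.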
For all these tasks, you need the right policies along with the right software. That can make patch management much easier and more efficient.