What is patch management?
Patch Management refers to the process of acquiring, testing, and implementing patches (software updates) on computing hardware across your network. Patch Management might include operating system (OS) patches and updates for Microsoft, Apple, or Linux, or third party software applications such as Chrome, Firefox, Adobe Flash, or Java. Patch Management may also include patches and updates for more specialized software (such as your Teller or Payroll applications) or firmware updates for your network hardware (routers, switches, or printers).
Who needs to be concerned with Patch Management?
If you have a system with software, you NEED to be patching religiously. Not staying up-to-date on patches will leave your systems vulnerable to known attacks that can be prevented with proper patching. It is the equivalent of leaving your doors unlocked in an unsafe neighborhood, and the internet is most certainly not a safe neighborhood.
Many of the recent large-scale cyber-attacks, such as NotPetya and WannaCry, target specific vulnerabilities in Windows. In fact, much of the damage caused by WannaCry in May of 2017 could have been prevented by proper patch management, as Microsoft had issued patches (MS17-010) for the root SMB vulnerability (EternalBlue) back in March. The NotPetya attack utilized the same EternalBlue vulnerability to spread, meaning many systems were still not patched more than 3 months after the original patch was released.
These examples illustrate not only the importance of patching critical and high-risk vulnerabilities, but also how doing so in a timely manner may protect your organization from an attack. If the organizations affected by the EternalBlue vulnerability had rolled out the patch in a reasonable time frame (in this case, within the month), they could have reduced much of the impact from the WannaCry and NotPetya attacks.
How does Patch Management work?
The patch management life cycle starts by scanning their environment for needed patches, which includes identifying specific vulnerabilities and the systems which need to be updated. This type of scan is most frequently referred to as a vulnerability assessment (VA). A VA scan will generate a list of unpatched systems with vulnerabilities and the correlating patches/updates/fixes to mitigate the vulnerability.
After identifying missing patches, but before rolling updates out to the whole environment, organizations should test patches on a limited subset of systems or a separate test environment. Installing the patches on a test environment, whether physical or virtual, allows you to identify any potential issues before patches or updates are rolled-out to the production environment. Identifying issues before production roll-out will decrease the likelihood that operations are impacted due to faulty patches or certain applications not working properly after being updated.
Once missing patches have been identified and tested, patches can be installed on vulnerable systems. Patching can be done manually via Windows Update or in-app patching, but most enterprise-wide patches are typically deployed on a large scale with a patch management software solution.
Finally, after patches have been rolled out and installed, the process repeats itself as the next scanning-phase begins. This next iteration of scanning will identify if the previous patches were installed correctly, and identify any new vulnerabilities that may need to be patched during the current cycle.
Focusing on your most vulnerable systems (typically devices running Windows operating systems, as well as highly-used third-party programs like Adobe Flash, Adobe Reader, and Java) is one of Patch Management’s key concepts. Starting with your most risky (vulnerable) devices allows you to allocate time and resources where they will be best utilized and provide the most risk mitigation in the most efficient manner.
Depending on the size of your organization and the amount of systems and software that need to be kept up-to-date, you may want to utilize a third-party patch management solution. Numerous software applications are available to automate your patching process and allow you to schedule automatic update cycles, test patches on certain designated systems, review and approve patches prior to installation, and review reports to identify patching coverage across your environment. For Microsoft patching specifically, Microsoft includes a tool called WSUS (Windows Server Update Services) with all Windows Server operating systems. WSUS may be sufficient in environments with limited third-party systems, but it is recommended that you consider additional patch management software if other third-party applications like Flash, Adobe, or Java are regularly used.
Written by: Dan Klosterman
Senior Information Security Consultant, SBS CyberSecurity
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
How SBS Can Help
As discussed above in the patch management life cycle, to verify your patch management process is operating effectively, you’ll want to periodically test your patch levels by performing a Vulnerability Assessment. A Vulnerability Assessment should scan your network devices for all known vulnerabilities arising from unpatched software or misconfigured systems. SBS offers Vulnerability Assessments as a service, in addition to other network security testing such as Penetration Testing (geared towards obtaining unauthorized access rather than identifying all vulnerabilities) and Social Engineering (testing your people instead of your technology controls).
In addition, Microsoft offers a free tool called Microsoft Baseline Security Analyzer (MBSA) that may perform a limited scan for strictly Microsoft updates. You can download MBSA here: https://technet.microsoft.com/en-us/security/cc184924.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.