Why patch management is a critical step in achieving effective IT security

Ever since computer operating systems were first developed, there’s been a need for software patches.

Designed to plug performance holes, add additional features, and improve security, patches remain a part of day-to-day life for IT teams within all organisations. Unfortunately, however, the constant need to roll them out to large numbers of devices can be a time-intensive hassle.

They also create headaches for users. Each time a new patch is applied the device usually needs to be restarted which can cause interruptions to workflows and reduce productivity. Often, the temptation is to delay applying the patch which can lead to serious security complications in the future.

The exploitation of software vulnerabilities is a dominant cause of IT security breaches, such as those recently seen at Oxfam Australia, Transport for NSW, Toll Group and Service NSW. Most of these occur when cybercriminals use known vulnerabilities to mount their attack. These are usually vulnerabilities that a patch could have addressed, but the patch was never applied.

It’s also important to remember that hackers have access to public exploits to carry out their attacks, which they do not hesitate to use because they know many organisations do not patch their systems. In fact, experience shows that 80% of successful attacks exploit vulnerabilities for which a patch was available but had not been applied.

Better patch management

For these reasons, it’s important that organisations have in place an effective patch management process. This ensures that all critical patches are applied to all relevant devices as soon as the patches become available.

While this might appear to be a simple task, most organisations struggle to identify which critical patch updates they need to install first. Therefore, prioritising patch rollouts is a key part of the management process. The two most common kinds of patch needing to be managed are security patches and service pack or feature pack patches.

A security patch is a change made to an application or program in order to fix bugs or flaws that cause vulnerabilities. Applying this kind of patch prevents those vulnerabilities from being exploited, or eliminates or mitigates the ability of a threat to exploit a vulnerability in an asset.

Meanwhile, service pack (SP) or feature pack (FP) patches comprise a collection of updates, fixes, or feature enhancements for a piece of software. They tend to solve a lot of pending problems, and usually include all the patches, hotfixes, maintenance, and security patches released before the service pack.

An effective patch management lifecycle

Having an effective patch management strategy in place can be the most effective tool for protecting an organisation against vulnerabilities and cyberattacks. The key is to establish a routine patch management procedure, with the aim of integrating it into standard operations.

In this cycle or procedure, there are six phases:

  1. Asset identification: Accurately identifying all IT assets and the software installed on them, as well as their existing patch status, is a complex task. However, establishing this baseline allows an IT team to make changes to the system without risks and makes it possible to return to a previous known functional state should a problem.
  2. Patch availability: The current list of available patches must next be reviewed, based on the information gained from the asset identification process. New patches can then be deployed as they are released.
  3. Applicability: Patches that are published are not always valid for all devices within an organisation. This means that it is important to check whether a specific update is suitable for the specific assets that have been deployed.
  4. Acquisition: The next step is to obtain the patch file from an official source and to check that the patch is legitimate, which is not always easy: published hashes are not common for patches related to control systems.
  5. Validation: This step is designed to ensure that the patch update won’t have a negative impact on the existing IT infrastructure. To validate the patch or update, test assets need to be used, and rollout phases followed. The validation is intended to check what implications the update could have, which could include changes to firewall policies and user settings.
  6. Rollout: The final step in an effective patch management process is the rollout of the validated patches to each appropriate device. The process should use update files as well as installation instructions for IT teams to ensure the process is carried out effectively and in line with manufacturer requirements.
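To make the six phases concrete, here is a small Python model of the lifecycle as an added example (it is not code from the article or from WatchGuard). It takes an asset baseline (phase 1) and a patch list (phase 2), works out which patches apply to which device by product and version (phase 3), checks a downloaded patch file against a vendor-published SHA-256 digest before it is trusted (phase 4), and produces a fleet-wide rollout order, most severe security fixes first (the prioritisation needed for phases 5 and 6). The inventory, the patch catalogue, the product names, the patch ids and the digests are all constructed for the example; dotted numeric version strings are assumed.

```python
"""Toy model of phases 1-6 of the patch lifecycle described above.

Added illustration only: the inventory, patch catalogue, product names,
patch ids and digests are all constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:                      # phase 1: one row of the asset baseline
    hostname: str
    product: str
    version: str                  # currently installed version


@dataclass(frozen=True)
class Patch:                      # phase 2: one entry from the vendor's patch list
    patch_id: str
    product: str
    version: str                  # version the patch brings the product to
    kind: str                     # "security" or "feature"
    severity: str                 # vendor severity rating
    sha256: str                   # digest published by the vendor


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption); '2.10.0' sorts after '2.9.0'."""
    return tuple(int(part) for part in version.split("."))


def applicable_patches(assets: List[Asset], patches: List[Patch]) -> Dict[str, List[Patch]]:
    """Phase 3: for each asset, the patches for its product that it has not yet
    reached, ordered with the most severe security fixes first."""
    plan: Dict[str, List[Patch]] = {}
    for asset in assets:
        needed = [
            p for p in patches
            if p.product == asset.product
            and parse_version(asset.version) < parse_version(p.version)
        ]
        needed.sort(key=lambda p: (SEVERITY_RANK.get(p.severity, 9), p.kind != "security", p.patch_id))
        plan[asset.hostname] = needed
    return plan


def verify_patch_file(data: bytes, expected_sha256: str) -> bool:
    """Phase 4: the downloaded file must match the digest published out of band.
    A mismatch means a corrupted or tampered download; do not deploy it."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def fleet_priority(plan: Dict[str, List[Patch]], patches: List[Patch]) -> List[Tuple[str, int]]:
    """Phase 6 input: fleet-wide rollout order as (patch_id, hosts_affected),
    most severe first, then the patch that closes the gap on the most hosts."""
    by_id = {p.patch_id: p for p in patches}
    counts: Dict[str, int] = {}
    for needed in plan.values():
        for p in needed:
            counts[p.patch_id] = counts.get(p.patch_id, 0) + 1
    return sorted(
        counts.items(),
        key=lambda item: (SEVERITY_RANK.get(by_id[item[0]].severity, 9), -item[1], item[0]),
    )


# --- constructed sample data (stands in for a real inventory and vendor feed) ---
PATCH_FILE = b"constructed patch payload for ExampleServer 2.4.0"   # the "download"
PATCH_SHA256 = hashlib.sha256(PATCH_FILE).hexdigest()              # the "published digest"

ASSETS = [
    Asset("web-01", "ExampleServer", "2.3.1"),
    Asset("web-02", "ExampleServer", "2.4.0"),
    Asset("db-01", "ExampleDB", "10.1.0"),
]
PATCHES = [
    Patch("ES-SEC-001", "ExampleServer", "2.4.0", "security", "critical", PATCH_SHA256),
    Patch("ES-FP-002", "ExampleServer", "2.5.0", "feature", "low", "0" * 64),
    Patch("DB-SEC-003", "ExampleDB", "10.2.0", "security", "high", "0" * 64),
]

if __name__ == "__main__":
    plan = applicable_patches(ASSETS, PATCHES)
    for host, needed in plan.items():
        print(host, [p.patch_id for p in needed])
    print("rollout order:", fleet_priority(plan, PATCHES))
    print("download verified:", verify_patch_file(PATCH_FILE, PATCH_SHA256))
    print("tampered download verified:", verify_patch_file(PATCH_FILE + b"\x00", PATCH_SHA256))
```

Two points of the lifecycle show up directly in the code: the applicability check only schedules a patch for devices that are actually behind it, so web-02, already at 2.4.0, is not offered the critical fix it already has; and the digest comparison uses a constant-time compare and rejects a download that differs by a single byte, which is the check the acquisition phase is asking for wherever a vendor publishes hashes.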

By having such a structured approach to patch management, an organisation can be sure its IT infrastructure is operating at peak performance and is protected from all known vulnerabilities. Make a full review of your patch management process your next priority.

Mark Sinclair is Regional Director for Australia and New Zealand at WatchGuard Technologies where he is responsible for expanding the company’s regional market presence, overseeing new revenue opportunities, and managing local customer and partner relationships. He has more than 20 years’ IT sales and channel partner experience and previously worked at Oracle as ANZ Commercial Sales Programs & Strategic Director. Prior, he spent ten years at Trend Micro in several sales positions, including as Commercial Sales Director for Australia and New Zealand. He also previously worked at Tenix and Baltimore Technologies.