Security Updates Must Go Beyond Your Operating System to 3rd Party Software, Apps
Many of our clients are regulated entities in financial services and healthcare. In our ongoing concern for their cyber security in the face of increasing and evolving threats from individual and nation-state bad actors, patching security vulnerabilities in software and applications is an integral part of every cyber security program we implement. Because many companies believe that their Microsoft and Apple security updates have them covered, this post shares some additional software patch management best practices.
Religiously Install Operating System Patches – Installing operating system updates is a critical first step. A good example: the infamous WannaCry ransomware attack on Microsoft Windows affected many more computers in Europe where licensing is not as closely policed as in the U.S. Users share older Windows programs and have no access to updates and patches. So they’re vulnerable to new threats.
Because they’re frequent targets, Microsoft and Apple issue regular security patches with their updates. Computers can be set to download and install these automatically. Unfortunately, many employees turn off automatic installs because they can be disruptive. Then they forget or neglect to install them manually or to schedule a convenient install time when notified of updates. Establish and enforce policies that allow for monitoring or taking control of the patch process.
Seek and Install Third Party Software & Apps Patches – Comprehensive patch management extends to all of the programs and applications your employees use. Of particular concern are widely used third-party programs and apps like Java and Adobe that are targets for hackers. They provide their own patches and need to be updated separately from your operating system.
Some vendors notify users of updates and patches. Others require that you be proactive and seek out the latest patches. To achieve this objective, you’ll need to inventory the array of programs and applications being used within your network. We’ll be delving more deeply into inventory management in a future post.
Consider Automating the Process – Software patch management can be a complicated affair. Not only may you be dealing with a broad array of solutions, but vendors also issue patches on their own schedules, so there can almost always be a new patch coming down the pike. To make patch management more manageable, here at Soundshore Technology Group we partner with the security-automation firm ManageEngine and deploy its Desktop Central product for patch management, which gives us remote access to provide updates.
This solution keeps a database of each client’s software, monitors for patches and lets us push them out. We notify our clients and their employees when patches will be pushed out and request that they leave their computers running in order to receive them.
Scan for Vulnerabilities – If you don’t know it’s broken, you can’t fix it. In the evolving world of cyber security, threats arise that could affect your firewall and your network. Software is available – including Desktop Central mentioned earlier – that can scan your system for vulnerabilities to known threats. You can then search to see what patches are or will soon be available to mitigate the risk.
Prioritize Patching – Another benefit of scanning your system is that it will enable you to determine how vulnerable you actually are to a particular threat. Just because it makes headlines doesn’t mean that you’re at high risk of attack by the latest worm. We all have to manage our resources and they may be better focused on one vulnerability than another.
Establish a Schedule – Although you may get notifications of patches at any time, best practices demand that you establish a regular schedule of software patch management that is reasonable for your business. We recommend weekly updates, but bi-weekly or monthly make sense for some of our clients.
Patch ‘By Hand’ When Necessary to Preserve Productivity – It’s a fact of life that some patches cause their software to stop playing nicely with other programs. Some patches are best installed and set up individually to accommodate or eliminate issues.
Reboot – Many employees just never reboot their computers. They let them go into sleep mode overnight to avoid waiting for them to be ready for use in the morning. This is another item to include in your cyber security policies: regular rebooting. Many updates and patches do not take effect without a reboot. It’s an important step to enforce.
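The inventory, prioritization and reboot checks described above can be combined into one report. The following is an added example, not code from this post or from Desktop Central: it compares a software inventory against a patch baseline, flags machines where a patch was installed after the last boot, and lists hosts that a scan marked as exposed first. Product names, versions, host names and field names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed baseline: lowest version of each third-party app that carries
# the current security fixes (hypothetical products and version numbers).
BASELINE = {"ExampleReader": "21.10.2", "ExampleRuntime": "8.0.401"}

# Constructed inventory export, one record per host. "exposed" is an assumed
# field holding the vulnerability scan's verdict for that host.
INVENTORY = [
    {"host": "ws-01", "apps": {"ExampleReader": "21.9.7", "ExampleRuntime": "8.0.401"},
     "last_boot": "2024-05-01T08:00", "last_patch": "2024-05-14T02:00", "exposed": False},
    {"host": "ws-02", "apps": {"ExampleReader": "21.10.2", "ExampleRuntime": "8.0.401"},
     "last_boot": "2024-05-15T07:30", "last_patch": "2024-05-14T02:00", "exposed": False},
    {"host": "srv-01", "apps": {"ExampleRuntime": "8.0.391"},
     "last_boot": "2024-05-15T03:00", "last_patch": "2024-05-14T02:00", "exposed": True},
    {"host": "ws-03", "apps": {"ExampleReader": "21.10.2"},
     "last_boot": "2024-04-20T09:00", "last_patch": "2024-05-14T02:00", "exposed": False},
]

def vkey(version):
    """Turn '21.10.2' into (21, 10, 2) so 21.10 sorts above 21.9 (text comparison gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def outdated(apps, baseline=BASELINE):
    """Names of installed apps that are below the baseline version."""
    return sorted(n for n, v in apps.items() if n in baseline and vkey(v) < vkey(baseline[n]))

def needs_reboot(rec):
    """A patch installed after the last boot has not taken effect yet."""
    return datetime.fromisoformat(rec["last_patch"]) > datetime.fromisoformat(rec["last_boot"])

def report(inventory):
    """Hosts with findings: scan-exposed hosts first, then by number of outdated apps."""
    rows = []
    for rec in inventory:
        old, reboot = outdated(rec["apps"]), needs_reboot(rec)
        if old or reboot:
            rows.append({"host": rec["host"], "outdated": old, "reboot": reboot, "exposed": rec["exposed"]})
    return sorted(rows, key=lambda r: (not r["exposed"], -len(r["outdated"]), r["host"]))

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```

In practice the inventory and baseline would come from your patch management tool's export rather than from literals in the script.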