Do you have a patch management plan? If so, how effective is it? Many companies either lack a comprehensive plan or the tools needed to automate the processing of updates. In fact, the underlying reason many banks and credit unions fail the vulnerability testing component of their IT security audit is this lack of effective patch management.
As for the tools, many companies rely only on Windows Server Update Services (WSUS) to patch the Microsoft Windows operating system and other Microsoft software. WSUS does not patch non-Microsoft applications such as Adobe Acrobat, Adobe Flash and Adobe Shockwave, which often carry severe vulnerabilities that, if left unpatched, can lead directly to a system compromise.
Furthermore, the importance of installing critical patches on every endpoint on the network cannot be over-emphasized. While servers and desktops are easy to monitor, virtual machines might be overlooked. Laptops and removable storage devices present a special challenge: they are not always connected to the network and may therefore miss critical patches.
Implementing best practices for patch management will reduce the risk of attack to your network. Here are a few suggestions to follow:
- Only install applications that are absolutely necessary on any system. This reduces the possibility of being out of date with system updates and patches.
- Make sure third-party applications are updated with all current patches, where possible. The SANS Institute reports that applications such as Adobe’s Acrobat, Flash and Reader or Sun’s Java are commonly attacked software.
- Have a predetermined schedule for patching. Make it at least monthly, if not more often.
- Partner with an expert. IT staff often do not have the time to stay current on the needs of every application and the growing variety of threats.
- When possible, automate.
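The two gaps the article singles out, third-party software that WSUS never touches and devices such as laptops that drift off the network and miss a patch cycle, are exactly what a patch-compliance report should surface. The following is an added example written for this page, not code from the original article or from any vendor tool: it takes a constructed software inventory, compares installed versions of the named third-party applications against a baseline of minimum patched versions, and flags any host that has not checked in within the monthly patching window the article recommends. The application names come from the article; the version numbers, host names and the 30-day window are assumed placeholder values.

```python
"""Patch-compliance report (added example, not from the original page).

Flags hosts running third-party software below a minimum patched version,
and hosts that have not checked in within the patching window, so that
offline laptops are reported as "patch state unknown" rather than silently
assumed compliant.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed minimum patched versions. These are constructed placeholder
# values for illustration, not real vendor release numbers.
BASELINE = {
    "Adobe Acrobat": "23.1.0",
    "Adobe Flash": "32.0.0",
    "Adobe Shockwave": "12.3.5",
    "Java": "8.0.401",
}

# The article recommends patching at least monthly; a host not seen for
# longer than this has missed at least one cycle.
PATCH_WINDOW = timedelta(days=30)


def parse_version(v: str) -> tuple:
    """Turn '23.1.0' into (23, 1, 0) so versions compare numerically.
    A plain string comparison would rank '9.0' above '10.0'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is strictly below the baseline."""
    return parse_version(installed) < parse_version(minimum)


@dataclass
class Host:
    name: str
    last_seen: datetime
    software: dict = field(default_factory=dict)  # app name -> installed version


def audit(hosts, baseline, now, window=PATCH_WINDOW):
    """Return {hostname: [findings]} for every non-compliant host.

    A host appears in the result if it is stale (not seen within `window`)
    or if any baselined application is installed below its minimum version.
    Applications not installed on a host are not findings.
    """
    findings = {}
    for h in hosts:
        issues = []
        age = now - h.last_seen
        if age > window:
            issues.append(f"not seen for {age.days} days; patch state unknown")
        for app, minimum in baseline.items():
            installed = h.software.get(app)
            if installed is not None and is_outdated(installed, minimum):
                issues.append(f"{app} {installed} < required {minimum}")
        if issues:
            findings[h.name] = issues
    return findings


# Constructed sample inventory: one compliant server, one desktop with an
# outdated Acrobat, and one laptop that has been off the network for 45 days.
NOW = datetime(2024, 3, 1)
SAMPLE_HOSTS = [
    Host("fileserver01", NOW - timedelta(days=1),
         {"Adobe Acrobat": "23.1.0", "Java": "8.0.401"}),
    Host("desktop-17", NOW - timedelta(days=3),
         {"Adobe Acrobat": "22.3.1", "Adobe Flash": "32.0.0"}),
    Host("laptop-ceo", NOW - timedelta(days=45),
         {"Adobe Acrobat": "23.1.0", "Java": "8.0.321"}),
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_HOSTS, BASELINE, NOW).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

In a real deployment the inventory would come from an endpoint agent or an installed-software export rather than a hard-coded list, but the check itself stays the same: compare against a baseline the team maintains, and treat "has not reported in" as a finding in its own right, not as a pass.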
You need an effective patch management strategy that incorporates at least these best practices. Relying on Microsoft’s WSUS and “occasional” patching when time allows will not provide sufficient coverage to protect your organization.