Patching operating systems and applications is a critical security function. All software contains vulnerabilities, and cybercriminals use these flaws to attack systems using malicious code. Patching a system protects against malware attacks that exploit these vulnerabilities. The Australian Signals Directorate (ASD) has included Patching Operating Systems and Patching Applications in their Essential 8 strategies. The ASD recommend that extreme risk vulnerabilities be patched within 48 hours, as once vulnerabilities are made public, cybercriminals are likely to quickly develop malware that takes advantage of the flaw. An extreme risk vulnerability might be a remote code execution that affects critical business systems. When we talk about patching operating systems and applications we often only think of client and server systems, but it’s important to also consider operating system and firmware updates of network devices.
Many companies apply security patches to their desktop and server operating systems but not applications that are widely used and whose flaws are targeted, such as Acrobat Reader and Chrome. In a Windows environment, patching applications is often overlooked because built in update mechanisms such as Windows Update and server tools like Windows Server Update Services (WSUS) are designed to update Microsoft only products. Successful patching of common desktop applications will almost certainly involve investing in a third party tool to manage the deployment of the updates. Ideally this tool should integrate with existing operating system update tools like WSUS or Systems Center Configuration Manager (SCCM), but it may replace their functionality completely.
For businesses without server infrastructure and perhaps using Office 365 and other SAAS offerings, implementing a cloud based update tool is a must. Many businesses without server infrastructure have no way of centrally managing updates and even knowing if a computer is being patched successfully. A good patch management product will ensure that updates to the operating system and applications are deployed in a consistent manner. Visibility is key and any patching software implemented will need a robust reporting capability. It should be immediately clear where you’re at and what needs to be done. For instance, how many systems are missing a critical security patch?
Ensure that you also understand when the vendor regularly releases updates (like Microsoft's Patch Tuesday) and are alerted when a critical update is released. This normally involves subscribing to a vendor email notification service, some patching tools also include built in security news and notifications, meaning that all patching information is in one place and the information supplied is summarised in a simple to understand format. This of course means that somebody needs to be responsible for managing the patching review and update process. This doesn’t necessarily have to be someone internal to the business, and could be managed by an external resource.
Patching systems can be time consuming and for this reason is often overlooked, putting a business at risk. Modern patching tools certainly make life easier and are well worth considering if you’re struggling with tools such as WSUS. If you don’t have in-house expertise, outsourcing the patching function to specialists is well worth considering. They will already have robust patching tools in place, have the expertise to troubleshoot update issues and be able to provide you with regular patch status reports.
Colin has over 20 years consulting experience working with organisations ranging from small business to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft based technology solutions, disaster recovery implementations and information security.