
Security Think Tank: Key coping strategies for effective patch management

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?

In the world of technology, there is no shortcut to security patching – it is simply something that needs to be done, and needs to be done in a timely way.

There are obstacles, of course, one of which is the use of legacy systems and applications, where a security patch to an operating system may cause a malfunction in a legacy application.

Other obstacles include an eclectic mix of patch notification regimes – from the automatic, for example Microsoft Windows Server Update Services (WSUS), to the manual, such as checking a supplier’s website and downloading available patch material.

If patching software were not enough, updating firmware should not be forgotten. Question when you last updated the firmware in your company’s Ethernet switches, printers, Wi-Fi units, IP cameras, and so on. 

What can an organisation do to ease the burden?

The first recommendation is to ensure that regular backups of the IT estate are taken. In this way, you can take the “patch and be damned” approach.

This works well where you have an automatic patching regime in place, for example Microsoft’s WSUS set to automatically deploy critical patches. But even here you need a procedure to check the WSUS console to initiate deployment of non-critical and recommended patches, unless a decision has been taken to automatically deploy those patches as well.

What can be done about non-Microsoft products?

What we have done, and recommend our bigger clients do, is to install and regularly run security scanning tools, such as Nessus from Tenable. Providing the latest vulnerability modules have been loaded, they will identify software that requires security patching, as well as provide source information for the patch(es).

But note that only devices that are switched on and connected to the network will be scanned, which means road warriors will need to be diarised to connect their laptop to the network on a regular basis and at set times. 

We recommend running such tools a day or so after a Microsoft Patch Tuesday. Such a regime – automatic patching plus vulnerability scanning – will reduce the effort and have a significant positive impact on the security posture of the organisation.

For small to medium-sized enterprises (SMEs), which typically do not have a large and diverse IT estate, the main recommendation is maintaining an asset register of all installed software that details not only what, when and where the software is installed, but also when licences need renewing, when support runs out, where patch information can be obtained, any supplemental information (such as dependence on other pieces of software or automatically updated) and a note of when patches were last installed.
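As an added illustration (not code from the article or its author), the register described above can be kept as a simple structured list and reviewed automatically against the Patch Tuesday timing recommended earlier: entries that are not self-updating and show no patch since the most recent Patch Tuesday, or whose support has ended or is about to, are flagged. The products, hosts and dates below are constructed for illustration, and the 90-day support warning is an assumed threshold.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:  # one row of the register
    name: str
    host: str
    installed: date
    support_ends: date | None  # None when the supplier has not published a date
    patch_source: str          # where patch information is obtained
    auto_updated: bool         # True when the product updates itself (e.g. via WSUS)
    last_patched: date | None  # None when no patch has ever been applied

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular patch release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Monday == 0
    return first_tuesday + timedelta(days=7)

def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before today."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    prev = today.replace(day=1) - timedelta(days=1)  # last day of the previous month
    return patch_tuesday(prev.year, prev.month)

def review_register(register: list[Asset], today: date, warn_days: int = 90) -> list[tuple[str, str, str]]:
    """Return (name, host, issue) for every register entry that needs attention."""
    cutoff = latest_patch_tuesday(today)
    findings = []
    for a in register:
        if a.support_ends is not None and a.support_ends <= today:
            findings.append((a.name, a.host, "support has ended"))
        elif a.support_ends is not None and (a.support_ends - today).days <= warn_days:
            findings.append((a.name, a.host, f"support ends within {warn_days} days"))
        # Self-updating products are trusted; anything else must show a patch since the last Patch Tuesday.
        if not a.auto_updated and (a.last_patched is None or a.last_patched < cutoff):
            findings.append((a.name, a.host, f"no patch recorded since {cutoff.isoformat()}"))
    return findings

# Constructed sample register: names, hosts and dates are illustrative only.
SAMPLE_REGISTER = [
    Asset("Windows Server", "srv-01", date(2022, 1, 10), date(2029, 1, 9), "WSUS", True, date(2024, 3, 13)),
    Asset("Accounts package", "fin-02", date(2019, 5, 1), date(2024, 5, 31), "supplier portal", False, date(2024, 2, 14)),
    Asset("Core switch firmware", "sw-core", date(2018, 9, 3), date(2023, 12, 31), "supplier website", False, None),
    Asset("Endpoint agent", "lt-road-07", date(2023, 6, 1), None, "self-updating", True, date(2023, 11, 1)),
]
if __name__ == "__main__":
    print(review_register(SAMPLE_REGISTER, date(2024, 3, 20)))
```

Run on the constructed register with a review date of 20 March 2024, it reports the accounts package (support ending, not patched since 12 March) and the switch firmware (support ended, never patched), while the WSUS-managed server and the self-updating agent produce no findings.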

While this might sound like a burden, it is not, because once the register has been set up, it will reduce the effort in maintaining the IT estate and help in gaining Cyber Essentials accreditation.

Organisations that outsource their IT, including SMEs, should ensure that the contract details the requirements for information and cyber security, including patching, frequency, auditing and reporting.

The equivalent of an “over to you gov” clause is not sufficient. Remember that while an organisation can outsource the management of security, it cannot outsource the responsibility for it. In the end, it is the organisation and its senior management and board who are accountable for legal, contractual and regulatory compliance. 
