In the wake of the recent Equifax data breach, as well as the WannaCry and Petya ransomware attacks, patch management should be high on your radar. Applying software updates and patches is a critical security precaution, as we detailed in our recent blog post, “Why Patch Management Matters Now More Than Ever.” But how should your organization prioritize patching in a multilayered approach to data safety?
Patch management involves appropriate planning, so you don’t introduce unintended problems. Here are five tips on how to apply and execute a patching program.
1. Apply patches regularly.
Popular applications such as Java, Adobe Flash, Adobe Acrobat, Microsoft applications and the Windows operating system need regular updates. You can handle this via Windows Update Services from a Microsoft server, or via another third-party application. For UNIX/Linux systems, you can use Chef, Puppet or a third-party tool like Lumension.
2. Rate your patching.
Look at the criticality of the patches to your business and operations. If you can’t patch an item, then you have to weigh the business risk of exploitation against the benefit of continuing to use the application. If there are patches available, consider the risk that the patch might break a process. Have a plan to revert if necessary.
3. Decommission older legacy systems.
Even if there’s only one legacy application that needs an older OS, plan to replace or migrate the host system. A vulnerable server could expose hundreds or thousands of passwords and be used to access and steal files from mapped drives.
4. Review custom and specialty applications.
If you use in-house created or customized applications from a vendor, find someone who can review the code for known vulnerabilities.
5. Harden the host operating systems.
Review and follow online guidance available for server operating systems:
Windows:https://technet.microsoft.com/en-us/library/cc526440.aspx
Linux/UNIX:https://www.sans.org/score/checklists/linux
MacOS:https://www.apple.com/support/security/guides/
Practical advice for organizations of all sizes
Large organizations first test new patches before committing them to systems that run critical business processes. Smaller organizations don’t have the resources, so the best advice is to back up your systems to prevent a patch from doing something that knocks a critical system offline or triggers a data loss. That means backing up not just the data, but the applications, so you can quickly restore the ability to access the data.
While a patch that corrupts something is uncommon, backing up the data is prudent (and a mandate, really) to protect against sudden hardware failures and all the other unforeseen events that jeopardize the continuity of the business.
How ESET can help
ESET offers a multi-platform patch management solution — Flexera Corporate Software Inspector — as part of our suite of security solutions for an adaptive security architecture. It gives you complete visibility over the patch status of your systems, provides guidance so your teams know what to patch and how, and covers more than 20,000 applications on Windows, MacOS and Red Hat Enterprise Linux.
Portions of this post were adapted from “Vulnerabilities, exploits and patches,” by ESET Senior Research Fellow David Harley, published on our sister site WeLiveSecurity.