In the last post, we discussed vulnerability scanning, which will lead directly to patching most of the time. When we think of patching, we most often think of patching the operating systems on our servers and workstations, but we can’t stop there. What do you mean we can’t stop there? What else is there? Well, there are all of your network devices, IoT devices, hypervisors, and let’s not forget about all of those wonderful applications! So how exactly do we go about patching all of these?
Patching in a Windows environment
In a Windows environment, you can use WSUS (Windows Server Update Services) to manage your patching for the low, low cost of free. Another option for pushing out updates is PDQ Deploy, which offers a free version that will push out patches and other software packages. However, in my opinion, it’s best to spend the money for a true patch management system that will report on failed patch installations and provide reports so you can identify what is out of date on each endpoint.
Patching in a Linux environment
For Linux patching there are a few patch management solutions; however, they can be pricey. Consider using Ansible or Salt and running your own patch management solution. For network devices, many vendors offer a sign-up option for email notification when new patches are released. This makes it easy to know when you need to patch. After that, it’s simply a matter of updating your devices, after you make a backup of their configurations first, of course! I’ve created a video showing you how to set up Ansible and automate patching on both Linux and Windows hosts. You can find that video here.
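As an added illustration (not taken from the original post or the video), here is what a self-run Ansible patch job for both Linux and Windows hosts can look like. The inventory group names `linux` and `windows` are assumptions, as is having the `ansible.windows` collection installed and WinRM or SSH connectivity to the Windows hosts already configured.

```yaml
# Added example playbook. "linux" and "windows" are assumed inventory groups.
- name: Patch Linux hosts
  hosts: linux
  become: true
  serial: "25%"   # patch in batches so a bad update does not hit every host at once
  tasks:
    - name: Apply all pending updates (Debian/Ubuntu)
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      when: ansible_facts['os_family'] == 'Debian'

    - name: Apply all pending updates (RHEL family)
      ansible.builtin.dnf:
        name: "*"
        state: latest
      when: ansible_facts['os_family'] == 'RedHat'

    # Debian/Ubuntu drop this flag file when a kernel or core library update
    # needs a restart. An equivalent check for the RHEL family is not shown.
    - name: Check whether a reboot is pending
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_flag

    - name: Reboot only when the flag file exists
      ansible.builtin.reboot:
        reboot_timeout: 900
      when: reboot_flag.stat.exists

- name: Patch Windows hosts
  hosts: windows
  tasks:
    - name: Install security and critical updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: true
      register: win_result

    # Per-host summary, so failed installations are visible in the run output.
    - name: Report installed and failed update counts
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: installed={{ win_result.installed_update_count }},
          failed={{ win_result.failed_update_count }}
```

Running it with `ansible-playbook --check` first previews which hosts would change; hosts that fail any task are listed in the play recap at the end of the run.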
Don’t forget about third-party application patching
Now let’s talk about third-party applications, such as Java, Adobe, and browsers. These types of applications must be patched as well. This is where a patch management system shines as it will be able to report on out-of-date installations, and you can then automate the patch updates and run reports to verify successful patching.
Keep in mind, patching workstations is extremely important and not to be taken lightly, especially those which leave your office and travel. Vulnerable third-party applications and plugins can leave our out-of-office users at a heightened level of exposure, allowing their computers to become compromised. Then, once those devices make it back on the network, the attackers already have an inside foothold.
Hopefully, everyone understands just how important patching is. In larger environments, a patch management system is going to be the best option. It’s also a good idea to keep up with InfoSec news so you know sooner rather than later when new serious vulnerabilities are discovered and patched, ensuring you keep your infrastructure secure!
You may need to get management’s buy-in to purchase security solutions, such as a patch management product. Keep in mind, a Cost-Benefit Analysis (CBA) may come in handy when trying to get approval for funding. IBM publishes an annual “Cost of a Data Breach Study”, and in 2018, the average cost of a data breach was $3.86 million. It was broken down to $148 per individual record. Those figures, along with all the breaches in the news, may help you to gain the necessary funding. Good luck!