Posted by Dewight F. Kramer, Information Security Consultant, UCD. It should be no surprise that patching, both operating systems and applications, is arguably one of the best things that can be done for increasing cybersecurity. The Verizon 2015 Data Breach Investigation Report stated:
“99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.”
Also, eight of the top ten exploits for 2014, which accounted for almost 97% of the exploits observed that year, were over a decade old. This is not to suggest that newer vulnerabilities don’t require attention – they absolutely do! But with all of the competing priorities in information security and information technology, a mature patch management program offers one of the biggest returns on investment for improving information security.
It should also be no surprise that UC’s Electronic Information Security Policy (IS-3) requires that:
…personnel should, in a timely manner, update versions of the operating system and application software… (See section III.C.2c.iv., Patch management)
So, what can be done to comply with policy and get the biggest return on the effort and money invested? So much! But before jumping to random actions, let’s take a strategic look at improving the maturity of a patch management program. The Capability Maturity Model has five levels. Here is a simplified mapping of those levels to aspects of a patch management program.
- Initial/ad hoc – Using sneaker-net (literally running around) to manage updates.
- Repeatable/documented – Develop a reliably repeatable way to identify devices and the software on those devices. Know what needs what patches… Inventory and endpoint management!
- Defined/standards – Define a change management process for patch management and automate it where possible.
- Managed/reports – Determine key metrics and create dashboard reports to demonstrate proactive compliance and drive necessary remediation efforts.
- Optimizing/improvement – Look for where the patch management process can be improved and integrated with other processes.
This is an overly simplistic list, even for a high-level review of patch management, but it illustrates that instead of just starting to patch the devices you happen to work with, you should step back and get the lay of the land. Identify what devices there are and what patches need to be considered; develop processes appropriate for the environment that incorporate risk and tie into related processes such as configuration, change and vulnerability management; automate the processes where possible and take advantage of tools, including endpoint managers, configuration servers and update servers. Determine key metrics and use the same tools to create dashboards that give insight into the state and health of the environment. Finally, look to continuously improve the process.
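As an added illustration (not part of the original post) of the Repeatable and Managed levels above, the Python below takes a constructed inventory and patch list and computes the kind of key metrics a dashboard would show: which hosts still need which patches, the compliance rate, and how many missing patches address CVEs that are already more than a year old, the window the Verizon figure quoted above is about. Host names, software versions and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample data (not from the original post): what is installed on
# each host, and which patches exist for which vulnerable software versions.
INVENTORY = {
    "web-01": {"openssl": "1.0.1e", "bash": "4.3-7"},
    "web-02": {"openssl": "1.0.1u", "bash": "4.3-7"},
    "db-01": {"openssl": "1.0.1u", "bash": "4.3-11"},
}
# Each available patch: software, vulnerable versions it fixes, and the date
# the associated CVE was published (placeholder values, not real advisories).
PATCHES = [
    {"id": "P-001", "software": "openssl", "vulnerable": {"1.0.1e"}, "published": date(2014, 4, 7)},
    {"id": "P-002", "software": "bash", "vulnerable": {"4.3-7"}, "published": date(2014, 9, 24)},
]
REPORT_DATE = date(2015, 10, 1)  # constructed "today" for the report

def missing_patches(inventory, patches):
    """Repeatable level: map each host to the patch ids it still needs."""
    result = {}
    for host, software in inventory.items():
        needed = [p["id"] for p in patches
                  if software.get(p["software"]) in p["vulnerable"]]
        result[host] = needed
    return result

def patch_metrics(inventory, patches, today, stale_days=365):
    """Managed level: compliance rate, stale exposure and the hosts to fix first."""
    missing = missing_patches(inventory, patches)
    by_id = {p["id"]: p for p in patches}
    compliant = sum(1 for needed in missing.values() if not needed)
    stale = 0  # missing patches whose CVE is older than the threshold
    for needed in missing.values():
        for pid in needed:
            if (today - by_id[pid]["published"]).days > stale_days:
                stale += 1
    return {
        "hosts_total": len(inventory),
        "hosts_compliant": compliant,
        "compliance_pct": round(100.0 * compliant / len(inventory), 1),
        "stale_missing": stale,
        "worst_hosts": sorted(missing, key=lambda h: -len(missing[h]))[:3],
    }

if __name__ == "__main__":
    print(patch_metrics(INVENTORY, PATCHES, REPORT_DATE))
```

Feeding the same functions data exported from an endpoint manager or update server turns this into the dashboard input the Managed level calls for.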
There are several tools that can help with a patch management program, and they all have their pros and cons. One general-purpose option is an endpoint management tool. There are also several publications that can help develop and improve a patch management program, for example NIST Special Publication 800-40 (Revisions 2 and 3). Review a few white papers, and hopefully you will be inspired!
Image credit: Mark Deamer, UC Davis