Follow GFI:
Find us on Facebook Follow us on Twitter Find us on Linkedin Subscribe to our RSS Feed Find us on YouTube Find us on Google+
 

Top 3 Patch Management Do’s and Don’ts

on March 28, 2011

A successful patch management process is a critical part of any network, no matter how many or how few systems you are maintaining. There are a few key things you should include to maximize the effectiveness of your patching process, and a few key things that can really cause you problems. Here are the top three in each category.

The top three Patch Management Do’s

1)      Do deploy a system that can patch more than just the operating system
Consider all the third party apps and plugins, like PDF readers, media players and codecs, browser plugins, and more that are on all of your systems. Adobe, Apple, and others release patches several times a year, and many times these are in response to exploits already in the wild. Manually updating Flash on every workstation you have could cost more than the price of a patch management system, and you will need to update Flash more than once a year.

2)      Do test patches before deploying them
While every vendor does everything they can to test patches before releasing them to customers, it is impossible to test every single possible combination of software, configuration, and option that could be in the wild. Too many times has a patch been deployed, only to break a mission critical function. Have a set of test servers and workstations, and make sure you QA any patches before you deploy them. VMs that you can snapshot and revert are great for this.

3)      Do establish regular maintenance windows for patching
I once worked for an organization that needed the CIOs of seven different divisions to all agree on a maintenance window. If any one of the seven had something else to do on a planned maintenance weekend, the maintenance got postponed. It took a year before we could implement the upgrade that took less than an hour, because they would never approve a 2AM Sunday morning window because something else might be going on. The point is, patching must take priority, and having a regularly scheduled window that supersedes other concerns helps make sure you can get systems patched.

The top three Patch Management Don’ts

1)      Don’t assume you will hear about issues before they are a problem

Subscribe your IT distribution list to the security advisories for every vendor you use. Add their RSS feeds to your reader. Follow security related accounts on Twitter. When a zero day exploit hits, you want to know about it ASAP.

2)      Don’t assume your systems are patched

Whichever system you use, make sure you check the reports and verify that the patches you pushed were successfully deployed to all systems. Running security scans after that is another great way to confirm that all your systems were successfully updated. And don’t forget about those users who work remotely. They need to be patched too, and might not connect to your internal network often.

3)      Don’t use a solution that only patches the operating system
Setting every system to update automatically is better than nothing. Using WSUS helps you centralize your patching, and creates some great reports. And while the price is hard to beat, you get what you pay for. Patching only the operating system and Office products leaves many third party apps unpatched, and that may lead to a system to be exploited. This may sound a lot like the first DO, but it is that important, and worth repeating.

If you follow the first three points, and mind the last three, you are well on your way to deploying a successful patch management strategy that will help secure your systems, and your job.

If you want to implement a network security scanning and patch management tool, GFI LANguard is your own ‘Virtual Security Consultant’. Download your free thirty-day trial.

About the Author:

Ed Fisher is an information systems manager and blogger at several sites including his own site, http://retrohack.com. An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) he has been getting my geek on full-time since 1993, and has worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from point A to B, he’s your guy. He is like "The Transporter," but for data, and without the car; and with a little more hair.

submit to reddit
 
Comments
Jack Eastman March 28, 20119:24 pm

I can’t tell you how important Do #3 is. I spent 5 years working with a vendor for a very high-demand client, and our scheduling team could never get their apps working because a simple patch to their software was postponed for, no joke, over a year. Maybe it’s inconvenient at times, but the temporary loss of productivity is easily made up over time when you patch critical bugs or errors.

Tana George March 28, 20119:32 pm

We often forget that the technical aspects of patching are just a drop in the sea, compared to all the bureaucracy that goes with it. Your story about the 7 gods that had all to agree on a patch window reminds me how inflexible organizations are. And if something goes wrong, it makes no sense to explain that the reason is that the patch couldn’t be done on time due to bureaucratic rules.

Ed Fisher March 31, 201111:10 pm

Hi Jack,
Glad to hear I am not alone in that…it seems so obvious, yet almost every time I go somewhere new, it’s a new concept to them.
Ed

Ed Fisher March 31, 201111:14 pm

Tana
I like how you changed CIOs to gods…I guess you worked there too! And you’re spot on; every time one of them questioned why a project was still not done, it came back to the fact that without the maintenance window, we couldn’t put in the upgrade necessary to proceed. Come maintenance window time, they would still not approve!
Ed