Every admin knows the importance of good patch management, but not every admin knows the tips and tricks that make for a great patch management strategy. There is so much more to patching than just running Windows Updates, and in this article we’ll share with you the nine tips for great patch management to prevent your network from having vulnerabilities.
1. Stay informed
You can’t fix it if you don’t know it’s broken, so staying informed is the right place to start. Subscribe to the security and patch bulletins from your operating system vendors and your critical application vendors. You really want to consider subscribing to a third party alert like the ones offered by SANS, Bugtraq, or others so you are aware of vulnerabilities even when there aren’t patches yet, and also to cover the smaller but no less important applications that are on your network.
2. Test your patches
I’d rather deploy an untested patch than not patch at all, but I’d really prefer to test all patches first. Whether you use a full-fledged QA environment, your DR/BCP (Disaster Recovery/ Business Continuity Plan) infrastructure, a scaled down lab running on virtualization, or just a subset of your workstations and servers, test all patches before you deploy them across the board. You want to fix problems, not
introduce new ones, and you never know when one vendor’s patch might conflict with another vendor’s app.
3. Have a regular maintenance window
Patching is critical and should not take a backseat to other activities unless absolutely necessary. By establishing and sticking to a regular monthly maintenance window, the rest of the business can plan around patching so you won’t have to worry about a business impact when patching is required. Just reserve the right to deploy emergency security patches outside that window in case a zero-day exploit is
in the wild.
4. Patch applications
This is where using a good patch management application becomes absolutely essential. Keeping up with all the third party applications installed on your servers and workstations will make manually patching those impossible, and there are new exploits for PDF readers and Flash players almost every month. Those are probably on every workstation you have, but are just the tip of the iceberg. You
probably have every admin’s favorite text editor installed on half your servers, protocol analyzers and compression tools…just because users don’t log onto it doesn’t mean you don’t have to worry about applications installed on a server.
5. Have a rollback plan
Even the best testing plan cannot cover every possible scenario and conceivable combination of other apps, specific configuration settings, and other variables, so make sure you have a way to roll back any patches you do deploy. Again, a patch management application can be a real lifesaver here by being able to install as easily as it installs any updates.
6. Use management-supported policy to ensure compliance
Patching shouldn’t be optional. Senior management must support and promote patching as an expected and required part of network management, and make it clear to all admins that it is not an optional activity.
7. Use logging and reporting to confirm compliance
Patch management applications log all their activities and can generate reports on a schedule or on demand to report on the status of the systems on your network. Use these reports to provide information to management, and also to verify that all systems on your network are up-to-date and in compliance with your patching policy.
8. Investigate discrepancies
If a report indicates that a system missed a patch, investigate it. Determine why the patch failed, and either resolve that issue, or manually apply the patch as appropriate. A good patch management application can do the heavy lifting for you, but it doesn’t mean you don’t have to do anything at all. Go a step further by spot checking systems with a vulnerability scanner to make sure you aren’t missing
anything.
Use these nine tips to help ensure you have the best, most effective patching solution which requires minimal effort from your IT admin.
Guest Post by Casper Manes
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.
All product and company names herein may be trademarks of their respective owners.
To know more about guest post rules in this blog please follow the link below.
1. Stay informed
You can’t fix it if you don’t know it’s broken, so staying informed is the right place to start. Subscribe to the security and patch bulletins from your operating system vendors and your critical application vendors. You really want to consider subscribing to a third party alert like the ones offered by SANS, Bugtraq, or others so you are aware of vulnerabilities even when there aren’t patches yet, and also to cover the smaller but no less important applications that are on your network.
2. Test your patches
I’d rather deploy an untested patch than not patch at all, but I’d really prefer to test all patches first. Whether you use a full-fledged QA environment, your DR/BCP (Disaster Recovery/ Business Continuity Plan) infrastructure, a scaled down lab running on virtualization, or just a subset of your workstations and servers, test all patches before you deploy them across the board. You want to fix problems, not
introduce new ones, and you never know when one vendor’s patch might conflict with another vendor’s app.
3. Have a regular maintenance window
Patching is critical and should not take a backseat to other activities unless absolutely necessary. By establishing and sticking to a regular monthly maintenance window, the rest of the business can plan around patching so you won’t have to worry about a business impact when patching is required. Just reserve the right to deploy emergency security patches outside that window in case a zero-day exploit is
in the wild.
4. Patch applications
This is where using a good patch management application becomes absolutely essential. Keeping up with all the third party applications installed on your servers and workstations will make manually patching those impossible, and there are new exploits for PDF readers and Flash players almost every month. Those are probably on every workstation you have, but are just the tip of the iceberg. You
probably have every admin’s favorite text editor installed on half your servers, protocol analyzers and compression tools…just because users don’t log onto it doesn’t mean you don’t have to worry about applications installed on a server.
5. Have a rollback plan
Even the best testing plan cannot cover every possible scenario and conceivable combination of other apps, specific configuration settings, and other variables, so make sure you have a way to roll back any patches you do deploy. Again, a patch management application can be a real lifesaver here by being able to install as easily as it installs any updates.
6. Use management-supported policy to ensure compliance
Patching shouldn’t be optional. Senior management must support and promote patching as an expected and required part of network management, and make it clear to all admins that it is not an optional activity.
7. Use logging and reporting to confirm compliance
Patch management applications log all their activities and can generate reports on a schedule or on demand to report on the status of the systems on your network. Use these reports to provide information to management, and also to verify that all systems on your network are up-to-date and in compliance with your patching policy.
8. Investigate discrepancies
If a report indicates that a system missed a patch, investigate it. Determine why the patch failed, and either resolve that issue, or manually apply the patch as appropriate. A good patch management application can do the heavy lifting for you, but it doesn’t mean you don’t have to do anything at all. Go a step further by spot checking systems with a vulnerability scanner to make sure you aren’t missing
anything.
Use these nine tips to help ensure you have the best, most effective patching solution which requires minimal effort from your IT admin.
Guest Post by Casper Manes
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.
All product and company names herein may be trademarks of their respective owners.
To know more about guest post rules in this blog please follow the link below.
Comments
Post a Comment