Patch management essentials

Patch management is one of the drudge jobs that CISOs have to assign their teams to do, but it is a basic hygiene tool that helps lower cyber security risk.

Belgium-based security researcher Koen Van Impe reminded infosec pros of that this week in a blog post detailing the need to patch Apache Struts, an open source framework for building Java web applications that runs on Windows and Linux systems. The patch fixes CVE-2017-5638, a vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the web server by sending a crafted Content-Type header to an application that uses the framework's Jakarta multipart parser.

Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable, so the fix recommended by Apache is to upgrade to Struts 2.3.32 or Struts 2.5.10.1. One caveat for anyone running that inventory check: Struts ships as a library bundled inside each application's deployment archive rather than as an operating-system package, so finding every affected instance means checking what each application was built with, not just the OS patch level.

Which brings us to proper patch management. As Van Impe notes, the days of overseeing the process with spreadsheets are long gone. Today enterprise administrators can choose from a wide range of automated patch management products from major vendors (Microsoft, IBM, BMC, Oracle) and mid-size vendors (SolarWinds, LANDesk, ManageEngine, Shavlik Technologies, RingMaster, GFI and Secunia).

Van Impe also reminds admins that fixing, and validating, everything as soon as a patch is released isn't practical given all the other things the security team has to do. “Define what is important to your business and assess the potential impact of system downtime,” he advises.

“You should also take into account the actual severity of a vulnerability. There are a number of scoring mechanisms that you can use to calculate the severity, such as the Common Vulnerability Scoring System (CVSS). Every organization must determine its thresholds for prioritizing a patch cycle. An organization might declare, for example, that everything above CVSS 8.0 must be patched within one week.”
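Putting the affected version ranges above together with a CVSS-driven patch deadline, here is an added Python example; it is not code from the article or from Van Impe's post. The version ranges are the ones the article states. The SLA tiers other than "above CVSS 8.0 within one week", the halved deadline for business-critical hosts, the CVSS score, the release date and the host inventory are all assumptions made for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Affected ranges as stated in the article: 2.3.x before 2.3.32 and
# 2.5.x before 2.5.10.1. Keyed by (major, minor) branch -> first fixed version.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Assumed patch SLA, highest tier first: (score must exceed, days allowed).
# The first tier mirrors the "above CVSS 8.0 within one week" example; the
# other tiers and the default are invented for the demo.
POLICY = [(8.0, 7), (4.0, 30)]
DEFAULT_DAYS = 90

# Constructed inputs for the example (assumed values, not taken from the article).
CVSS_SCORE = 10.0
RELEASED = date(2017, 3, 6)


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1). Parsing stops at the first piece
    that does not start with a digit, so '2.3.31-SNAPSHOT' -> (2, 3, 31)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def struts_vulnerable(version):
    """True when the version is in a branch named by the advisory and is older
    than that branch's fixed release. Tuple comparison gets the awkward case
    right: (2, 5, 10) < (2, 5, 10, 1) because a shorter prefix sorts first."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False  # branch not covered by the advisory; nothing to say about it
    return parsed < fixed


def patch_deadline(cvss, released, business_critical=False):
    """Due date under the assumed SLA; business-critical hosts get half the time."""
    days = DEFAULT_DAYS
    for min_score, allowed in POLICY:
        if cvss > min_score:
            days = allowed
            break
    if business_critical:
        days = max(1, days // 2)
    return released + timedelta(days=days)


@dataclass
class Host:
    name: str
    struts_version: str
    business_critical: bool


# Constructed inventory for the example, not real hosts.
INVENTORY = [
    Host("web-01", "2.3.31", business_critical=True),
    Host("web-02", "2.3.32", business_critical=False),
    Host("api-01", "2.5.10", business_critical=False),
    Host("api-02", "2.5.10.1", business_critical=True),
    Host("legacy-01", "2.3.24.1", business_critical=False),
]


def triage(hosts, cvss, released):
    """Vulnerable hosts with their patch deadline, earliest deadline first."""
    work = [
        (h.name, h.struts_version, patch_deadline(cvss, released, h.business_critical))
        for h in hosts
        if struts_vulnerable(h.struts_version)
    ]
    return sorted(work, key=lambda item: item[2])


if __name__ == "__main__":
    for name, version, due in triage(INVENTORY, CVSS_SCORE, RELEASED):
        print(f"{name:10} Struts {version:9} patch by {due.isoformat()}")
```

The point of the tuple comparison is the 2.5.10 versus 2.5.10.1 boundary: a naive string comparison or a three-part version parser would either miss 2.5.10 or wrongly flag the fixed 2.5.10.1 release.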

Patchmanagement.org, which runs a mailing list for security pros to discuss patch related issues, also points out in a guide to essentials that change management is vital to every stage of the patch management process. “As with all system modifications, patches and updates must be performed and tracked through the change management system. It is highly unlikely that an enterprise-scale patch management program can be successful without proper integration with the change management system and organization.”

For CISOs who don't have a mature patch management process, I found two resources. Start with the U.S. National Institute of Standards and Technology (NIST) guide to enterprise patch management technologies (SP 800-40 Revision 3). It has a useful section on questions admins should ask in order to develop useful metrics, such as the minimum/average/maximum time to apply patches to X percent of hosts, and what cost savings the organization has achieved through its patch management processes.
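The time-to-patch metric from the NIST guide is easy to state and easy to get subtly wrong, so here is an added Python example, not code from the article or from NIST, that computes it over a small set of patch cycles and also lists the hosts that blew a given SLA. The patch cycles, the per-host dates and the report date are constructed sample data, not real records.

```python
import math
from datetime import date, timedelta
from statistics import mean

# Constructed sample data, not real patch records: for each patch cycle, the
# vendor release date and the date each host actually received the patch
# (None = still unpatched when the report was run).
CYCLES = {
    "2017-01-db": {
        "released": date(2017, 1, 10),
        "applied": {"web-01": date(2017, 1, 12), "web-02": date(2017, 1, 12),
                    "api-01": date(2017, 1, 12), "api-02": date(2017, 1, 12),
                    "legacy-01": date(2017, 1, 12)},
    },
    "2017-02-os": {
        "released": date(2017, 2, 14),
        "applied": {"web-01": date(2017, 2, 15), "web-02": date(2017, 2, 15),
                    "api-01": date(2017, 2, 20), "api-02": date(2017, 2, 21),
                    "legacy-01": date(2017, 2, 28)},
    },
    "2017-03-struts": {
        "released": date(2017, 3, 6),
        "applied": {"web-01": date(2017, 3, 7), "web-02": date(2017, 3, 8),
                    "api-01": date(2017, 3, 9), "api-02": date(2017, 3, 9),
                    "legacy-01": None},
    },
}
TODAY = date(2017, 3, 20)  # assumed report date


def days_to_cover(cycle, percent):
    """Days from release until `percent` of hosts had the patch, or None if
    that coverage was never reached. Patched hosts are sorted by date, so the
    answer is the date on which the k-th host was done, where k is the number
    of hosts needed to reach the target (rounded up, never down)."""
    applied = cycle["applied"]
    needed = math.ceil(len(applied) * percent / 100)
    if needed == 0:
        return 0
    dates = sorted(d for d in applied.values() if d is not None)
    if len(dates) < needed:
        return None
    return (dates[needed - 1] - cycle["released"]).days


def coverage_metrics(cycles, percent):
    """Min/average/max days to reach `percent` coverage across the cycles that
    reached it, plus the names of cycles that never did. Cycles that never got
    there are reported separately rather than silently dropped or counted as 0."""
    reached, missed = [], []
    for name, cycle in cycles.items():
        days = days_to_cover(cycle, percent)
        if days is None:
            missed.append(name)
        else:
            reached.append(days)
    if not reached:
        return {"min": None, "avg": None, "max": None, "missed": missed}
    return {"min": min(reached), "avg": mean(reached), "max": max(reached), "missed": missed}


def overdue_hosts(cycle, sla_days, today):
    """Hosts patched after the SLA deadline, or still unpatched once it has passed."""
    deadline = cycle["released"] + timedelta(days=sla_days)
    late = []
    for host, applied in cycle["applied"].items():
        if applied is None:
            if today > deadline:
                late.append(host)
        elif applied > deadline:
            late.append(host)
    return sorted(late)


if __name__ == "__main__":
    for pct in (80, 100):
        print(f"{pct}% coverage:", coverage_metrics(CYCLES, pct))
    for name, cycle in CYCLES.items():
        print(name, "overdue against a 7-day SLA:", overdue_hosts(cycle, 7, TODAY))
```

Two details matter in practice. Rounding the host count up means "80 per cent of five hosts" requires four, not three. And a cycle that never reaches the target has to be reported as such; averaging only the cycles that finished makes the program look better than it is.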

Then look at the SANS Institute’s framework for building a comprehensive enterprise patch management program. “A successful framework includes policy, asset inventory control, risk management, standardization, and metrics,” it points out.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com