A working patch management process is a critical part of any network, no matter how many or how few systems you maintain. A few practices make a patching process far more effective, and a few mistakes can cause you real problems. Here are the top three in each category.
The top three Patch Management Do’s
1) Do deploy a system that can patch more than just the operating system
Consider all the third-party apps and plugins on your systems: PDF readers, media players and codecs, browser plugins, and more. Adobe, Apple, and others release patches several times a year, often in response to exploits already in the wild. Manually updating Flash on every workstation you own could easily cost more in staff time than a patch management system, and you will need to update Flash more than once a year.
2) Do test patches before deploying them
Vendors test patches before releasing them to customers, but it is impossible to test every combination of software, configuration, and options that exists in the wild. Too many times a patch has been deployed only to break a mission-critical function. Keep a set of test servers and workstations that mirror your production builds, and QA every patch there before you deploy it. VMs that you can snapshot and revert are ideal for this: apply the patch, run your checks, and roll back if something breaks.
3) Do establish regular maintenance windows for patching
I once worked for an organization that needed the CIOs of seven different divisions to all agree on a maintenance window. If any one of the seven had something else to do on a planned maintenance weekend, the maintenance got postponed. It took a year before we could implement the upgrade that took less than an hour, because they would never approve a 2AM Sunday morning window because something else might be going on. The point is, patching must take priority, and having a regularly scheduled window that supersedes other concerns helps make sure you can get systems patched.
The top three Patch Management Don’ts
1) Don’t assume you will hear about issues before they are a problem
Subscribe your IT distribution list to the security advisories for every vendor whose software you run. Add their RSS feeds to your reader. Follow security-related accounts on Twitter. When a zero-day exploit hits, you want to know about it as soon as possible, and you want to know which of your systems it affects.
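Reading every vendor feed by hand does not scale, and most items in those feeds concern products you do not run. The script below, an added example written for this article rather than a tool from any of the vendors named above, parses an RSS 2.0 advisory feed, keeps only the items that name a product in your inventory, and pushes the ones that mention exploitation in the wild to the top. The feed text, the product names, the host counts and the urgency phrases are all constructed assumptions; the structure is what a typical vendor feed looks like.

```python
"""Triage vendor security-advisory feeds against a software inventory.

Added illustration for this article, not code from any vendor or product.
SAMPLE_FEED is a constructed RSS 2.0 fragment; INVENTORY and URGENT_PATTERNS
are assumptions you would replace with your own data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three items of the kind a vendor advisory feed publishes.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Vendor Security Advisories</title>
    <item>
      <title>Security update for Example PDF Reader 11.x</title>
      <description>Fixes a memory corruption issue. Reports indicate the
      issue is being exploited in the wild in limited, targeted attacks.</description>
      <pubDate>Tue, 08 May 2012 17:00:00 GMT</pubDate>
      <link>https://vendor.example/advisory/0001</link>
    </item>
    <item>
      <title>Example Media Player 10 update</title>
      <description>Addresses several stability issues.</description>
      <pubDate>Mon, 07 May 2012 12:00:00 GMT</pubDate>
      <link>https://vendor.example/advisory/0002</link>
    </item>
    <item>
      <title>Security update for Example Office Suite</title>
      <description>Resolves a privilege escalation vulnerability.</description>
      <pubDate>Sun, 06 May 2012 09:00:00 GMT</pubDate>
      <link>https://vendor.example/advisory/0003</link>
    </item>
  </channel>
</rss>
"""

# Assumed inventory: product name -> number of managed hosts running it.
INVENTORY = {
    "Example PDF Reader": 412,
    "Example Media Player": 57,
}

# Phrases that usually mean the window to patch calmly has already closed.
URGENT_PATTERNS = [
    r"exploited in the wild",
    r"zero[- ]day",
    r"actively exploited",
    r"targeted attacks",
]


def parse_feed(xml_text):
    """Return a list of {'title', 'description', 'link', 'date'} dicts from RSS 2.0.

    Feeds fetched from the network are untrusted XML: run them through
    defusedxml (or equivalent) rather than the stock parser used here.
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "description": " ".join((item.findtext("description") or "").split()),
            "link": (item.findtext("link") or "").strip(),
            "date": (item.findtext("pubDate") or "").strip(),
        })
    return items


def triage(items, inventory, urgent_patterns=URGENT_PATTERNS):
    """Keep advisories that name a product we run and mark the urgent ones.

    Returns (priority, product, hosts_affected, title, link) tuples, sorted so
    that urgent advisories for the most widely deployed products come first.
    """
    findings = []
    for it in items:
        text = f"{it['title']} {it['description']}"
        for product, host_count in inventory.items():
            if product.lower() not in text.lower():
                continue
            urgent = any(re.search(p, text, re.IGNORECASE) for p in urgent_patterns)
            priority = "urgent" if urgent else "scheduled"
            findings.append((priority, product, host_count, it["title"], it["link"]))
    findings.sort(key=lambda f: (f[0] != "urgent", -f[2]))  # urgent first, then exposure
    return findings


if __name__ == "__main__":
    for f in triage(parse_feed(SAMPLE_FEED), INVENTORY):
        print(f"[{f[0]:9}] {f[1]} on {f[2]} hosts: {f[3]} ({f[4]})")
```

Run against the sample, the PDF reader advisory comes out first as urgent (412 hosts, exploited in the wild), the media player update is scheduled, and the office-suite item is dropped because nothing in the inventory matches it. Substring matching on product names is deliberately crude; the point is to filter on what you actually run, not to replace reading the advisory.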
2) Don’t assume your systems are patched
Whichever system you use, check its reports and verify that the patches you pushed were actually installed on every system; "pushed" is not the same as "installed". Running a vulnerability scan afterwards is an independent way to confirm that the updates took. And don't forget users who work remotely. Their machines need patching too, and because they may rarely connect to your internal network they can silently drop out of your reports.
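A patch report is only useful if someone reconciles it against what should be there. The script below is an added example written for this article, not output from WSUS or any other product: it reads a constructed per-host export, flags hosts missing any required OS patch, flags third-party applications below an assumed patched baseline (the point of the first Do), and flags hosts that have not checked in recently, which is how remote workers show up as "patched" when nobody has actually seen them. The CSV layout, the KB identifiers, the version baselines and the 14-day staleness threshold are all assumptions.

```python
"""Reconcile what the patch system says it pushed with what hosts report.

Added illustration for this article, not code or output from any product.
REPORT_CSV is a constructed export; REQUIRED_OS_PATCHES, MIN_APP_VERSIONS and
STALE_AFTER are assumed values you would replace with your own.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: one row per host from an assumed patch-management report.
REPORT_CSV = """hostname,location,last_checkin,os_patches_installed,pdf_reader_version,browser_plugin_version
ws-001,office,2012-05-09,KB1001;KB1002;KB1003,11.0.2,11.2.202
ws-002,office,2012-05-09,KB1001;KB1003,11.0.2,11.2.202
ws-003,remote,2012-03-20,KB1001,10.1.0,11.1.102
srv-db1,datacenter,2012-05-08,KB1001;KB1002;KB1003,,
lt-044,remote,2012-05-07,KB1001;KB1002;KB1003,11.0.2,11.2.202
"""

REQUIRED_OS_PATCHES = {"KB1001", "KB1002", "KB1003"}  # assumed set for this cycle
MIN_APP_VERSIONS = {                                  # assumed patched baselines
    "pdf_reader_version": "11.0.2",
    "browser_plugin_version": "11.2.202",
}
STALE_AFTER = timedelta(days=14)  # assumed: older than this and the row is not evidence


def version_tuple(v):
    """'11.2.202' -> (11, 2, 202), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def reconcile(report_csv, as_of, required=REQUIRED_OS_PATCHES,
              min_versions=MIN_APP_VERSIONS, stale_after=STALE_AFTER):
    """Return {hostname: [problems]} for every host that is not verifiably patched.

    as_of is the date the report is evaluated on, as 'YYYY-MM-DD'. A host is
    flagged for missing OS patches, for a third-party app below its baseline,
    and for not having checked in within stale_after (the remote-worker case).
    """
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d")
    problems = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        installed = set(filter(None, row["os_patches_installed"].split(";")))
        missing = sorted(required - installed)
        if missing:
            issues.append("missing OS patches: " + ", ".join(missing))
        for column, minimum in min_versions.items():
            have = row[column]
            # Empty means the app is not installed there (e.g. a database server).
            if have and version_tuple(have) < version_tuple(minimum):
                issues.append(f"{column} {have} < {minimum}")
        last_seen = datetime.strptime(row["last_checkin"], "%Y-%m-%d")
        if as_of_date - last_seen > stale_after:
            issues.append(f"no check-in since {row['last_checkin']}; report row is stale")
        if issues:
            problems[row["hostname"]] = issues
    return problems


if __name__ == "__main__":
    for host, issues in sorted(reconcile(REPORT_CSV, "2012-05-10").items()):
        print(host)
        for issue in issues:
            print("  -", issue)
```

Evaluated on 2012-05-10, ws-002 is missing one KB, and the remote host ws-003 is missing two KBs, runs old versions of both third-party apps, and has not reported in for seven weeks, so nothing in its row can be trusted anyway. Note the numeric version comparison: compared as strings, "11.10.0" sorts before "11.2.202", which is exactly the kind of mistake that makes a report say everything is current.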
3) Don’t use a solution that only patches the operating system
Setting every system to update automatically is better than nothing, and WSUS centralizes your patching and produces some useful reports. While the price is hard to beat, you get what you pay for: patching only the operating system and Office products leaves many third-party apps unpatched, and an unpatched third-party app can get a system exploited just as surely as an unpatched OS. This may sound a lot like the first Do, but it is that important, and worth repeating.
If you follow the three Do's and avoid the three Don'ts, you are well on your way to a patch management strategy that will help secure your systems, and your job.