by Jessica Dore
When it comes to car maintenance, we know how to keep ourselves safe on the road: have your breaks checked at regular intervals; get an oil change as recommended by the manufacturer; and if you have a hole in your tire, get it patched before it becomes flat.
IT patches are similar in nature—essential repairs that keep your company’s infrastructure up and running safely. Without them, computers and other devices are ticking time bombs, susceptible to data breaches, viruses, and malware. Similar to a driver with a hole in their tire, IT security professionals should apply computer software patches to repair flaws and keep hackers out.
Even the most seasoned IT professionals should have a plan in place to keep up-to-date on patches and keep their IT environment safe and secure. Here are four steps to get started.
1. Define your patch process
A variety of tools are designed to help track available patches for your operating system and third-party software. These tools will help you establish how often to patch, determine how to execute patches and even deploy the patches. Windows Server Update Services is commonly used to track patches for Windows operating systems, while SolarWinds is a popular tool for third-party software patches.
In outlining your patch process, you should also determine if you plan to conduct internal and external vulnerability scans. Vulnerability scans identify bugs in software. At Rehmann, we often run both internal scans—determining potential harm a disgruntled employee could cause, and external scans, taking on the role of an outsider who could try to access devices from the perimeter.
Determining a regular cadence for patch implementation is important, too. At the very least, patches should be implemented within 30 days of their release. Major software providers, like Microsoft, offer monthly roll-outs of available patches, while other providers may release patches once per week. Again, the tool you utilize to track patches will be critical in identifying what’s available.
2. Prioritize your patches
Once your patch process has been developed, you should immediately work to identify any critical security patches. Providers will often share patches in order of importance and will even break protocol by issuing an immediate patch update for those of critical nature. Stay up-to-date on important patches and other issues top of mind in the industry by subscribing to and reading IT security publications. You may also choose to consult with an outside expert to make sure critical patches are always implemented in a timely manner.
3. Implement your patch process
With critical patches underway, it’s time to put your patch process to the test. With any new patches, it’s helpful to test them first to make sure they don’t conflict with—or even break—any other programs on the network. Many organizations have test environments designed with this process in mind. If you do not have resources to conduct a trial run with patches in a test environment, research the patch online to see what issues may have already been identified by other users. Many IT professional forums exist as well and are a great resource on all aspects of the patch process.
4. Deep-clean your IT environment
Finally, you should deep-clean your IT environment. If you have any XP systems, Server 2003 systems or other obsolete equipment, it should be removed immediately. Systems like these, which are the end of life, no longer receive patches and therefore present tremendous vulnerabilities to your entire IT infrastructure. Replacing obsolete programs can require a large monetary investment, but the system compromise that could result from not doing so is often far greater.
If you partner with an external IT provider, make sure they are conducting proper patching. Do your own spot-checking to make sure everything is as it should be, and even ask your provider for monthly reports, so you always know the status of critical patches.
This is also a good time to utilize your previously-identified vulnerability scan. You should also conduct a malware scan. While malware scans extend beyond the realm of patching, they’re another asset to address any issues that could compromise the system. Available tools will clean the malware from your system.
Hackers work hard to find vulnerabilities in the systems we rely on every day, but it is possible to get out in front of them with the right patch process in place. Roll up your sleeves, take a look at your capabilities, and chart the path forward. Once you do, you’ll be well-positioned for any potential compromises that come your way.
About the Author
Jessica Dore leads Rehmann’s Technology Risk Management Group, overseeing cyber security assessments, information security assessments, vulnerability, and penetration testing, social engineering testing, information security training and Sarbanes-Oxley Act (SOX) 404 consulting engagements for publicly-traded companies. Jessica provides information technology (IT) consulting and security services to a wide range of clients.