How to make sure patch management occurs throughout your organization, from the server team to outsourced infrastructure.
There is a saying in the dental industry: "dentistry is not expensive, neglect is." Oh how true that is! So many of us forget to go to that six-month dental checkup, and when we do finally arrive we're always surprised if we have issues with our teeth.
Proper hygiene in the cyber security world is no different. When you properly plan (dentist visits), deploy tools (floss, brush, mouthwash), manage (floss, brush and use mouthwash frequently) and remediate issues, there is a good chance your audit or assessment (dental visit) will come up relatively clean. In terms of your security program, if you are that one person who wants to hang on to that Microsoft Windows NT 4.0 system, for which mainstream support ended in 2002, you are going to have issues. From a security standpoint, applying basic hygiene (i.e., patches) mitigates vulnerabilities and significantly reduces the opportunities for malicious actors to begin exploitation. Many identified vulnerabilities can be resolved through a comprehensive, systematic approach to patching and configuration changes.
Patch management (hygiene) is not an uncommon challenge for organizations. I have observed that the typical reason for an inefficient patch management program is a staffing problem, not a technical problem. Ironically, many organizations have the technology (toothbrushes, floss, etc.) to deploy a significant number of the patches required, but they lack the engineering cycles (laziness, or responsibility that is not budgeted or assigned) to consistently identify and execute on the patches that need to be deployed.
Basic security hygiene needs to occur throughout your entire organization and encompass everything from the server, end-user computing, networking and software development teams to any outsourced infrastructure, whether it takes the form of SaaS, PaaS, IaaS or similar.
To put this into perspective, according to the National Vulnerability Database (NVD), which is the U.S. government repository of standards-based vulnerability management data, 7,937 vulnerabilities were reported in 2014 and in 2013 the number was 5,186. That is a staggering 53 percent increase year over year.
In addition, basic hygiene begins with some excellent advice from the National Institute of Standards and Technology (NIST), which says that organizations need to carefully consider the relevant issues related to timing, prioritization and testing when planning and executing their enterprise patch management processes.
An organization can help itself immensely by first keeping up to date with issues. So starting today, add monitoring security alerts to your daily routine of reading the local newspaper and drinking your morning coffee.
A few sources you should subscribe to for help with your security management:
- The SANS @RISK Consensus Security Alert newsletter provides in-depth analysis of the latest vulnerabilities, including remediation instructions.
- US-CERT offers mailing lists and feeds for a variety of products, including the National Cyber Awareness System and Current Activity updates.
- The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
- CVE® International is free for public use and is a dictionary of publicly known information security vulnerabilities and exposures.
According to the recommendations of regulations, standards and frameworks such as ISO 27001, HIPAA and PCI-DSS 3.1, high-risk vulnerabilities should be remediated within a reasonable time frame. PCI-DSS 3.1 has the most clearly defined requirement, with a deadline of remediation within 30 days from the time of discovery, and I would echo this suggestion for any organization.
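The NIST advice on timing and prioritization above, combined with the 30-day remediation deadline just described, only helps if someone is actually tracking each discovered vulnerability against its due date. The following is an added example, not code from the original post, that turns the two points into a small overdue-finding tracker: each finding gets a remediation window by severity, and anything unpatched past its window is reported, most overdue first. The 30-day window for high-risk findings is the PCI-DSS 3.1 figure the post cites; the 60- and 90-day windows for medium and low, the host names and the CVE-style identifiers are all constructed placeholders and not from the post or any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation window per severity, in days from discovery.
# "high" = 30 days is the PCI-DSS 3.1 deadline the post cites.
# "medium" and "low" are ASSUMED placeholders; substitute your own policy.
REMEDIATION_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    host: str         # asset the scanner reported the issue on
    cve_id: str       # identifier from the NVD/CVE feed (placeholders below)
    severity: str     # "high", "medium" or "low"
    discovered: date  # date the scanner first reported the finding
    patched: bool = False


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def due_date(finding):
    """Deadline by which this finding must be remediated."""
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[finding.severity])


def days_late(finding, as_of):
    """Days past the deadline (negative means still within the window)."""
    return (_as_date(as_of) - due_date(finding)).days


def overdue(findings, as_of):
    """Unpatched findings whose deadline has passed, earliest deadline first."""
    today = _as_date(as_of)
    late = [f for f in findings if not f.patched and today > due_date(f)]
    return sorted(late, key=lambda f: (due_date(f), f.host))


def report(findings, as_of):
    """Human-readable lines, one per overdue finding, for the daily review."""
    return [
        f"{f.host}: {f.cve_id} ({f.severity}) due {due_date(f)}, "
        f"{days_late(f, as_of)} days overdue"
        for f in overdue(findings, as_of)
    ]


# Constructed sample scan results. Hosts and identifiers are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-PLACEHOLDER-1", "high", date(2015, 5, 1)),
    Finding("web-02", "CVE-PLACEHOLDER-2", "high", date(2015, 6, 10)),
    Finding("db-01", "CVE-PLACEHOLDER-3", "medium", date(2015, 3, 15)),
    Finding("file-01", "CVE-PLACEHOLDER-4", "low", date(2015, 1, 2), patched=True),
    Finding("file-02", "CVE-PLACEHOLDER-5", "low", date(2015, 1, 2)),
]

if __name__ == "__main__":
    # Run the daily check for a constructed "today".
    for line in report(SAMPLE, "2015-06-30"):
        print(line)
```

Run as a script it lists three overdue findings for the constructed date; the patched finding and the high-risk finding still inside its 30-day window are omitted. Feeding it your real scanner export in place of `SAMPLE` gives the daily list the post suggests reviewing alongside the security alert feeds.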