Patch management often presents conflicting demands on IT organizations charged with ensuring system security while optimizing system reliability and integrity. Because the time between discovering a system vulnerability and the emergence of an attack is declining, IT organizations are under pressure to apply patches before adequate testing, and without system downtime. A sound patch management strategy is a critical part of any secure enterprise. Baseline the Environment: Developing any patch management plan begins with a firm understanding of the current enterprise. Data must be gathered on the configuration of every server, workstation, and network component in the system. Such data is necessary when evaluating the risk and therefore the necessity of particular patches. This baselining may be performed as part of a larger configuration management and risk assessment effort. Although data may be gathered manually, automated tools exist which will do the same work while also keeping the data current. Vulnerability scans can be used to discover services that should be removed or disabled. Once data is gathered, machines should be brought to the same benchmark security risk level. For servers, an assessment must also be made of their criticality to the enterprise. Change control documents and procedures should be developed, particularly if server hardware and operating system maintenance is performed by one group while software application maintenance is performed by another. Identify, Evaluate, and Plan: Keeping current with system updates and patches can be overwhelming. Not only are there often many, but decisions about which are critical, which are merely useful, and which are unnecessary or even potentially harmful, must be made quickly. Automated tools can make the identification and evaluation stage easier by monitoring the current patch status of the server or workstation (or scanning it on demand) and comparing the status with the ideal configuration for the system, producing recommendations for patch installation. Perform Test Deployment: Before deploying patches to the wider enterprise, deployment should be conducted in a test environment that mirrors the production environment. At a minimum the environment should represent all critical applications, and ideally, all enterprise platforms. If replication of the production hardware is not possible, at least patch compatibility with operating systems and applications should be tested. Test deployment should begin with the least critical servers first. Deploy and Report: New tools for patch distribution can greatly simplify deployment. Tools such as the Microsoft Systems Update Services audit the enterprise, download patches from a central database, and manage their installation. They may also analyze dependencies and provide rollback features. Patches can be advertised, downloaded, and installed by clients according to security settings determined by a group security policy. Such solutions exist for Windows as well as UNIX/LINUX systems; cross-platform patch management solutions are also available for heterogeneous enterprises. Enterprises without these tools can use login scripts or place patches on intranet sites for users to install themselves. Patching of mission-critical servers should be done manually during off-peak hours in case recovery is necessary. |
