Security Patch Management
What is a patch?
Patches are additional pieces of code developed to address problems (commonly called "bugs") in software. A patch may add functionality or fix a security flaw in a program. Vulnerabilities are flaws that a malicious entity can exploit to gain greater access or privileges on a computer system than it is authorized to have. Not every vulnerability has a corresponding patch, so system administrators must track not only the vulnerabilities that apply to their systems and the patches available for them, but also other methods of remediation (for example, device or network configuration changes, or employee training) that limit the exposure of systems to vulnerabilities that remain unpatched.
Why is patching important?
Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of any system. Even so, failure to keep operating system and application software patched is one of the most common problems identified by security and IT professionals. New patches are released almost daily, and even experienced system administrators find it difficult to keep abreast of all of them and to deploy them correctly and promptly.
Most major attacks in the past few years have targeted known vulnerabilities for which patches existed before the outbreak. Indeed, attackers have been known to reverse engineer a patch within days or even hours of its release, identify the vulnerability it fixes, and develop and release exploit code. The period immediately after a patch is released is therefore particularly dangerous for most organizations: obtaining, testing, and deploying the patch takes time, and during that window the vulnerability is public but still present on unpatched systems.
Does patching solve every problem?
Patching is indeed the way to mitigate many well-known vulnerabilities. However, many other vulnerabilities cannot be fixed simply by updating to the latest product version, because they stem from configuration, design, or operational weaknesses rather than from a defect the vendor has corrected. Product updates themselves may require system parameters to be tweaked and reconfigured, and may introduce new vulnerabilities. Vulnerability management was born of the need to intelligently prioritize and fix discovered vulnerabilities, whether by patching or by other means.
So if you are busy every Patch Tuesday rolling out the latest Microsoft patches but do nothing to eliminate non-patch-related vulnerabilities during the rest of the month, you are not managing your vulnerabilities adequately.
Vulnerability management alone does not fix vulnerabilities. Patch and configuration management can assist in doing so, and antivirus software seeks to block or eliminate identified malware. Simply stated, vulnerability management helps managers understand their network assets, identify weaknesses, measure the effectiveness of security controls, enforce policy, and assess the success of remediation efforts. [IT Security Interview, Chris Butler 2007]
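The prioritization step described in the last two sections, as an added example that is not code from the original page or from the cited interview: it matches a small, constructed asset inventory against a list of known issues, decides for each finding whether the remedy is a vendor patch, a configuration workaround, or isolation pending a fix (the "other means" above), and ranks the findings by severity, exposure, public exploit availability, and how long the issue has been public. The product names, version numbers, issue identifiers, score weights, and the inventory itself are all hypothetical.

```python
"""Vulnerability-management triage over a constructed asset inventory.

Every product, version, issue ID and score weight below is hypothetical;
the weights are a plausible starting point, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                  # hypothetical tracking ID, not a real CVE
    product: str
    fixed_version: Optional[str]  # first version containing the fix; None = no vendor patch
    severity: float               # CVSS-style base score, 0.0 - 10.0
    disclosed: date               # date the issue (and any patch) became public
    workaround: Optional[str]     # non-patch remediation such as a config change
    exploit_public: bool          # exploit code is known to be circulating


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    action: str
    exposure_days: int
    priority: float


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple: '2.4.9' -> (2, 4, 9)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, vuln: Vulnerability) -> bool:
    """An asset is affected when it runs the product below the fixed version.
    Assumption: an issue with no vendor patch affects every shipped version."""
    if asset.product != vuln.product:
        return False
    if vuln.fixed_version is None:
        return True
    return parse_version(asset.version) < parse_version(vuln.fixed_version)


def remediation(vuln: Vulnerability) -> str:
    """Choose the remedy: patch if one exists, else a workaround, else containment."""
    if vuln.fixed_version is not None:
        return f"patch {vuln.product} to {vuln.fixed_version}"
    if vuln.workaround:
        return f"no patch; apply workaround: {vuln.workaround}"
    return "no patch or workaround; isolate host and track vendor"


def exposure_days(vuln: Vulnerability, today: date) -> int:
    """Days the issue has been public (the window attackers work in)."""
    return max(0, (today - vuln.disclosed).days)


def priority(asset: Asset, vuln: Vulnerability, today: date) -> float:
    """Severity plus exposure adjustments (hypothetical weights).
    Internet-facing hosts and public exploits each add 2 points; every month the
    issue has been public adds 1 point, capped at 3, so old unfixed issues still
    rise to the top even without a public exploit."""
    score = vuln.severity
    if asset.internet_facing:
        score += 2.0
    if vuln.exploit_public:
        score += 2.0
    score += min(exposure_days(vuln, today) / 30.0, 3.0)
    return round(score, 1)


def triage(assets: List[Asset], vulns: List[Vulnerability], today: date) -> List[Finding]:
    """Return one finding per affected (asset, vulnerability) pair, highest priority first."""
    findings = [
        Finding(asset.name, vuln.vuln_id, remediation(vuln),
                exposure_days(vuln, today), priority(asset, vuln, today))
        for asset in assets
        for vuln in vulns
        if is_affected(asset, vuln)
    ]
    findings.sort(key=lambda f: (-f.priority, f.asset, f.vuln_id))
    return findings


# Constructed sample data; none of these products or issues is real.
TODAY = date(2024, 6, 1)
VULNS = [
    Vulnerability("EX-001", "webfront", "2.4.10", 9.8, date(2024, 5, 25), None, True),
    Vulnerability("EX-002", "dbcore", "11.3", 7.5, date(2024, 2, 1),
                  "disable the remote admin listener", False),
    Vulnerability("EX-003", "relayagent", None, 6.5, date(2024, 5, 1),
                  "restrict TCP/9000 to the management subnet", False),
    Vulnerability("EX-004", "vpngw", None, 8.0, date(2024, 5, 20), None, True),
]
ASSETS = [
    Asset("web-01", "webfront", "2.4.9", True),
    Asset("web-02", "webfront", "2.4.10", True),   # already patched, no finding
    Asset("db-01", "dbcore", "11.2", False),
    Asset("relay-01", "relayagent", "3.0.1", False),
    Asset("vpn-01", "vpngw", "5.1", True),
]

if __name__ == "__main__":
    for f in triage(ASSETS, VULNS, TODAY):
        print(f"{f.priority:5.1f}  {f.asset:9} {f.vuln_id}  exposed {f.exposure_days:3d}d  {f.action}")
```

Run as-is it prints the four open findings in priority order; web-02 produces none because it already runs the fixed version. The point of the ranking is the one the text makes: the unpatched issue on the internet-facing VPN gateway outranks the patchable database issue even though the latter has been public for months, and the finding with no patch and no workaround is still a tracked item with an action, not something that drops off the list because Patch Tuesday cannot fix it.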