A Non-Technical Look at Patch Management (Part 1 of 2) - WST

At 10-D Security, we perform a lot of vulnerability scans. An internal vulnerability scan is an essential part of helping our clients identify if their patch management (or vulnerability management) process is working. The resulting reports are detailed, technical, and have a lot of numbers. But what does it all mean? Understanding the testing results enough to know whether there is a problem can sometimes be challenging for management responsible for overseeing the process. Join us for the first of a two-part series on the fundamentals of patch management.

Let’s start by quickly reviewing what patch or vulnerability management does for an organization. Servers, workstations, laptops, and even printers and firewalls, all run software. Periodically, vendors release updates or “patches” for software. These code updates often fix security issues that have been discovered and applying these updates quickly and consistently is an essential part of keeping a network secure. The problem is that this is easier said than done! Let's look at an example of a simple network:

40 workstations or laptops each running:
• Windows
• An average of 10 different apps (Microsoft Word, browser, messaging application, security software, etc.)
• Various other software designed to make the hardware function correctly
5 servers, each running:
• Windows
• An average of 10 different server apps (databases, line of business software, management apps, etc.)
20 miscellaneous network devices, such as printers, copiers, network hardware, firewalls, etc. Each of these has embedded software called firmware that must be updated as well.

The math shows that even in a small, relatively simple network, an administrator likely has almost 500 different apps to keep updated. Microsoft releases patches at least monthly, with emergency patches occasionally released in addition to these. Other vendors release patches as needed, sometimes with little notification, meaning that sometimes network admins need to go out and look for them.

Once updates are released, administrators need to:

Review patches and test them to ensure they won’t cause any issues
Approve and apply patches on the relevant systems
Follow up and see what systems may not have received the patch

After those issues are resolved, it is often time to look at applying the next round of updates...and so the cycle starts over again.

To be fair, there is software to assist with this. But even automated patch management software needs babysitting, and there are plenty of moving parts. Computers will be computers after all, and things don’t always work right.

Unfortunately, the difficulties don’t change the fact that applying patches and updates is critical to keeping your systems secure. Unpatched vulnerabilities are often a way for attackers to gain a foothold in your network. How do you know if patches are being applied correctly?

An internal vulnerability scan or assessment is a baseline security test that allows you to see what updates and patches may be missing on your network. But as mentioned above, these reports can be long, technical, and difficult to interpret if you are not a seasoned network administrator.

Next week, we will take a look at how you can interpret scan summary results to know what is a “good” scan result, and what may be a “not so good” scan result. Stay tuned!

Authored by: Jeremy Johnson, OSCP, CISSP