Symantec's annual "Internet Security Threat Report" highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?
Patching is a prevention measure that protects systems from unauthorized users, malware or errors that adversely affect normal processes. Products such as Microsoft Office, antivirus, network devices, Linux and Windows servers, midrange computing, and large mainframes all need security patching, program temporary fixes or updates. Updates are different from patches, but it's helpful to discuss them since some updates not only provide enhancements to products but may also eliminate errors and possible vulnerabilities. Security patching can be automated but many organizations choose to selectively patch due to limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.
Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to maintain current patches within 30 days of patch notices. However, a significant number of companies do not consider patching a priority until the vulnerability has been exploited and results in an outage or breach, or until it's required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify critical missing patches and give enterprises a clearer picture of their patch management.
Security patching can and should be done by system administrators, but security teams may be in charge of monitoring critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the installation's change control procedures.
In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:
- Outline a vulnerability and patching policy that defines how the enterprise identifies vulnerabilities, the roles and responsibilities for patching activities, the sources used to identify vulnerabilities and the sources used to identify the patches they require;
- Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
- Keep current the patch management software that automatically keeps desktops, laptops and remote users up to date with the latest security patches and software updates;
- Subscribe to an alerting service -- typically from vendors for software requiring patches -- that will supply information of new vulnerabilities and associated patches; and
- If the enterprise is subject to PCI DSS, make sure it meets PCI DSS requirement 6.2, which requires applicable vendor-supplied security patches to be installed on all system components and software within one month of release.
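The 30-day window above (and the one-month window of PCI DSS requirement 6.2) is easiest to enforce when someone can see, at any moment, which patches have already breached it and which are about to. The script below is an added example, not code from the article or its author; it assumes a constructed inventory of host/patch records (placeholder advisory ids and hostnames, a fixed "today") with each patch's vendor release date, scanner severity and install date if applied, and it buckets them against the window so a patching committee can prioritize overdue critical items first and assessors can see late installs as well as missing ones.

```python
"""Patch-window compliance check.

Added example, not code from the article or its author. It assumes a
constructed inventory of (host, patch) records with the vendor's release
date, a severity from the scanner, and the install date if the patch has
been applied. It reports which patches have breached the 30-day window the
article describes (PCI DSS requirement 6.2's one-month window is the same
length) and which are about to, ordered so critical items come first.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 30   # patch window from the article (and PCI DSS 6.2's one month)
WARN_DAYS = 7   # assumption: flag patches with a week or less of window left
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str                  # vendor advisory id (placeholders below are constructed)
    severity: str                  # as rated by the vendor or vulnerability scanner
    released: date                 # vendor release date; the window clock starts here
    installed_on: Optional[date]   # None means the patch has not been applied yet


def days_outstanding(rec: PatchRecord, today: date) -> int:
    """Days the patch was (or still is) outstanding: release to install, or to today."""
    end = rec.installed_on if rec.installed_on is not None else today
    return (end - rec.released).days


def classify(rec: PatchRecord, today: date,
             sla_days: int = SLA_DAYS, warn_days: int = WARN_DAYS) -> str:
    """Bucket a record against the patch window.

    compliant: installed within the window     late:     installed after the window
    overdue:   missing, window has passed      due_soon: missing, <= warn_days left
    open:      missing, plenty of window left
    """
    age = days_outstanding(rec, today)
    if rec.installed_on is not None:
        return "compliant" if age <= sla_days else "late"
    if age > sla_days:
        return "overdue"
    if age > sla_days - warn_days:
        return "due_soon"
    return "open"


def sla_report(records: List[PatchRecord], today: date) -> Dict[str, List[PatchRecord]]:
    """Group records by bucket; within a bucket, critical first, then oldest first."""
    buckets: Dict[str, List[PatchRecord]] = {}
    for rec in records:
        buckets.setdefault(classify(rec, today), []).append(rec)
    for recs in buckets.values():
        recs.sort(key=lambda r: (SEVERITY_RANK.get(r.severity, 99), -days_outstanding(r, today)))
    return buckets


def hosts_with_overdue(records: List[PatchRecord], today: date) -> List[str]:
    """Hosts carrying at least one patch past the window: the committee's first agenda item."""
    return sorted({r.host for r in records if classify(r, today) == "overdue"})


def compliance_rate(records: List[PatchRecord], today: date) -> float:
    """Fraction of records that have not breached the window (installed in time or still inside it)."""
    if not records:
        return 1.0
    ok = sum(1 for r in records if classify(r, today) in ("compliant", "open", "due_soon"))
    return ok / len(records)


# Constructed sample inventory; advisory ids and hosts are placeholders, not real identifiers.
TODAY = date(2024, 6, 30)   # fixed "today" so the example is deterministic
SAMPLE = [
    PatchRecord("web-01", "VENDOR-2024-001", "critical", date(2024, 5, 1), None),
    PatchRecord("web-01", "VENDOR-2024-007", "high",     date(2024, 6, 5), None),
    PatchRecord("db-01",  "VENDOR-2024-001", "critical", date(2024, 5, 1), date(2024, 5, 20)),
    PatchRecord("db-01",  "VENDOR-2024-003", "medium",   date(2024, 4, 1), date(2024, 5, 15)),
    PatchRecord("app-02", "VENDOR-2024-009", "low",      date(2024, 6, 20), None),
]

if __name__ == "__main__":
    report = sla_report(SAMPLE, TODAY)
    for bucket in ("overdue", "due_soon", "late", "open", "compliant"):
        for r in report.get(bucket, []):
            print(f"{bucket:9} {r.host:7} {r.patch_id:16} {r.severity:8} "
                  f"{days_outstanding(r, TODAY):3d} days")
    print(f"hosts with overdue patches: {hosts_with_overdue(SAMPLE, TODAY)}")
    print(f"within-window rate: {compliance_rate(SAMPLE, TODAY):.0%}")
```

The "late" bucket is deliberate: a patch installed on day 44 is no longer a risk, but it is still evidence of a missed window, which is what a PCI DSS assessor or the patching committee would want to see alongside the patches that are still missing. Feeding the script from a real inventory means replacing SAMPLE with records pulled from the vulnerability scanner or patch management tool.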
Security patching can be tedious and seemingly unrewarding work, but when they're kept current, patches effectively -- and without fanfare -- prevent major vulnerabilities from being exploited. However, if security patching is neglected, eventually it will result in expensive interruptions that will require remediation resources after a breach or outage.
Related Q&A from Mike O. Villegas