9 Top Patch Management Practices for Businesses Security

I've spent most of the past decade in information security, with a pretty big focus on incident response. It never ceases to amaze me how many security incidents (pronounced hacks) customers suffer as a result of unpatched systems. Patch management is not an art form; it's an underappreciated and often ignored part of what should be daily care and feeding of your infrastructure. Here are the nine best patch management practices I've learned over the years:

If your patch management strategy depends upon manual effort, you're doing it wrong. Only the smallest businesses can handle patching by hand. You need a system that can deploy patches to all your systems; workstations and servers.

Automating doesn't mean ignoring. You should be able to see the state of your patch management at any point in time and know exactly which systems are in need of attention.

I lump these two together because they are two sides of the same coin. You need to test your patches; you may also need to roll them back. Good patch management includes both; testing things meticulously, and being able to roll back if the testing missed something.

The operating systems vendors do a pretty good job of making patching a no-brainer operation. It's the third party apps that tend to bite a lot of customers when they aren't looking. Make certain your patch management covers the apps that didn't come with your operating system.

I once worked an incident that ended up costing close to US $100K in down time, remediation, reporting and consumer credit monitoring. The server that was hacked was vulnerable because it was missing a patch. The patch was missing because the system owner wouldn't approve any downtime for patching –therefore no one ever got around to applying a critical patch for a known vulnerability. The hack happened almost a year to the day after the patch was made available. No system should be without a monthly maintenance window, and allowance must be made for emergency patches for zero-day issues.

Don't overlook your hardware. Whether it's your network routers and switches, your wireless access points, or firmware versions on your laptop BIOS, make sure your patch management efforts keep up with the updates for these critical parts of your infrastructure.

Run quarterly audits of those reports, and inspect a random sampling of servers, workstations, and network gear to be sure your patch management solution is being applied appropriately.

Any new system; server, workstation, or infrastructure, should be fully patched before it gets to production. New updates come out monthly and there is no excuse for a brand new system to be plugged in while vulnerable. Patch management is an ongoing process.

It may not sound like it's a part of patch management, but it will help you find new systems that need patching, and others that fall out of compliance. Run regular vulnerability scans against both your internal and external network to help identify new issues as they arise. Schedule them to run at least weekly, compare each new report to the last one, and investigate deltas immediately.

Including these nine best practices in your patch management strategy will help to minimize your risks, reduce your attack surface, and ensure complete compliance with security policy. Patch management is every bit as critical as change management, and requires a lot less paperwork.

All product and company names herein may be trademarks of their respective owners.