Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4 Steps For Trimming Patch Management Time

The heat is on to protect your systems from the newest exploits; here's a look at how to speed up patching without causing problems

Special to Dark Reading

The time it takes hackers to exploit a vulnerability continues to shrink. While there's not a lot you can do to speed up the time it takes vendors to develop and distribute a patch, there are reasonable and prudent measures that can reduce the amount of time it takes to deploy it. Yet expediting the patch process remains one of the key factors in mitigating risk and remediating vulnerabilities.

How much time can -- or should -- you trim from the process, and what are the benefits and risks of speeding up patch deployment? Depending on the nature of systems, resources, and configurations, the answer to that question will vary from organization to organization, and often among data centers and operational groups within organizations.

There are steps you can take to whittle away at patch deployment time and without introducing the risks -- some of them potentially catastrophic, such as system or network downtime -- of deploying patches too quickly. Testing every patch, for instance, takes time, but undoing the unwanted effects of an untested patch -- a router patch, for instance, that crashes your router -- takes far more time. Make sure, as well, that the vendor has tested the patch that's being released: A few years ago, Microsoft scrambled to patch an Internet Explorer bug that fixed one vulnerability but opened up another one. Keep an eye on the news as you're keeping an eye on your test beds: Flawed patches tend to get attention quickly.

Following are four simple steps that can save time while increasing the likelihood of effective and untroubled patch deployment.

1. Level the patching field.

Not all systems or configurations are created equal, with some of the most critical bringing their own time requirements and timing factors into the patch process. Scheduling a patch deployment for the PCs in your accounting and bookkeeping departments is less disruptive than finding a convenient time to patch the Exchange Server that your entire business depends on to generate the money the bookkeepers are tracking.

Having a solid and ongoing sense of your organization's systems and configurations, most critical and less-than-critical apps, and, above all, the level of risk that vulnerabilities carry is perhaps the most important step you can take to prioritize your patching process, moving the most likely exploited vulnerabilities to the head of the patch list, which buys you time in the scheduling of less-critical patches. A critical Windows server patch, for instance, would rank as a high-priority patch over patching an application used by just one department.

"An effective patch priority strategy follows the lines of disaster recovery and business continuity planning," says Ranny Grubb, CTO at Virtual IT. "Patch prioritizing requires applying the most effort toward the applications that your business is most reliant on for continued operation."

Grubb suggests that patch scheduling and timing match the level of risk the vulnerable application poses. "Be aware of where your most significant exposure lies, which is most frequently on the perimeter, where your systems meet the Internet," he says. "Internal applications, which are not accessed, externally are important, but not as time-critical in terms of patching as those exposed to the larger world."

Time-saver: Develop a patch priority list based on business criticality: Your business continuity/disaster recovery plan is a good starting place for establishing a hierarchy of patch deployments that will see the most critical exposures patched first, with lower risk or lower exposure vulnerabilities patched on a less fast-paced (and, ironically, less time-consuming) schedule.

2. Know which systems impose their own patch schedule.

Not all systems or configurations are created equal, either, with some of the most critical bringing their own time requirements and timing factors into the patch process. Does deploying a patch require a reboot of affected systems? Does patch deployment and vulnerability remediation call for taking down a critical server or other component?

By knowing in advance that server A, for example, is down for regular maintenance for a certain amount of time every week (or other period), you also know in advance the likeliest and most efficient time to deploy a necessary patch.

This information itself can exert advantageous ripple effects throughout your overall patch process and efforts to reduce patch deployment time. In "The Laws of Vulnerabilities 2.0," Qualys CTO Wolfgang Kandek notes that, "Remediation may not be possible on all systems, such as those with criticality or uptime constraints. Consequently, IT administrators should segment their systems into fast patch and slow patch pools and review the possibility of using mitigating technologies for protecting the slower patch pools. The existence of a fast patch pool has the additional benefit of gathering additional in-house experience related to the application of the patch and its potential side effects."

In other words, while you're waiting to patch one system, use your resources to patch others.

Time-saver: Maintain a list of critical systems' regular maintenance and planned downtime schedules, and plan patch deployment accordingly, dealing with other more readily available systems in the meantime. Review and update system maintenance schedules (and their effect on other schedules) on a regular basis.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16404
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17400
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
CVE-2019-17498
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
CVE-2019-16969
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16974
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.