What is Inadequate Patch Management?
Patch management is a critical function of maintaining a robust and secure IT infrastructure. Patch management involves identifying, testing, and deploying updates to help keep systems protected from known vulnerabilities. With so many different devices of different types in an organization, it is a difficult task to ensure that they all have the correct patches installed, and installed correctly. Some common patch installation events include1:
Installing patches after restart. Some patches require that a system be rebooted for the patch to take effect. During this process, newly installed patches can go missing, such as when a Windows machine comes back with a ‘Failure configuring Windows updates. Reverting changes.’ message. This update in Windows may fail when trying to upgrade to a newer version of Windows, Windows has too many updates trying to load at once, Windows update causes an issue itself, or existing software installed on the machine is not compatible with the Windows update. Issues like these can be fixed by disabling anti-virus while deploying patches, installing updates in a clean boot state, and clearing the cache.
Test patches. Testing patches in a test environment can prevent installation issues by demonstrating that patches on different hardware with different software versions have had desired outcomes. This does not guarantee that there will be no issues when installing updates, but it does reduce the chances of that.
Roll back. If patch updates cause issues, individual patches can be rolled back by uninstalling them and restoring the machine back to a point before the patch update installation.
If a device falls through the cracks and does not have the most up-to-date patches applied, security risks include:
- Phishing and social engineering attacks
- Security vulnerabilities
- Lost data, data leakage, data theft
- Regulatory compliance violations
- Customer safety risks
Patch management best practices include:
Assessing risk. Analyze your environment to identify all of the risks and design a mitigation strategy.
Identifying vulnerabilities and investigating patches for specific vulnerabilities. Discover which threats have not been patched and learn if specific patches will be effective protection against specific threats.
Creating a patching schedule. Create a schedule noting upcoming releases and implementation times.
Centralizing and automating. Centralized dashboards and automated patch deployment can help with patch management.
Training. Ensure that policies, procedures, and risks are known to employees.
1 Thakur, 2023, “Risks (and Remedies) of Failed Patch Management”