Although there are many different ways hackers can try to gain access to your network and information resources (including social engineering and use of lost or stolen passwords), the exploitation of unpatched software is one of the most common vectors used and is often one of the most effective for the hacker.
To manage the software on your network and to ensure that it is up to date, an effective patch management policy is needed. Here are some points to remember when creating or reviewing your patch management policy.
- A patch management policy needs to find the right balance between reducing your organization’s vulnerability to outside attack and ensuring that applying the patches doesn’t interrupt normal business.
- Define a workable policy for patch testing. Patches to end-user software like Adobe Flash Player or Adobe Acrobat can be installed with minimal testing. However, patches to your database server need rigorous testing before being applied.
- How competent is the patch provider? Should automatic updates be accepted without question? Maybe updates from Adobe (for Flash and Acrobat Reader), Google (for Chrome), Mozilla (for Firefox) etc. should be trusted. However, software companies aren’t immune to releasing bad patches. Read how Microsoft released a patch which broke VMware’s View Client.
- Understand the priority of patches. Vulnerabilities which are being actively exploited should be considered higher priority than those which are theoretical. If patches are released in response to an actual incident, consider applying the patches as soon as possible.
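As an added illustration (not part of the original article), here is a small Python triage routine that encodes the testing and priority rules above: testing depth follows the asset class, urgency follows active exploitation, and auto-update is allowed only for end-user software from a vendor you have chosen to trust. The vendor list, the two tiers and the deadline values are assumptions for the example, not figures from the article.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(str, Enum):
    END_USER = "end_user"  # browsers, PDF readers, Flash: minimal testing
    SERVER = "server"      # database and other servers: rigorous testing


@dataclass
class Patch:
    vendor: str
    product: str
    tier: Tier
    actively_exploited: bool = False  # exploitation seen in the wild
    incident_driven: bool = False     # released in response to an actual incident


# Assumed policy parameters (constructed for this example, not from the article)
TRUSTED_AUTO_UPDATE_VENDORS = {"Adobe", "Google", "Mozilla"}
DEADLINE_DAYS = {"urgent": 2, "routine": 30}


def triage(p: Patch) -> dict:
    """Return the handling decision for one patch under the policy."""
    # Priority: exploited or incident-driven patches go first; theoretical ones wait.
    priority = "urgent" if (p.actively_exploited or p.incident_driven) else "routine"
    # Testing depth is decided by what the patch touches, not by how urgent it is.
    testing = "minimal" if p.tier is Tier.END_USER else "rigorous"
    # Auto-update only for end-user software from a trusted vendor; servers never
    # auto-update, because even trusted vendors occasionally ship a bad patch.
    auto_update = p.tier is Tier.END_USER and p.vendor in TRUSTED_AUTO_UPDATE_VENDORS
    return {
        "priority": priority,
        "testing": testing,
        "auto_update": auto_update,
        "deadline_days": DEADLINE_DAYS[priority],
    }


def schedule(patches: list[Patch]) -> list[str]:
    """Order a backlog: tightest deadline first; among equals, start rigorous
    testing first because it takes the longest to complete."""
    def key(p: Patch):
        d = triage(p)
        return (d["deadline_days"], 0 if d["testing"] == "rigorous" else 1)
    return [p.product for p in sorted(patches, key=key)]
```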