See Previous Issue: Why is Patch Management so Complex?
“At the time of the breach, Equifax’s internal IT management process failed to establish clear lines of accountability for developing IT security policies and executing these policies” – US House of Representatives Committee on Oversight and Government Reform Report: The Equifax Data Breach, December 2018
In my previous article I talked about the complexity of patch management and some steps companies can take to make patch management work. So who is responsible for ensuring that patches are identified, tested, and installed? The reality is that many different groups will have operational responsibility for different parts of the patch management process.
Identification, Prioritization and Communication
The need to patch systems can come from many different sources, including:
- Vulnerability discovery – companies should be constantly scanning and monitoring their IT estate to identify security vulnerabilities. Vulnerabilities are typically remediated by either making configuration changes in the vulnerable system (e.g., disabling an insecure service) or by installing a software patch.
- Vendor patch notices – suppliers of 3rd party software (e.g., Oracle, Microsoft) provide periodic patches for their software. Some of these patches fix functional bugs in the software, while others address security vulnerabilities. Microsoft issued thousands of security patches for their software in 2018.
- Open source communications – there are many open-source and government-sponsored services that provide information about known vulnerabilities in commercial and open-source software. A common service used by cybersecurity professionals is US-CERT which is run by the US Department of Homeland Security. In 2018, US-CERT reported over 16,000 vulnerabilities.
Companies need a robust process to identify when and where patches are needed to be installed. This requires an information intake process where cybersecurity and technology experts subscribe to and review multiple information sources and identify actions that are needed.
The key here is to quickly review information as it becomes available and then determine the criticality to patch and prioritize the actions that are needed. Typically patches are prioritized, for example: Critical, High, Medium, Low. Each category has a timeframe for implementation of the patch (e.g., Critical may require installation within 48 hours).
Once a patch has been analyzed and prioritized, information must flow to those system administrators that will need to test and install the patch. Companies should have multiple methods of distributing information to administrators.
System administrators should also be encouraged to subscribe to relevant external vulnerability and patch communications to provide additional redundancies in the communication process.
The challenge is how to ensure that you reach all the appropriate parties. This requires an understanding of what technology is in place in the organization, and knowledge of the IT operational personnel administering these systems.
Test and Install
IT operational system, network and database administrators receive the information and instructions regarding the vulnerability and related security patch installation instructions. They should test and install patches based on the prioritization provided.
This may require coordination with other business and IT personnel as the patching may require a system outage or restart. Testing normally occurs on non-production environments before being deployed to production systems. Users may need to perform testing to validate the system continues to function as expected.
The challenge here is that testing and installation takes time and may require other tasks to be deprioritized. Communication and coordination with the business owner and users is important. Coordination may also be needed across different IT teams to ensure the patch is adequately tested and deployed.
Given the volume of IT vulnerabilities and patches, companies should consider using enterprise patching automation solutions to help with the deployment of patches. These tools automate the installation process and report back when patches are installed.
Cybersecurity personnel should validate patch installations through scanning and analysis tools and feedback provided by enterprise patch automation tools.
Someone in the management hierarchy should be designated to ensure the overall patch management process works and receive feedback on the state of patching in the IT estate.
The Role of Executive Management
Far too often patching gets deprioritized because it is like routine maintenance. It is not considered fun or “sexy” compared to other IT projects. Often it takes a back seat to more important projects. Business leaders need to recognize this and ensure they are allocating resources and time to patching. There should be clear escalation paths when patches are not installed on schedule. Management should receive regular metrics and updates to monitor progress.
A Patching Management Policy should set out patching expectations, roles and responsibilities, and measures to monitor the effectiveness of the patch management process. Ongoing education and awareness of all patching stakeholders is required to ensure the policy continues to operate as intended.
The patch management process should be periodically reviewed by Internal Audit (or an external consultant) to provide executive management with assurance that the process is operating as intended.
Questions for Executives
Questions for your organization to consider:
- Has the Executive team made a clear commitment to patch management as an organizational priority?
- Have adequate resources been assigned to ensure patches are deployed in accordance with your security policy
- How do senior executives know that the patching processes are being followed?
- Are patching processes regularly reviewed by internal audit or external advisors?
Next issue: You Can’t Patch What You Don’t Know
Contact Graeme to schedule a time to speak to your Board or Executive Team.