Patch Management: Why Are We Doing This?


Happy Exploit Wednesday!


I will go over Patch Management, and why it is important. Hopefully nothing of yours is burning right now. As for the Linux folks reading this, just know that “I-told-you-so’s” don’t win friends, despite how right you are.


Patch management plays a vital role in safeguarding our devices and protecting them from potential vulnerabilities. That is a quick summary overall, but let’s see about navigating some specifics. 



Why is Patch Management Important:


Security: Patch management addresses vulnerabilities in your software and applications, making them less susceptible to cyberattacks. This practice plays a crucial role in reducing the overall security risk faced by your organization.


System availability: By keeping your software and applications up to date, patch management contributes to their smooth operation, supporting uninterrupted system availability and minimizing downtime.


Compliance: As cyber threats continue to rise, regulatory bodies often require organizations to adhere to specific compliance standards. Patch management is an essential component in meeting these standards and maintaining compliance.


Enhanced features: Patch management goes beyond fixing software bugs; it also includes updates that enhance features and functionality. These patches ensure that you have access to the latest and most advanced offerings of a product, providing you with improved capabilities and user experience.



But that isn’t all: Patch Management is, to some extent, a part of Vulnerability Management.


The distinction between Vulnerability Management and Patch Management is important, because when a vuln shows up on the radar of your vulnerability scanner, you have some options:


  1. Patch the affected assets for the vulnerability.
  2. Accept the risk of the vulnerability, and do nothing. 
  3. Consider the possible implementations of a compensating control to address the vuln indirectly.


In the case of #1, this is where Patch Management comes in. You download the patch from Microsoft or whatever vendor is associated with that asset/device, and you are good to go. 


In the case of #2, you accept the risk of the vuln. The justification for accepting it should be documented, because some industries, such as finance, go through compliance assessments such as the PCI DSS and must have that documentation of accepted risk to provide to the auditors.


Case #3 is a topic that can be as deep as it is wide. Compensating controls can be put in place when the vulnerable asset does not have a patch in place to protect it. 

An example of this would be a Windows computer that has an SMB vulnerability. Instead of accepting risk or patching, perhaps you would adjust your firewall rules to disallow any communication to or from port 445 (SMB) on the network. This does not fix the vuln on the Windows computer itself per se, but ensures that attackers cannot readily exploit it.
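
One way to apply that SMB compensating control on the Windows host itself, shown as an added example that is not part of the original article. It assumes the host firewall (rather than a network firewall) is where the rule goes; the rule names, group name and host placeholder are constructed for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): block SMB (TCP 445) in both directions
# with Windows Defender Firewall. Rule and group names are constructed.
# Caveat: this also stops file shares, mapped drives and, on domain-joined
# machines, Group Policy retrieval from SYSVOL, so test before a wide rollout.

$group = 'CompensatingControl-SMB'
$rules = @(
    @{ DisplayName = 'CC-Block-SMB-Inbound';  Direction = 'Inbound';  LocalPort  = 445 },
    @{ DisplayName = 'CC-Block-SMB-Outbound'; Direction = 'Outbound'; RemotePort = 445 }
)

foreach ($rule in $rules) {
    # Idempotent: create the rule only if it is not already present.
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule @rule -Protocol TCP -Action Block -Profile Any -Group $group `
            -Description 'Temporary compensating control until the SMB patch is applied' |
            Out-Null
    }
}

# A block rule has no effect on a profile whose firewall is turned off.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    Write-Warning "Firewall is disabled for profile(s): $($off.Name -join ', ')"
}

# Evidence for the risk register or an auditor: the rules as they now stand.
Get-NetFirewallRule -Group $group |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize

# Confirm the effect from another machine on the network (placeholder host name):
#   Test-NetConnection -ComputerName <asset-hostname> -Port 445
# TcpTestSucceeded should be False while the control is in place.
```

Once the asset is patched, `Remove-NetFirewallRule -Group 'CompensatingControl-SMB'` removes both rules.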


This is a rather brief overview of Patch Management, but if you are reading this, I hope you were able to understand the process and why it helps your overall security posture.

If you have any questions, feel free to inMail me.

