Patch Management Basics

By Anthony Rivera, CIO at Access Point Consulting

A patch is a software update released by developers to fix bugs, address security vulnerabilities, or improve the performance and functionality of existing software applications or operating systems. Patches can be applied to various types of software, including operating systems, applications, and firmware. Most compliance frameworks including GDPR, HITRUST, HIPAA, and PCI require adherence to a patch management program.

When an organization discovers a security gap, its IT team makes every effort to deploy a patch before an attacker can exploit it. However, in the case of a zero-day vulnerability, a patch has not yet been released, which significantly heightens the risk. As vendors race to develop, test, and release a patch to resolve the issue, malicious actors are simultaneously rushing to exploit the vulnerability. During this critical period, companies must act quickly, deploying mitigating controls to safeguard their infrastructure and data.

While patches are essential for security, they also present challenges. Vendors do not always provide detailed information about the security improvements included in a patch. After updating your system, you may encounter unexpected issues—such as discovering that certain customized applications, especially those that rely on older versions of Java or .NET, no longer function correctly. Even when the vendor labels the priority and issues a list of all changes with every patch, many businesses won’t have the resources necessary to read each one carefully and understand its impact. It can be difficult to read and understand advisories and CVE records, which tend to obfuscate bugs to protect the reputation of the vendor.

This past summer, the industry faced significant disruption when a patch from CrowdStrike contained a glitch, causing millions of computers worldwide to crash. For many companies, it took several days to recover from the incident, resulting in substantial financial losses.

To avoid such issues, a successful patching strategy requires organizations to establish a clear patch management policy, including Service Level Agreements (SLAs) that define patch-response times. Patches should be prioritized based on their risk level (e.g., CVSS score) and the exposure the vulnerability presents within the organization's environment, such as whether the affected system is reachable from the internet. Before a patch is widely deployed, it should be pilot tested with a small group of users to identify and resolve any incompatibilities, ensuring a smoother release for the general population.

Aligning your patching strategy with frameworks like NIST can provide a solid foundation, offering a structured approach to prioritizing and addressing vulnerabilities. At Access Point, our standard is to patch critical vulnerabilities within 14 days and high-severity vulnerabilities within 30 days. Additionally, we prioritize more frequent patching for web browsers due to their widespread use and heightened exposure to attacks.
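One way to turn the SLAs above into a repeatable check, as an added example that is not Access Point's own tooling: a small Python triage script that bands findings by CVSS score, treats a high-severity finding on an internet-facing host as critical, applies the 14- and 30-day windows, and flags overdue items. The 7-day browser window and the 90-day medium/low window are assumptions the article does not specify, and the CVE identifiers in the constructed sample inventory are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Days from disclosure to deployment per severity band. Critical (14) and high (30)
# are the article's figures; medium/low (90) and the browser window (7) are assumed.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 90}
BROWSER_SLA_DAYS = 7

@dataclass
class Finding:
    host: str
    cve: str            # placeholder IDs in the constructed data, not real CVEs
    cvss: float
    disclosed: date
    internet_facing: bool
    is_browser: bool = False

def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    for threshold, band in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss >= threshold:
            return band
    return "low"

def effective_severity(f: Finding) -> str:
    """Exposure adjustment: a high on an internet-facing host is handled as critical."""
    sev = severity(f.cvss)
    return "critical" if sev == "high" and f.internet_facing else sev

def due_date(f: Finding) -> date:
    """SLA deadline; browsers get the tighter window the article calls for."""
    days = SLA_DAYS[effective_severity(f)]
    if f.is_browser:
        days = min(days, BROWSER_SLA_DAYS)
    return f.disclosed + timedelta(days=days)

def triage(findings, today: date):
    """Most urgent first: most overdue, then earliest due date, then highest CVSS."""
    rows = [{"host": f.host, "cve": f.cve, "severity": effective_severity(f),
             "due": due_date(f).isoformat(), "cvss": f.cvss,
             "overdue_days": max((today - due_date(f)).days, 0)} for f in findings]
    return sorted(rows, key=lambda r: (-r["overdue_days"], r["due"], -r["cvss"]))

TODAY = date(2024, 10, 1)  # constructed report date
SAMPLE_FINDINGS = [        # constructed inventory
    Finding("web01", "CVE-XXXX-0001", 8.1, date(2024, 9, 1), True),         # DMZ web server
    Finding("ws17", "CVE-XXXX-0002", 7.5, date(2024, 9, 20), False, True),  # workstation browser
    Finding("db02", "CVE-XXXX-0003", 5.3, date(2024, 8, 1), False),         # internal database
    Finding("dc01", "CVE-XXXX-0004", 9.8, date(2024, 9, 25), False),        # domain controller
]
```

Calling `triage(SAMPLE_FINDINGS, TODAY)` lists web01 first (a CVSS 8.1 high that becomes critical because the host is internet-facing, 16 days past its 14-day window), then the browser finding (4 days past its 7-day window), then the two findings still inside their SLA.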

Patch management is a complex endeavor that needs to flex around a company’s resources, compliance requirements, industry, and threat landscape. No one size fits all, but by adopting best practices, you can find a patch strategy that effectively reduces the risk in your organization. If your business does not have the IT or security resources to evaluate and prioritize patches, Access Point can help. We specialize in delivering turnkey solutions and security expertise to address these problems for you.

About the Author

Anthony Rivera is the Chief Information Officer at Access Point Consulting. With more than 20 years of experience in information technology and cybersecurity, Anthony leads the company's efforts in developing innovative strategies to protect organizational assets and data. He is passionate about fostering a culture of security awareness and is committed to educating others on best practices in the field.
