|
Home
|
Essentials of Patch Management Policy and Practice
by Jason Chan, @stake
Introduction
It's obvious that patch management is a critical issue. What is also clear is the
main objective of a patch management program: to create a consistently configured
environment that is secure against known vulnerabilities in operating system and application
software. Unfortunately, as with many technology-based problems, good, practical solutions
aren't as apparent. Managing updates for all the applications and operating system
versions used in a small company is fairly complicated, and the situation only becomes
more complex when additional platforms, availability requirements, and remote offices
and workers are factored in.
Just as each organization has unique technology needs, successful patch management
programs will vary in design and implementation. However, there are some key issues
that should be addressed and included in all patch management efforts. This paper
provides a technology-neutral look at these basic requirements. The tips and suggestions
provided are rooted in best practice, so a given patch management program shouldn't
be considered a failure if all items haven't been accounted for. Instead, use this
overview as a means of assessing your current patch management efforts or as a framework
for designing a new program from the ground up.
Security and Patch Information Sources
An organization should also have relationships with their key operating system, network
device, and application vendors that facilitate the timely release and distribution
of information on product security issues and patches. These relationships can range
from weekly or monthly calls with the account manager to simple subscriptions to the
vendor's security announcement list. In addition, public web sites and mailing lists
should be regularly monitored. Such information sources include Bugtraq, the various
SecurityFocus Focus lists, and patchmanagement.org.
Patch Prioritization and Scheduling
The second scheduling plan deals more with critical security and functionality patches
and updates. This plan helps the organization deal with the prioritization and scheduling
of updates that, by their nature, must be deployed in a more immediate fashion. A
number of factors are routinely considered when determining patch priority and scheduling
urgency. Vendor-reported criticality (e.g. high, medium, low) is a key input for calculating
a patch's significance and priority, as is the existence of a known exploit or other
malicious code that uses the vulnerability being patched as an attack vector. Other
factors that should be taken into account when scheduling and prioritizing patches
are system criticality (e.g. the relative importance of the applications and data
the system supports to the overall business) and system exposure (e.g. DMZ systems
vs. internal file servers vs. client workstations).
Patch Testing
Once a patch has been determined valid, it is typically placed in a test environment.
While the perfect test environment will mirror production as closely as possible,
it is important to at least account for the majority of critical applications and
supported operating platforms in your patch testing infrastructure. Many organizations
will use a subset of production systems as an ad hoc test environment; department-level
servers and IT employee systems are typically used in these cases. Regardless of the
available test equipment and systems, exposing the update to as many variations of
production-like systems as possible will help ensure a smooth and predictable rollout.
The actual mechanics of testing a patch vary widely by organization. This testing
could be simply installing a patch and making sure the system reboots, or the test
procedure could involve the execution of a battery of detailed and elaborate test
scripts that validate continued system and application functionality. In the end,
a suitable approach toward detailed patch testing will be dictated by system criticality
and availability requirements, available resources, and patch severity.
The initial phases of production rollout can be considered an additional component
of the testing process. Rollouts are often done in tiers, with the initial tiers often
involving less critical systems. Based on the performance of these stages of the patch
deployment process, the entire environment will be updated, and the testing process
can be considered finished with the completion of final acceptance testing.
Change Management
Like any environmental changes, patch application plans submitted through change management
must have associated contingency and backout plans. What are the recovery plans if
something goes wrong during or as a result of the application of a patch or update?
Also, information on risk mitigation should be included in the change management solution.
For example, how are desktop patches going to be phased and scheduled to prevent mass
outages and support desk overload? Monitoring and acceptance plans should also be
included in the change management process. How will updates be certified as successful?
There should be specific milestones and acceptance criteria to guide the verification
of the patches' success and to allow for the closure of the update in the change management
system (e.g. no reported issues within a week of patch application).
Patch Installation and Deployment
The most important technical factor affecting patch deployment is likely the choice
of tools used. One key distinction between patch tools is a common system development
issue - to buy or to build? Historically, many organizations have created custom solutions
using scripting languages combined with available platform tools to distribute and
apply patches. As the industry has matured and the need for comprehensive and automated
updates has increased, many tools have become available to help manage the patch application
process. These tools are often classified as being either agent-based or agentless
systems, depending on whether they rely on software being installed on the target
systems that are to be patched. Additionally, many existing system management tools
have the capability to perform software and system updates. The correct choice of
patch management tools for any organization depends on a number of issues, including:
the number of platforms supported, the number of systems to be patched, existing expertise
and personnel involved, and the availability of existing system management tools.
While applying patches, and especially security updates, in a timely manner is critical,
these updates must be made in a controlled and predictable fashion. Without an organized
and controlled patch application process, system state will tend to drift rather quickly
from the norm and compliance with mandated patch and update levels will diminish.
In general, users and even administrators should not be permitted to apply patches
arbitrarily. While this should be addressed initially at a policy and procedure level
(e.g. with acceptable use policies, change management, and established maintenance
windows), it may also be appropriate to apply additional technical controls to limit
when and by whom patches can be applied. The type of controls enforced will vary by
organization and requirement, but include items such as restricted user rights (the
user does not have sufficient permissions to update the system) and network-based
access controls (the system cannot access the resources needed to perform an update,
for example Windows Update or RedHat Network). In smaller organizations, automated,
user-driven tools such as Windows Update may be acceptable. However, groups that use
these update methods will likely need to rely heavily on policy guidance and enforcement
along with regular assessment to ensure that organizational goals for patch and configuration
compliance are met.
Audit and Assessment
System discovery and auditing are also components of the audit and assessment process.
While asset and host management systems can help you administer and report on known
systems, there are likely a number of systems that have been either unknowingly or
intentionally excluded from inventory databases and management infrastructures. System
discovery tools can help uncover these systems and assist in bringing them under the
umbrella of formal system management and patch compliance. Organizations typically
use either their own discovery and assessment mechanisms or one of the various managed
vulnerability assessment tools. Regardless of the tools used, the goal is to discover
unknown systems within your environment and assess their compliance with organization
update and configuration guidelines.
Consistency and Compliance
System build tools and guidelines are the primary enforcement means of ensuring compliance
with patch requirements at installation time. As new patches are approved and deployed,
build images and scripts should be updated so that all newly built systems are appropriately
patched, and associated build documentation should be updated to reflect these changes.
In addition to updates to build tools and documentation, operational procedures must
exist to facilitate ongoing compliance of newly built systems. If an engineering team
typically builds servers (e.g. with the base operating system and applications) and
a separate operations team then assumes management of the system, a process must exist
to funnel operational changes back to the build and engineering stage of the system
lifecycle. These modifications are most ideally and suitably handled via an enterprise-wide
change management system. Any new patches and updates that are approved and installed
by operations should also be integrated by the engineering team into new builds, with
the change management system providing both an appropriate audit trail and suitable
procedural guidelines for this implementation.
Conclusion
|
||
PatchManagement.org website hosted by Shavlik Technologies, LLC |