Monthly Magazine "November 2022"

Published on 23-Nov-2022 17:27:00




What is "Patch management"?

Patch management is the process of identifying and deploying software updates, or "patches," to a variety of endpoints, including computers, mobile devices, and servers. A "patch" is a specific change or set of updates provided by software developers to fix known security vulnerabilities or technical issues. Patches can also include the addition of new features and functions to the application.

Info Security Magazine reported that more than 18,000 Common Vulnerabilities and Exposures (CVEs) were published last year alone. That is an average of around 50 CVEs a day! It is virtually impossible for a small or medium-sized business with strained IT resources to keep up and protect the organization. According to the Ponemon Institute, 57% of cyberattack victims stated that applying a patch would have prevented the attack. 34% say they knew about the vulnerability before the attack.

Different types of patches?

Software patches fix existing vulnerabilities or bugs as they are found after a piece of software or hardware has been released.

There are several types of patches:

Hotfix: A hotfix is a quick correction to address a bug or defect and typically bypasses the normal software development process. Hotfixes are typically applied to high- or severe-priority bugs that require immediate correction, such as a bug that breaks the functionality or security of the software. Hotfixes can be applied while the software or system is still running (hot), without the need to restart or close the program.

Security patches: A security patch is a change applied to an asset to correct the weakness described by a vulnerability. This corrective action will prevent successful exploitation and remove or mitigate a threat's capability to exploit a specific vulnerability in an asset. Patch management is a part of vulnerability management, the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

Point release: A point release is a minor release of a software project, especially one intended to fix bugs or do small cleanups rather than add significant features. Often, there are too many bugs to be fixed in a single major or minor release, creating a need for a point release.

Maintenance release: An incremental update between service packs or software versions to fix multiple outstanding issues.

Service pack: Major patches that comprise a collection of updates, fixes, or feature enhancements to a software program delivered in the form of a single installable package. These typically fix many outstanding issues and normally include all the patches, hotfixes, maintenance, and security patches released before the service pack. Most of us are familiar with Windows Service Packs, for example, Windows 10 Version 1903 Update service pack, which introduced privacy setting updates, more control over how Windows updates are applied, a sandbox for professional users, passwordless login, screen mirroring for Android phones, enhanced troubleshooting, and security features.

Unofficial patches: These patches are created by a third party or a user community, most often because of a lack of support from the original software developer (e.g. the software company went out of business) or when a software product has reached its defined end-of-life. Like an ordinary patch, these are designed to correct bugs or software flaws. But BGD e-GOV CIRT always recommends installing patches only from trusted sources, and recommends that businesses avoid unofficial patches, because unofficial patches have sometimes been found to create security vulnerabilities.

Why do we need patch management?

Security: Patch management fixes vulnerabilities in software and applications that are vulnerable to cyber-attacks, helping the organization reduce its security risk.

System uptime: Patch management ensures software and applications are kept up-to-date and run smoothly, supporting system uptime.

Compliance: With the continued rise in cyber-attacks, organizations are often required by regulatory bodies to maintain a certain level of compliance. Patch management is a necessary piece of adhering to compliance standards.

Feature improvements: Patch management can go beyond software bug fixes to also include feature/functionality updates.

With an efficient patch management program, an organization can have a more secure environment: regularly patching vulnerabilities helps manage and reduce the risk that exists in the organization's environment, which helps protect the organization from potential security breaches.

Common Patch Management Challenges

1. Patches are typically released by software vendors to address known security vulnerabilities, which puts them high on the priority list for the information security team. However, patch testing and deployment often fall into the domain of the IT function. Many IT organizations may prioritize system operations, as opposed to security.

2. A common patch management challenge is the lack of understanding of what software the company's endpoints actually have. The lack of an IT asset inventory causes patch management to fail. With a detailed asset list, it's possible to have a complete picture of the company's IT infrastructure and what endpoints and applications are vulnerable. This makes it easier to prioritize assets and applications for faster patch deployment.

3. According to the Ivanti report (2021), 71% of IT and security professionals find patching complex and time-consuming. It's difficult to calculate how much time IT admins should spend on patching all the software to protect the company from breaches. An automated OS patch management tool can help you group the patches into categories, prioritizing the most important ones and deprioritizing those with the most negligible potential impact.

4. The primary objective of patching is to fix vulnerabilities, eliminate bugs, and add new features to the operating system. However, without prior testing, patching an operating system can make the software unstable or introduce unknown risks. To address this challenge and not "break everything," the updates must first be tested in a test environment and only then deployed.

5. Data security is under increasing scrutiny. The need to be compliant is becoming a requirement of new data security regulations. Regular patching is often included as a compliance requirement, and multiple operating systems make this requirement more difficult to meet. Compliance audits often fail due to a lack of both patching and process. It’s crucial that companies with multiple environments invest the resources to stay patched. Compliance is not a one-time event, but an ongoing security requirement.

6. Ongoing visibility and monitoring of vulnerable systems are a must, even after the risk tradeoffs have been considered and the latest critical vulnerability has been tested and patched. Clear visibility allows the team to track any problem that might arise and, if it is a threat, to take proper steps to resolve it. This is true for both patched and non-patched resources.
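
The prioritization described in challenges 2 and 3 above, as an added example that is not part of the original magazine: it joins an asset inventory with a list of advisories and ranks the missing patches. The hosts, products, advisory IDs and the scoring formula are all constructed assumptions for illustration.

```python
# Constructed sample data: hostnames, products, versions and advisory IDs are
# illustrative placeholders, not real hosts or real advisories.
INVENTORY = [
    {"host": "web-01", "product": "examplehttpd", "version": "2.4.9",
     "criticality": 3, "internet_facing": True},
    {"host": "hr-laptop-07", "product": "exampleoffice", "version": "16.0.2",
     "criticality": 1, "internet_facing": False},
    {"host": "db-01", "product": "exampledb", "version": "13.10",
     "criticality": 3, "internet_facing": False},
    {"host": "web-02", "product": "examplehttpd", "version": "2.4.12",
     "criticality": 2, "internet_facing": True},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "examplehttpd", "fixed_in": "2.4.12", "severity": 9.8},
    {"id": "ADV-EXAMPLE-002", "product": "exampledb", "fixed_in": "13.9", "severity": 7.5},
    {"id": "ADV-EXAMPLE-003", "product": "exampleoffice", "fixed_in": "16.0.10", "severity": 5.4},
]


def parse_version(text):
    """Turn '2.4.12' into (2, 4, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def build_patch_queue(inventory, advisories):
    """Return one entry per (host, advisory) still missing the fix, highest score first."""
    queue = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if parse_version(asset["version"]) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed version
            # Assumed scoring: advisory severity scaled by asset criticality,
            # doubled when the asset is reachable from the internet.
            exposure = 2 if asset["internet_facing"] else 1
            score = round(adv["severity"] * asset["criticality"] * exposure, 1)
            queue.append({"host": asset["host"], "advisory": adv["id"],
                          "installed": asset["version"],
                          "fixed_in": adv["fixed_in"], "score": score})
    return sorted(queue, key=lambda e: (-e["score"], e["host"]))


if __name__ == "__main__":
    for entry in build_patch_queue(INVENTORY, ADVISORIES):
        print(entry)
```

Note that db-01 (13.10) is correctly treated as already fixed relative to 13.9; a plain string comparison would have queued it by mistake.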
