Compliance is Never Enough Phil

Compliance is Never Enough: Hardening and System Patching

Best Practices for Patch and Vulnerability Management Programs

75% of the assessments that we do will generally have a finding regarding patching. So, what’s missing? What can we do to change that? In this webinar, Jeff Wilder discusses best practices for patch management programs, best practices for vulnerability management and identification programs, false assumptions about patching, risk ranking, and recommended tools.

Patch management should only be one part of your overall vulnerability program. Your program should also include AV, FIM, and log review, defined policies and procedures, the tools needed to identify missing patches or vulnerabilities, and staff sufficiently trained to address the issues that are identified. Keep in mind, too, that patching is not just about your workstations or servers. Ask yourself: When was the last time you updated your routers and firewalls? Have you considered the applications you use? How do you intend to deploy your non-Microsoft patches? What about IoT devices? What about company-provided Android devices, Adobe products, etc.?

Your vulnerability management and identification program should include monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, a risk ranking system for the identified vulnerability, and a watch for 0-day attacks.

Once you’ve identified a patch or vulnerability, you need to rank that risk. We recommend the Common Vulnerability Scoring System (CVSS). Vulnerabilities, once identified, are given a score between 1 and 10, 1 being “informational” and 10 being “needs to be addressed immediately.”

There can be many false assumptions when it comes to patching. Patch and vulnerability management programs are about addressing risk, not just patching a device. Traps you could fall into: assuming that because a patch or update is available you have to install it; assuming that because a vendor rates an update as medium risk, that rating tells you whether it is critical to your organization; assuming that because Microsoft hasn’t told you about a vulnerability you are immune from attack; and assuming that keeping your system patched will keep it free from all vulnerabilities.
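The risk-ranking step above and the “vendor rating is not your rating” trap can be made concrete. The following is an added example (not code from the webinar or its presenter) that re-ranks a vendor CVSS score against an organization’s own exposure and produces a prioritized remediation list; the findings, hostnames and uplift weights are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample findings (hypothetical hosts); in practice a scanner
# or the NVD feed would supply the vendor CVSS base score.
@dataclass
class Finding:
    asset: str
    asset_class: str       # server, workstation, router, firewall, iot, app
    cvss: float            # vendor / NVD base score, 0-10
    internet_facing: bool
    exploit_public: bool   # public exploit or 0-day reports seen
    patch_available: bool

def org_score(f: Finding) -> float:
    """Re-rank the vendor score for this organization's exposure.
    Uplift weights are hypothetical; they encode that a vendor 'medium'
    can be critical here (e.g. an internet-facing firewall with a public exploit)."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    if f.exploit_public:
        score += 1.5
    if f.asset_class in ("router", "firewall"):
        score += 1.0
    return round(min(score, 10.0), 1)

def severity(score: float) -> str:
    """CVSS-style bands: 10 = address immediately, 1 = informational."""
    if score >= 9.0:
        return "immediate"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "informational"

def action(f: Finding) -> str:
    # No patch does not mean no risk: mitigate and keep watching the vendor site.
    return "deploy patch" if f.patch_available else "mitigate + watch vendor"

def prioritize(findings):
    """Return (asset, org score, severity, action) rows, highest risk first."""
    rows = [(f.asset, org_score(f), severity(org_score(f)), action(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)

SAMPLE = [  # constructed findings
    Finding("fw-edge-01", "firewall", 5.3, True, True, True),
    Finding("ws-042", "workstation", 7.8, False, False, True),
    Finding("cam-lobby", "iot", 6.5, True, True, False),
    Finding("db-01", "server", 3.1, False, False, True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Note that the vendor-rated “medium” firewall finding outranks the “high” workstation one once exposure is taken into account, which is the point of ranking risk rather than patch availability.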

Tools that we recommend:

  • Secunia
  • org
  • Microsoft Baseline Security Analyzer (MBSA)
  • Missing update on Linux Devices
  • Nipper by Titania
  • Secunia PSI (Personal Software Inspector)
  • NVD Database
  • Reddit
  • IRC
  • HexChat

Still have questions on vulnerability management programs? Contact us today and speak to an expert.