Best Practices for Patch and Vulnerability Management Programs
Roughly 75% of the assessments we perform include a finding related to patching. So what is missing, and what can be done about it? In this webinar, Jeff Wilder discusses best practices for patch management programs, best practices for vulnerability management and identification programs, false assumptions about patching, risk ranking, and recommended tools.
Your vulnerability management and identification program should include monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, a risk ranking system for each identified vulnerability, and monitoring for zero-day attacks (vulnerabilities being exploited before a patch exists).
Once you have identified a patch or a vulnerability, you need to rank the risk. We recommend the Common Vulnerability Scoring System (CVSS). Each identified vulnerability receives a score from 0 to 10, with the lowest scores indicating informational findings and 10 indicating an issue that needs to be addressed immediately.
Patching rests on several false assumptions. A patch and vulnerability management program is about addressing risk, not just about getting patches onto devices. Traps to avoid:
- Assuming that because a patch or update is available you must install it. Availability alone says nothing about whether the vulnerability it fixes is present or exploitable in your environment; the risk decides.
- Assuming the vendor's severity rating is your severity rating. A "medium" from the vendor can be critical to your organization, or irrelevant, depending on where and how the affected software is deployed.
- Assuming that because Microsoft (or any vendor) has not announced a vulnerability, you are immune from attack. Vulnerabilities exist and are exploited before advisories and patches are published.
- Assuming that a fully patched system is free of vulnerabilities. Patches address known, disclosed issues only; misconfigurations, unpatched third-party software, and undisclosed flaws remain.
Tools that we recommend:
- Microsoft Baseline Security Analyzer (MBSA): scans Windows hosts for missing security updates and common security misconfigurations (Microsoft has since retired it, so it is not an option for current Windows versions)
- Missing-update checks on Linux devices (the distribution's package manager reports the security updates available for the installed packages)
- Nipper by Titania: audits the configurations of network devices such as firewalls, switches and routers for vulnerabilities and misconfigurations
- Secunia PSI (Personal Software Inspector): scanned third-party applications on Windows PCs for missing patches (discontinued by Flexera in 2018)
- NVD, the NIST National Vulnerability Database: the public catalog of CVE entries with their CVSS scores, and the primary source to monitor for newly published vulnerabilities
Still have questions on vulnerability management programs? Contact us today and speak to an expert.