日期 : 2018年9月24日
作者 : 网络安全精英嘉许计划2017金奖得奖者陈应强先生
Patch Management is nothing new for computer systems, but a challenge to execute effectively and efficiently. As more cyberattacks happen on endpoints, timely updates of security patches on computers are becoming even more crucial to protect systems. By my experience, there are several steps necessary for effective management of patches including vulnerabilities tracking, risk assessment, patch testing, and deployment approach.
First of all, you need to have a clear picture of what system platforms and software are in place in your environment. It will be helpful to tell which security patches are relevant to your environment. Have some means to track announcements of new vulnerabilities and security patches. You may opt to track it manually which can be very resources consuming or go for automated solutions.
The next is to perform risk assessment of the vulnerabilities if they are exploited. The assessment is to tell the severity of impacts upon cyberattacks on those vulnerabilities. Such impacts may be information loss, system service disruptions, stoppage of business operations, damage to company reputation, etc. The results of the assessment will form a good basis to tell how critical and how urgent it is to fix the vulnerability. It will also facilitate you to prioritise the patching jobs of various vulnerabilities.
Testing is important to assure the security patch does no harm to your systems before deployment to production systems. Proper testing and phased implementation are often the good practices for early detection of any problems introduced by the security patch. If the patches come with fallback options, test also the fallback to see if it can really work when you need to remove the installed patch. First phase of implementation on some non-critical systems for a period of time may allow problems, if any, to surface. It gives you a good chance to fix those problems before deployment to other systems.
If patches are not yet available when vulnerabilities are announced, it is necessary to assess the risks and associated impacts in case of cyberattacks on those vulnerabilities. Compensation controls may be required to reduce the likelihood of successful exploitation of the vulnerabilities. For example, restrict the remote access with 2-factor authentications if the vulnerability is about single-factor authentication in remote access.