Software Patching and Host Protections


Patch management involves regularly monitoring, assessing, and updating an organization's software.

  • requires a centralized patch management system
  • can be a manual process, an automated process, or both
    • e.g., an admin develops custom scripts that help the patch management system identify missing patches more accurately
  • patch management software needs to be configured based on risks associated with each system and its applications
  • important considerations:
    • individual or team responsible for reviewing vendor-supplied newsletters and security patch bulletins
    • mechanisms to patch OS and all applications running on it
    • incorporate cloud resources
    • categorize updates into urgent, important, and noncritical
    • use a patch test environment to install and test urgent and critical patches
    • use detailed logging to support monitoring and troubleshooting of patch deployment
    • have a method to evaluate firmware updates prior to deployment
    • immediate push delivery of critical security patches
    • a routine schedule for the rollout of noncritical patches
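The considerations above (categorize updates, test urgent and critical patches first, push critical patches immediately, schedule noncritical ones, evaluate firmware separately, log everything) can be expressed as a small triage routine. The following is an added example written for these notes, not a tool from any vendor; the severity thresholds, the weekly/monthly windows, and the bulletin entries are all assumptions.

```python
"""Patch triage and rollout planning (added example, not from the notes).

Each vendor bulletin entry is categorized as urgent, important, or noncritical.
Urgent and important patches are staged in the test environment first; urgent
ones are then pushed immediately, important ones at the next weekly window,
noncritical ones on the routine monthly cycle. Firmware updates are routed to a
separate evaluation queue. Every decision is logged for later troubleshooting.
"""
import logging
from dataclasses import dataclass, field
from datetime import date, timedelta

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("patch-mgmt")

# Constructed sample entries, shaped like what an admin might extract from
# vendor security bulletins. The ids and scores are made up.
SAMPLE_BULLETINS = [
    {"id": "VENDOR-2024-001", "product": "webserver", "cvss": 9.8, "exploited": True},
    {"id": "VENDOR-2024-002", "product": "dbclient", "cvss": 7.1, "exploited": False},
    {"id": "VENDOR-2024-003", "product": "imgtool", "cvss": 3.2, "exploited": False},
    {"id": "VENDOR-2024-004", "product": "bios", "cvss": 5.5, "exploited": False, "firmware": True},
]


def categorize(entry):
    """Assumed policy: actively exploited or CVSS >= 9.0 -> urgent;
    CVSS >= 7.0 -> important; anything else -> noncritical."""
    if entry.get("exploited") or entry["cvss"] >= 9.0:
        return "urgent"
    if entry["cvss"] >= 7.0:
        return "important"
    return "noncritical"


def next_weekly_window(today, weekday=1):
    """Next occurrence of the maintenance weekday (default Tuesday=1), never today."""
    days_ahead = (weekday - today.weekday()) % 7 or 7
    return today + timedelta(days=days_ahead)


def next_monthly_cycle(today):
    """First day of the following month: the assumed routine rollout cycle."""
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return date(year, month, 1)


@dataclass
class RolloutPlan:
    test_first: list = field(default_factory=list)      # ids to stage in the test environment
    immediate: list = field(default_factory=list)       # urgent: push as soon as testing passes
    scheduled: list = field(default_factory=list)       # (id, deployment date)
    firmware_review: list = field(default_factory=list)  # evaluated separately before deployment


def plan_rollout(bulletins, today):
    plan = RolloutPlan()
    weekly, monthly = next_weekly_window(today), next_monthly_cycle(today)
    for b in bulletins:
        cat = categorize(b)
        log.info("%s (%s, CVSS %.1f) categorized as %s", b["id"], b["product"], b["cvss"], cat)
        if b.get("firmware"):
            log.info("%s is firmware; queued for separate evaluation", b["id"])
            plan.firmware_review.append(b["id"])
            continue
        if cat == "urgent":
            plan.test_first.append(b["id"])
            plan.immediate.append(b["id"])
        elif cat == "important":
            plan.test_first.append(b["id"])
            plan.scheduled.append((b["id"], weekly))
        else:
            plan.scheduled.append((b["id"], monthly))
    return plan


if __name__ == "__main__":
    plan = plan_rollout(SAMPLE_BULLETINS, date(2024, 5, 15))
    print(plan)
```

The point of keeping the policy in `categorize` and the calendar logic in two small functions is that both are the parts an organization tunes per system and per application; the rest of the flow stays fixed and fully logged.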

Patch Testing

  • Patch testing
    • aims to determine whether a software patch creates problems with the organization’s unique mix of hardware, software, and configuration settings
    • should primarily involve testing a patch on a single isolated system
    • should validate that the fixes the patch claims to deliver actually work as expected
  • vulnerability scans before and after patching should verify that the patch resolves the targeted vulnerabilities and does not introduce new ones
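One concrete way to do the before/after check on the isolated test system is to diff the two scan results and issue a verdict. This is an added example for these notes, not the output format of any real scanner: the comma-separated "host,finding id,severity,description" layout and the sample findings are constructed.

```python
"""Pre/post-patch vulnerability scan comparison (added example, not from the notes).

Compares findings from a scan taken before and after a patch is installed on the
single isolated test system, then reports what was resolved, what persists, and
what is new. A patch passes only if every finding it targets is gone and no new
finding appeared. The scan format below is an assumption for the example.
"""
from dataclasses import dataclass

# Constructed sample scans: host, finding id, severity, description.
SCAN_BEFORE = """\
testhost01,FINDING-1001,high,Outdated webserver version
testhost01,FINDING-1002,medium,TLS weak cipher enabled
testhost01,FINDING-1003,low,Banner discloses version
"""
SCAN_AFTER = """\
testhost01,FINDING-1002,medium,TLS weak cipher enabled
testhost01,FINDING-1003,low,Banner discloses version
testhost01,FINDING-2001,medium,Legacy service enabled by update
"""


def parse_scan(text):
    """Return {(host, finding id): {severity, description}} from the assumed CSV layout."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fid, sev, desc = (f.strip() for f in line.split(",", 3))
        findings[(host, fid)] = {"severity": sev.lower(), "description": desc}
    return findings


@dataclass
class ScanDiff:
    resolved: list     # keys present before, absent after
    persisting: list   # keys present in both scans
    introduced: list   # keys absent before, present after


def compare_scans(before_text, after_text):
    before, after = parse_scan(before_text), parse_scan(after_text)
    return ScanDiff(
        resolved=sorted(k for k in before if k not in after),
        persisting=sorted(k for k in before if k in after),
        introduced=sorted(k for k in after if k not in before),
    )


def patch_verdict(diff, target_ids):
    """target_ids: the finding ids the patch bulletin says it fixes."""
    resolved_ids = {fid for _, fid in diff.resolved}
    unresolved = sorted(set(target_ids) - resolved_ids)
    if unresolved:
        return "FAIL: targeted findings still present: " + ", ".join(unresolved)
    if diff.introduced:
        return "FAIL: patch introduced new findings: " + ", ".join(fid for _, fid in diff.introduced)
    return "PASS"


if __name__ == "__main__":
    diff = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    print(patch_verdict(diff, ["FINDING-1001"]))
```

Persisting findings that the patch never claimed to fix are reported but do not fail the patch; they belong to the normal backlog, whereas anything new after the install is exactly the regression the test system exists to catch.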