“Patch all the things all of the time” is a saying often heard in the world of IT security. While it is true that patching is a critical part of cybersecurity, this saying is far too simplistic. Why?
Patching is not that simple. It requires downtime and planning, because patches can cause critical business functions to stop working. Sometimes the assets that need patching are not known to the IT department, or responsibility for patching them has not been clearly defined. Often systems or devices are outdated and can no longer be patched at all.
During our security and compliance assessments, we often see a solid operating system patching program alongside many missing patches on hypervisors, devices, applications, firmware, and so forth.
What do you need to consider to make sure you have an appropriate patching program?
- Do you have a complete asset inventory of all things that need patching?
- Is the patching responsibility for all assets clearly defined?
- Is there a patch plan for each type of system or device?
- Are there methods of testing patches prior to deployment?
- Do you have any compensating controls for outdated systems that can’t be patched?
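The five questions above can be turned into a repeatable gap check against an asset inventory. The following Python script is an added example, not code from the original post: it runs each question over a constructed inventory and reports assets with no patch owner, asset types with no patch plan, stale or unknown patch status, and end-of-life assets that lack compensating controls. The asset records, the `MAX_PATCH_AGE_DAYS` policy values and the reference date are all constructed assumptions for illustration.

```python
"""Patch-program gap report over a constructed asset inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    kind: str                      # "os", "hypervisor", "firmware", "app", ...
    owner: Optional[str]           # team responsible for patching, None if undefined
    last_patched: Optional[date]   # None if never patched or status unknown
    end_of_life: Optional[date]    # vendor support end; None while still supported
    compensating_controls: list = field(default_factory=list)

# Assumed policy: maximum tolerated patch age per asset type. An asset type
# missing from this table has no patch plan at all.
MAX_PATCH_AGE_DAYS = {"os": 30, "hypervisor": 60, "firmware": 180, "app": 30}

# Constructed reference date and inventory (not real assets).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("web-01", "os", "platform", date(2024, 5, 20), None),
    Asset("esx-01", "hypervisor", None, date(2024, 1, 15), None),
    Asset("plc-07", "firmware", "ot", date(2021, 1, 1), date(2022, 12, 31)),
    Asset("badge-ctrl", "iot", "facilities", None, None),
    Asset("legacy-erp", "app", "finance", date(2020, 3, 1), date(2021, 6, 30),
          ["network segmentation", "application allow-listing"]),
]

def assess(assets, today):
    """Return (asset name, finding) pairs, one per checklist gap found."""
    findings = []
    for a in assets:
        # Q2: is patching responsibility defined?
        if a.owner is None:
            findings.append((a.name, "no patch owner defined"))
        # Q3: is there a patch plan for this type of asset?
        if a.kind not in MAX_PATCH_AGE_DAYS:
            findings.append((a.name, f"no patch plan for asset type '{a.kind}'"))
        # Q5: end-of-life assets cannot be patched; they need compensating controls.
        if a.end_of_life is not None and a.end_of_life <= today:
            if not a.compensating_controls:
                findings.append((a.name, "end-of-life with no compensating controls"))
            continue  # patch age is meaningless for an unpatchable asset
        # Q1 (inventory completeness) shows up here as unknown patch status.
        max_age = MAX_PATCH_AGE_DAYS.get(a.kind)
        if max_age is not None:
            if a.last_patched is None:
                findings.append((a.name, "patch status unknown"))
            elif (today - a.last_patched).days > max_age:
                findings.append((a.name, f"patch older than {max_age} days"))
    return findings

def report(assets=SAMPLE_INVENTORY, today=TODAY):
    """Convenience wrapper so the sample inventory can be assessed directly."""
    return assess(assets, today)

if __name__ == "__main__":
    for name, finding in report():
        print(f"{name:12s} {finding}")
```

Feeding a real inventory export into `assess` in place of `SAMPLE_INVENTORY` makes the checklist a scheduled control rather than a one-off review; the unpatchable `legacy-erp` entry shows that a documented compensating control, not a patch, is what closes the gap for end-of-life assets.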
By no means are we saying not to make patching a critical part of your security program. What we are saying is don’t just rely on automatic updates to keep your systems safe.