Software Patch Testing Procedure
Six steps for security patch management best practices

January's SQL Slammer worm reminded us of the importance of patching vulnerabilities in computer software. Most successful computer attacks exploit well-known vulnerabilities for which patches already exist. The problem is that hundreds of patches are released each month, many of which apply to the OSes and applications residing on your organization's network. How do you know which patches to install and which to ignore? And what is the proper order and process for installing them?

Patch management is a complex process, and I can't cover all the variables here. But I can distill the process into six general steps. The importance of each stage of the patch process, and the amount of time and resources you should spend on it, will depend on your organization's infrastructure, requirements and overall security posture.

Step 1: Develop an up-to-date inventory of all production systems, including OS types and versions, IP addresses, physical location, custodian and function. Commercial tools ranging from general network scanners to automated discovery products can expedite the process (see Resources, below). Inventory your network periodically, not just once; an inventory that has drifted from reality will cause you to miss affected systems in step 4.

Step 2: Devise a plan for standardizing production systems on the same version of OS and application software. The smaller the number of versions you have running, the easier your job will be later: fewer combinations to test a patch against, and fewer alerts that apply to only a handful of odd machines.

Step 3: Make a list of all the security controls you have in place: routers, firewalls, IDSes, AV, etc. Don't forget to include system hardening or nonstandard configurations in your list of controls. This list will help you decide how to respond to a vulnerability alert, if at all. For example, let's say you learn that OpenSSH has a vulnerability that may allow a buffer overflow attack, but from your list of controls you know you don't allow the Secure Shell (SSH) protocol through your firewall. If nothing else, that knowledge gives you more time to react. Note that it buys time rather than eliminating the exposure: the service is still vulnerable to anyone already inside the perimeter, so the patch still belongs on your list.

Step 4: Compare reported vulnerabilities against your inventory/control list. There are two key components to this. First, you need a reliable system for collecting vulnerability alerts. Second, you need to separate the vulnerabilities that affect your systems from those that don't. Some companies have staff dedicated to managing this process; others use vulnerability reporting services.

Step 5: Classify the risk. Assess the vulnerability and the likelihood of an attack in your environment. Perhaps some of your servers are vulnerable, but none of them is mission-critical. Perhaps your firewall already blocks the service exploited by the vulnerability. In general, to classify and prioritize the risk, consider three factors: the severity of the threat; the likelihood of it impacting your environment, given its global distribution and your inventory/control list; and the level of vulnerability.

Step 6: Apply the patch. OK, so now you have an updated inventory of systems, a list of controls, a system for collecting and analyzing vulnerability alerts and a risk classification system. You've determined which patches you need to install. Now comes the hard part: deploying them without disrupting uptime or production. Fear not, there are several tools that can help you with the actual patch process (see Resources, below). Evaluate these tools in terms of how well they fit your environment and budget. In some cases, manual patch maintenance may be more cost-effective. But in most cases, particularly for multiple servers or server farms distributed across multiple locations, some type of automated patch system will more than pay for itself.

Vulnerability and patch management isn't easy. In fact, in today's computing environment, it's a never-ending cycle. But by following these general steps, you'll be way ahead of the curve when the next worm comes knocking at your network door.

About the author: Fred Avolio is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.
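As a worked illustration of steps 4 and 5 above (and of how the step 1 inventory and step 3 control list feed into them), here is a small Python script added to this page; it is example code, not the author's own tooling. Every host, IP address, firewall rule, alert, version number, severity rating and scoring weight in it is constructed for the illustration, and the thresholds that map a score to a priority are an assumption rather than anything the article prescribes.

```python
"""Worked example for steps 4 and 5: match vulnerability alerts against the
inventory (step 1) and control list (step 3), then classify and prioritize
the resulting risk.

Example code added to illustrate the article; not the author's tooling.
All hosts, firewall rules, alerts, versions, severities and scoring weights
are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]   # assumption: versions already parsed into int tuples


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    function: str
    criticality: int               # 1 (lab box) .. 5 (mission critical)
    software: Dict[str, Version]   # product -> installed version


@dataclass(frozen=True)
class Alert:
    product: str
    fixed_in: Version          # first version that carries the patch
    severity: int              # 1 (low) .. 5 (remote code execution, wormable)
    service_port: int          # port the vulnerable service listens on
    exploit_in_the_wild: bool  # the threat's "global distribution"


# Step 1 output (constructed): the production inventory.
INVENTORY: List[Host] = [
    Host("web1", "10.0.1.10", "public web server", 5,
         {"openssh": (3, 5, 0), "apache": (1, 3, 27)}),
    Host("db1", "10.0.2.20", "customer database", 5, {"openssh": (3, 7, 1)}),
    Host("bastion", "10.0.1.5", "admin jump host", 4, {"openssh": (3, 5, 0)}),
    Host("lab3", "10.0.9.30", "test box", 1, {"openssh": (3, 4, 0)}),
]

# Step 3 output (constructed): the only control modelled is the perimeter
# firewall's inbound policy, as the TCP ports allowed in from the Internet.
FIREWALL_INBOUND: Dict[str, Set[int]] = {
    "web1": {80, 443}, "db1": set(), "bastion": {22}, "lab3": set(),
}

# Step 4 input (constructed): two alerts from the vulnerability feed.
ALERTS: List[Alert] = [
    Alert("openssh", fixed_in=(3, 7, 1), severity=5, service_port=22,
          exploit_in_the_wild=True),
    Alert("apache", fixed_in=(1, 3, 28), severity=3, service_port=80,
          exploit_in_the_wild=False),
]


def affected(host: Host, alert: Alert) -> bool:
    """Step 4: the host runs the product at a version below the fixed one."""
    installed = host.software.get(alert.product)
    return installed is not None and installed < alert.fixed_in


def reachable(host: Host, alert: Alert, firewall: Dict[str, Set[int]]) -> bool:
    """Step 3 applied: the vulnerable service is exposed through the firewall."""
    return alert.service_port in firewall.get(host.name, set())


def classify(host: Host, alert: Alert, firewall: Dict[str, Set[int]]) -> dict:
    """Step 5: combine threat severity, likelihood and exposure into a score.

    Weights are an assumption for the illustration: an exploit in the wild
    doubles likelihood, an Internet-reachable service doubles exposure, and
    host criticality scales the result. A blocked service is a mitigation
    that buys time; it does not remove the vulnerability, so the finding is
    kept and flagged rather than dropped.
    """
    likelihood = 2 if alert.exploit_in_the_wild else 1
    exposure = 2 if reachable(host, alert, firewall) else 1
    score = alert.severity * likelihood * exposure * host.criticality
    if score >= 80:
        priority = "emergency"      # out-of-cycle change
    elif score >= 30:
        priority = "next window"    # next scheduled maintenance window
    else:
        priority = "routine"        # fold into the regular patch cycle
    return {"host": host.name, "product": alert.product,
            "installed": host.software[alert.product],
            "fixed_in": alert.fixed_in, "score": score,
            "priority": priority, "mitigated": exposure == 1}


def patch_plan(inventory: List[Host], alerts: List[Alert],
               firewall: Dict[str, Set[int]]) -> List[dict]:
    """Steps 4 and 5 end to end: findings for affected hosts, highest risk first."""
    findings = [classify(h, a, firewall)
                for a in alerts for h in inventory if affected(h, a)]
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))


if __name__ == "__main__":
    for f in patch_plan(INVENTORY, ALERTS, FIREWALL_INBOUND):
        note = "  (service blocked at firewall)" if f["mitigated"] else ""
        print(f'{f["priority"]:12} {f["host"]:8} {f["product"]:8} '
              f'{f["installed"]} -> {f["fixed_in"]}  score={f["score"]}{note}')
```

Run as is, the script ranks the jump host's OpenSSH (reachable on port 22, exploit circulating) as an emergency, puts the web server's OpenSSH in the next window despite the same severity because the firewall blocks port 22, and drops the fully patched database server from the list. In a real deployment the inventory and firewall policy come from the tools of steps 1 and 3 rather than literals, and version strings such as a vendor's "3.7.1p2" need a proper version parser before the tuple comparison used here is safe.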