Skip to main content

6 Common Patch Management Mistakes to Avoid

Patch management is like painting or gardening: At first glance, it may seem like routine and straightforward work. But in practice, it can prove much more challenging than it looks. Just as lack of prep work can spell disaster for a paint job, or forgetting to water and weed regularly can turn your garden into an eyesore, software patching mistakes may severely hamper your ability to carry out what should be the simple task of keeping apps up-to-date.

Keep reading for a look at the most common patch management oversights I’ve encountered in my career as an IT director, along with tips on how organizations can avoid them.

  1. Not having a patching strategy

Probably the most common software patching mistake is lacking a coherent patching strategy.

Lack of strategy doesn’t mean that patching doesn’t happen at all. It means that patching occurs in an ad hoc fashion, without clear guidelines in place about when, how and how often an organization will apply patches.

To avoid this mistake, develop a clear set of patching controls and policies that define how your team will approach patching. Your strategy should reflect your capabilities and limitations; for example, smaller IT departments may not be able to apply every patch as quickly as it appears, so their strategies should identify which types of apps or patches they will prioritize.

Even if your patching strategy doesn’t include all of the practices that it would if you had unlimited resources, simply developing a plan that all stakeholders – IT leaders, practitioners and business executives – can support and lays the foundation for effective patching.

  1. Not leveraging patch automation

There are many ways to automate software patching. You could use simple Remote Monitoring and Management (RMM) software to deploy patches to remote systems. You could rely on patching services built into the OS, like Windows Server Update Services, if they are available and cover the software you need to manage. Or you could adopt a tool purpose-built for patching, which is usually the best way to achieve the broadest coverage and the highest degree of automation.

But whichever type of patch automation tool you choose, your goal should be to ensure that you have at least some automations in place. Modern patch automation software is so reliable, and so inexpensive, that there’s simply no excuse for a primarily manual patching routine.

  1. Being too afraid of bad patches

There is always a risk that a patch could cause more problems than it solves. It’s important to balance that risk by testing patches beforehand to the extent possible, as well as being strategic about when you apply patches. You may not want to patch a mission-critical system in the middle of a workday, for example.

That said, it’s equally critical to avoid a patching posture where you are so worried about the risks of a buggy patch that you fail to apply patches within a reasonable timeframe. If you leave major problems unpatched for too long, you may suffer severe security or performance issues.

On this front, it’s important to take context into account by assessing how important a given patch is. Performing more thorough testing on a patch that addresses a lower-priority bug may be feasible, whereas a patch for a severe zero-day security vulnerability is typically one that you’d want to install as quickly as possible, even if it means performing minimal patch testing beforehand.

  1. Relying on users to install patches

A common patching mistake that I’ve seen among smaller organizations is effectively to outsource responsibility for patch management to end-users. For example, IT departments that lack the personnel to manage patches proactively may tell employees that it’s their responsibility to ensure they install patches whenever an app prompts them to do so.

The risks of this practice are obvious enough: Many users won’t actually install patches routinely, either because they don’t know how or they worry that patches will disrupt their workflows.

On top of that, there is the problem that installing patches often requires users to have admin rights – so if you push responsibility for patching onto your users, you need to grant them admin access to their machines. That in itself is a major risk because giving users admin permissions increases the risk that attackers who compromise their accounts will take full control of their systems.

A better approach is to automate patching using tools that can deploy patches on employees’ computers for them, without requiring the employees to have admin rights. That way, you can patch at scale even if you have limited IT resources, and you don’t have to accept the risk of users with admin accounts.

  1. Lack of patch monitoring and auditing

Successful installation of a patch doesn’t mean that IT personnel can move on and never think about the patch again. On the contrary, it’s critical to monitor and audit systems after installing patches so that you can detect any performance or security quirks that might emerge due to a patch.

Even if you carefully tested the patch beforehand, there is always the risk that the patch might have unintended consequences. Patch monitoring and auditing allows teams to get ahead of those issues before they send users flocking to the help desk or disrupt business operations.

  1. Ignoring patches from certain vendors

Some software vendors have extensive resources and release patches on a routine basis. Others are much smaller and may only produce patches irregularly.

For IT departments, it can be tempting to ignore the latter type of patches. After all, if your vendor doesn’t push out patches frequently, installing them may not seem very important.

The reality, though, is that it’s often extra important to install patches from vendors with limited resources because their patches tend to be especially critical. When a smaller company with a spotty history of patch releases introduces a new patch, you ought to pay attention and prioritize the patch.

You may also want to step back and evaluate whether to keep working with a vendor that doesn’t release patches often or regularly. But in the short term, make sure to close any vulnerabilities when new patches appear, no matter who the vendor is.

Conclusion: Patching as the foundation for modern security

The consequences of failing to patch effectively can be severe. Not only does ineffective patch management leave apps at risk of security and performance bugs, but it may also mean that your company won’t be covered by cybersecurity insurance in the event of an attack.

Avoid that risk by developing a patching strategy that allows you to patch efficiently and scalably by taking advantage of automation wherever possible to apply all available patches to all relevant endpoints within a timeframe that reflects the criticality of each patch.

The post 6 Common Patch Management Mistakes to Avoid appeared first on SD Times.



from SD Times https://ift.tt/6Tmy1fk

Comments

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20