Get a glimpse inside the e-book "The complete patch management book" by Anne Stanton, president of Norwich Group, and Susan Bradley, Microsoft Small Business Server MVP. This series of book excerpts will help you navigate Chapter 1, "What is patch management?," courtesy of Ecora. Click for the complete book excerpt series.
What is patch management?
We define patch management as "the act, manner or practice of managing, handling, supervising and controlling the application of code to software in order to fix a bug, especially as a temporary correction between two releases."
Many in our industry consider that patch management means applying security fixes that are typically not temporary corrections. In fact, patch management and its processes include the entire area of introducing "new code" into an existing environment.
While this document focuses primarily on tools used for testing, supporting and evaluating Microsoft security patches, the basic concepts are the same for all software systems. IT managers and admins must logically control the introduction of new code into a network.
Computers drive world business. No longer can a financially healthy firm exist without technology. Further, maintaining, protecting and securing computer systems is, as recent legislative initiatives make clear, simply good business. A computer, like any mechanical device, requires regular maintenance. Applying patches to systems that connect to the Internet is simply and fundamentally mandatory. Period.
This document focuses only on the processes and procedures for patch management. We assume that you have taken steps to harden systems, apply firewalls and install antivirus protection. Patch management is only one of the steps needed to protect an environment, but it is an essential element nonetheless. We also assume that you understand the "business" reason for patching and that you have the proper buy in from management to add patch management to your security processes.
Some security vendors recommend installing the bare minimum of patches; however, that still means that you must rely upon consistent and appropriate processes and procedures.
History of patching
The CERT Guide to system and network security practices has small sections on software patches. The author, Julia Allen recommends applying patches on redundant or duplicate systems before applying them to main production machines. Any vendor service level agreement (SLA) should clearly state that firewalls should remain in place during installation of operating system patches. Allen further argues that those in charge of firewall operating systems and software need to review those devices as well for updates. Not too long ago, "best practices" meant not applying software patches in a piecemeal manner, but waiting for the cumulative security patch that, presumably, was more tested. Now, delay and deferral invite crisis.
Footnotes: "Threats and countermeasures: Security settings in Windows Server 2003 and Windows XP," (Redmond, WA: Microsoft, Inc., 2004); Allen, Julia H. The CERT "Guide to system and network security practices," New York: Pearson Education, 2001.
Click for the next excerpt in this series: Definition of Microsoft patches
Click for book details or get more information from Ecora.