Keeping Security Up-to-Date

Hi. Craig Peterson here with a blink into upgrades, updates, and patches.
 
Do you know which ones to pay attention to?
 
I’m sure you’ve heard about the Equifax breach. The records of 140 million Americans, along with those of some British and Canadian citizens, were stolen.
 
How?
 
Upgrades, updates, and patches.
 
It’s hard to know which ones are important to you. Which will break your system, which will stop the hackers, and which do you need to install right away?
 
Like many of us, Equifax was afraid to apply an upgrade to their internet-facing computer systems. How many of us have been worried that an upgrade or update might break our system?
 
According to HousingWire.com, Equifax’s delay in installing the upgrade cost the company more than $1.7b in all.
 
You’re not Equifax, but you may be just as vulnerable.
 
Make sure you turn on automatic updates on all your devices. Microsoft, Apple, and Android all offer automatic updates for some of their devices. Of the three, Apple is the most consistent with security updates that just work.
 
Problems with upgrades, updates, and patches for smartphones and computers are mostly a thing of the past.
 
And then there’s the Internet of Things. When did you last update the firmware in your router, Wi-Fi, or thermostat? They may be even more vulnerable than your computer.
 

Success Steps for Updating and Patching Your Systems

  1. Identify all software and firmware in your company. Remember operating systems, server applications, and desktop applications.
  2. Create a list of every item that requires patching: servers, PCs, IoT, and mobile devices.
  3. Create a strategy for patching everything, including all hardware-based appliances such as firewalls, routers, SANs, NASes, and IoT devices.
  4. Establish a regularly scheduled routine every month to patch your systems. 
  5. If you have multiple servers, you must identify any/all dependencies required on restart. Remember that you will restart all your systems in reverse order.
  6. Every update has instructions. Read them entirely so that you understand all the implications of deploying the particular set of patches. It is good to apply patches promptly, but unless there is an imminent threat, don’t rush to implement the updates/patches as they may cause issues. I recommend waiting 7-14 days after the release to deploy them.
  7. Test all patches before applying them to your production system. If you do not have a test environment, some companies provide patching and testing services.
  8. During the testing process, you can determine if the computers will require a manual reboot or if they will automatically do one. If a restart is necessary, be sure you plan for a maintenance window. Otherwise, you might experience unexpected system reboots that will interfere with business operations, or that will damage your databases, etc. 90 percent of all patch deployments will require restarts.
  9. After you have applied patches, utilize a smoke testing procedure to make sure all applications and services are back online and running correctly when servers and PCs restart.
  10. Change Management is essential but often overlooked.
  11. Notify your end-user community of your planned time frame for patch deployment, so they know what to expect. When patching workstations, remind the users just before patching to save all documents, close all applications, and log out of their workstation. Remind them NOT TO SHUT THE PC DOWN. Explain what they should do if they encounter a problem after the patch deployment.
  12. Have an excellent roll-back plan. A roll-back plan allows you to quickly reverse the patches and go back to the pre-patched system if there is a significant problem with the deployment. Proper patching tools and procedures will allow for a roll-back of updates/patches.
  13. Have a proper backup of all your systems. Remember to take an image snapshot of your servers before deploying any patches. Verify whether there are any auto-scheduled maintenance jobs running. If you find any maintenance jobs scheduled, be sure to put them on hold, as they can interfere with updates if left running.
  14. Use a patching service or automated tools whenever possible. Don’t use tools like Auto-Update, unless you can control when patches are applied.
  15. Review the patching report after deployment and look for patches that failed to install. Investigate the reason they were unable to deploy. Develop a remediation plan, and then redeploy them.
  16. Make sure you accommodate your exceptions. Sometimes you will have servers or applications that are incompatible with the updates and, if deployed, will interfere with a critical application that is in use. If you run into this problem, be sure you have an alternative strategy for securing those systems from the vulnerability that is currently exposed by the inability to patch the software.
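
Step 5 can be turned into a repeatable plan. The following is an added example, not part of the original article: it builds a shutdown and start-up sequence from a dependency map, assuming "reverse order" means systems come back up in the reverse of the order they were shut down. The host names and the dependency map are constructed for illustration.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample inventory: each host maps to the hosts that must be
# running before it can start (hypothetical names, not from the article).
DEPENDS_ON = {
    "san01": [],
    "db01": ["san01"],
    "auth01": ["db01"],
    "app01": ["db01", "auth01"],
    "web01": ["app01"],
    "backup01": ["san01"],
}

def start_order(depends_on):
    """Return hosts ordered so every host starts after its dependencies."""
    listed = set(depends_on)
    unknown = {d for deps in depends_on.values() for d in deps} - listed
    if unknown:
        # A dependency that is not in the inventory means step 1 is incomplete.
        raise ValueError(f"dependencies missing from inventory: {sorted(unknown)}")
    try:
        return list(TopologicalSorter(depends_on).static_order())
    except CycleError as exc:
        # exc.args[1] holds the hosts that form the loop.
        raise ValueError("circular dependency: " + " -> ".join(exc.args[1])) from exc

def shutdown_order(depends_on):
    """Dependents go down first, so shutdown is the start order reversed."""
    return list(reversed(start_order(depends_on)))

def restart_plan(depends_on):
    """Full maintenance-window sequence: stop everything, then start it again."""
    plan = [("stop", host) for host in shutdown_order(depends_on)]
    plan += [("start", host) for host in start_order(depends_on)]
    return plan

if __name__ == "__main__":
    for step, (action, host) in enumerate(restart_plan(DEPENDS_ON), 1):
        print(f"{step:2d}. {action:5s} {host}")
```

A missing or circular dependency raises an error instead of producing a plan, which is the point at which to fix the inventory before the maintenance window rather than during it.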