Keeping Security Up-to-Date
Success Steps for Updating and Patching Your Systems
- Identify all software and firmware in your company. Remember operating systems, server applications, and desktop applications.
- Create a list of every item that requires patching: servers, PCs, IoT, and mobile devices.
- Create a patch strategy that covers everything, including all hardware-based appliances such as firewalls, routers, SANs, NASes, and IoT devices.
- Establish a regularly scheduled routine every month to patch your systems.
- If you have multiple servers, identify every dependency that must be satisfied on restart (for example, a database server that must be up before the application servers that use it). Remember that you will restart all your systems in reverse order.
- Every update has instructions. Read them entirely so that you understand all the implications of deploying the particular set of patches. It is good to apply patches promptly, but unless there is an imminent threat, don’t rush to implement the updates/patches as they may cause issues. I recommend waiting 7-14 days after the release to deploy them.
- Test all patches before applying them to your production system. If you do not have a test environment, some companies provide patching and testing services.
- During the testing process, you can determine whether the computers will require a manual reboot or will reboot automatically. If a restart is necessary, be sure you plan for a maintenance window. Otherwise, you might experience unexpected system reboots that will interfere with business operations or damage your databases. 90 percent of all patch deployments will require restarts.
- After you have applied patches, run a smoke testing procedure to make sure all applications and services are back online and running correctly once servers and PCs have restarted.
- Change Management is essential but often overlooked.
- Notify your end-user community of your planned time frame for patch deployment, so they know what to expect. When patching workstations, remind the users just before patching to save all documents, close all applications, and log out of their workstation. Remind them NOT TO SHUT THE PC DOWN. Explain what they should do if they encounter a problem after the patch deployment.
- Have an excellent roll-back plan. A roll-back plan allows you to quickly reverse the patches and return to the pre-patched system if there is a significant problem with the deployment. Proper patching tools and procedures will allow for a roll-back of updates/patches.
- Have a proper backup of all your systems. Remember to take an image snapshot of your servers before deploying any patches. Verify whether any auto-scheduled maintenance jobs are running. If you find any maintenance jobs scheduled, be sure to put them on hold, as they can interfere with updates if left running.
- Use a patching service or automated tools whenever possible. Don’t use tools like Auto-Update unless you can control when patches are applied.
- Review the patching report after deployment and look for patches that failed to install. Investigate the reason they were unable to deploy. Develop a remediation plan, and then redeploy them.
- Make sure you accommodate your exceptions. Sometimes you will have servers or applications that are incompatible with the updates and, if deployed, will interfere with a critical application that is in use. If you run into this problem, be sure you have an alternative strategy for securing those systems from the vulnerability that is currently exposed by the inability to patch the software.
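As an added example (not part of the article), a small Python helper that applies three of the steps above: the 7-day hold after release with an override for imminent threats, the exception list of systems that need a compensating control until they can be patched, and triage of a post-deployment report by failure reason and pending reboot. The inventory rows, report line format, patch ids and hostnames are constructed for illustration and are not from any real patching tool.

```python
from collections import defaultdict
from datetime import date, timedelta

HOLD_DAYS = 7  # the article's minimum soak time after release (7-14 days)
TODAY = date(2024, 3, 14)  # constructed "today" for the sample cycle

# Constructed inventory: one row per patch/host pair known to the patch tool.
# "exempt" marks the article's exceptions: hosts that cannot take this patch.
INVENTORY = [
    {"patch": "PATCH-A", "released": date(2024, 3, 1), "imminent": False, "host": "srv-app01", "exempt": False},
    {"patch": "PATCH-A", "released": date(2024, 3, 1), "imminent": False, "host": "srv-db01", "exempt": True},
    {"patch": "PATCH-B", "released": date(2024, 3, 12), "imminent": True, "host": "srv-app01", "exempt": False},
    {"patch": "PATCH-C", "released": date(2024, 3, 13), "imminent": False, "host": "pc-042", "exempt": False},
]

# Constructed post-deployment report, one line per attempted install.
REPORT = """\
srv-app01 PATCH-A OK reboot=yes
srv-app01 PATCH-B OK reboot=yes
pc-042 PATCH-C FAILED reason=disk_full
pc-043 PATCH-C FAILED reason=disk_full
pc-044 PATCH-C FAILED reason=offline
""".splitlines()


def due_patches(inventory, today, hold_days=HOLD_DAYS):
    """Patch/host pairs to deploy this cycle: past the soak period (or flagged
    as an imminent threat, which skips the wait) and not an exception."""
    due = []
    for row in inventory:
        if row["exempt"]:
            continue
        if row["imminent"] or row["released"] + timedelta(days=hold_days) <= today:
            due.append((row["patch"], row["host"]))
    return due


def exceptions(inventory):
    """Exempt pairs: each needs a compensating control until it can be patched."""
    return [(r["patch"], r["host"]) for r in inventory if r["exempt"]]


def triage_report(lines):
    """Group failed installs by reason (input to the remediation plan) and list
    hosts that still need a reboot before the patches are fully applied."""
    failed, reboot = defaultdict(list), set()
    for line in lines:
        host, patch, status, extra = line.split()
        key, _, value = extra.partition("=")
        if status == "FAILED":
            failed[value].append((host, patch))
        elif key == "reboot" and value == "yes":
            reboot.add(host)
    return dict(failed), sorted(reboot)
```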