Why and When? Upgrades, Updates and Patches

Hi. Craig Peterson here with a blink into understanding Upgrades, Updates, and Patches. When/How/Why’s

When vendors become aware of vulnerabilities in their products, they often issue patches to fix those vulnerabilities. Patches tend to be small changes to their software to fix one specific problem, often the problem is a zero-day cybersecurity vulnerability.

Sometimes the problem is too big to issue a quick patch. This is where Updates come in. Usually updates involve fundamental changes in the way the software works, and this is often because of a design flaw in the software.

Upgrades typically are related to new functionality, and although they may have some security improvements, they are not issued just to fix a cybersecurity vulnerability.

Every piece of software needs updates or patches from time-to-time to fix vulnerabilities. Some software, such as Microsoft’s Windows Operating System, can automatically install its own patches. But these updates only apply to the Operating System itself.

Software such as Adobe Reader, Java, and Flash do NOT get updates when Windows updates. In fact, to stay safe, you might want to remove all three pieces of these security-challenged software from all of your computers.

Steps to take:

Enable automatic software updates on all your software.
Do not use unsupported End-of-Life software.
Always visit vendor sites directly rather than clicking on advertisements or email links.
Avoid software updates while using untrusted networks.

Successful Updates and Patches

1. Awareness

Be aware of what is out there.
Subscribe to mailing lists that keep track of vulnerabilities, even when patches aren’t released yet.

2. Remember those applications

Applications are the new target for exploits, primarily when they rely on open or execute file types.
Windows Update takes care of your operating system and Microsoft applications. Still, almost every computer on your network will have third-party applications, including PDF readers, media players, and other business operation applications.
Stay on top of patches for all the apps that are integral to your business operation.

3. Test before you deploy

All vendors test their patches/updates they release them. It is impossible for a vendor can check for every possible combination of hardware, application, and drivers, and they definitely cannot test the proprietary applications that you have internally developed.
You must have a set of machines that you deploy patches first to check to make sure you are not introducing any problems to your systems.
Take advantage of virtualization technologies when you can

4. Schedule all Your Maintenance Windows

Remember that patching requires time, bandwidth, and reboots. Each of these can interrupt normal business processes.
Most companies run their business 24×7. So you need to have some established maintenance windows for routine patching. Then you must create a means to push emergency patches if there is a zero-day exploit.
Using a scheduled maintenance window, allows business operations to plan for at least be prepared for any potential disruptions when critical systems reboot after patching.

5. Use a patch management system

Manual patching is time and labor-intensive, error-prone, and impossible to report accurately.
There are several excellent low-cost patching systems available on the market. These systems push patches, audit systems, and generate necessary reports used by management for regulatory compliance assessments.

6. Be sure to have a roll-back plan

No amount of preparation or testing can prevent the occasional issue that requires you to roll-back a patch.
Push patches only when everyone is aware so that if problems crop up after deployment, you plan to check those patches and to uninstall them if necessary.