.

Patch Management

<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Jan 14, 2010 12:29 pm

Patch Management

Hello All,

If you guys don't mind, I was wondering if people could share there advice and their experience on patch management.  How often they patch their systems, every day, week, quarter, etc?  What tools they use and their experiences with those tools?  Whether they concentrate on critical patches instead installing all patches?

Thanks in advance.
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

kennut

User avatar

Newbie
Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Fri Jan 15, 2010 4:28 am

Re: Patch Management

hello,

normally we suggest them to test the patches first before applying them. It would be good if they are tested in a test server (if they have spare servers).

In addition, critical patches should be checked with the vendor first (assuming you have some applications running above the O/S, therefore, it's good to ask them before applying, otherwise, you may have problems like blue screen or some services not running etc. (Bear in mind, all IT Dept will not do the patch because they'll say, if it's not broken, why fix it, (meaning, they're scared if things goes down, so give them OT to work on the recovery.....), however, the should get the approval or rationale for patching/not patching the updates etc.

Also document the patches before/after, so you got a trail on that. and of course all patches should be approved by the management.

Thanks.
Done all 3 certs, now going for CISSP.....
<<

unsupported

User avatar

Sr. Member
Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Jan 15, 2010 6:53 am

Re: Patch Management

A certain company I may or may not be familiar with, has used various patch management tools, from rolling our own, Bladelogic, Patchlink, and SMS for OS and common applications  Before any system is deployed, there is a risk assessment done on it, part of which involves a miniumum level of patching.

We patch the week following M$ Patch Tuesday.  I believe other applications are caught in our defense in depth strategy of vulnerability scanning.  If there is a known high or medium level vulnerability with an associated patch, then it is applied.  (Unless it is a business critical application and nobody wants to take the blame for something going wrong)

It helps that there are corporate policies in place which outline that patch management must be performed on a regular basis, it's up to the individual areas to figure it out for themselves.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Thu Jan 21, 2010 10:43 am

Re: Patch Management

In my opinion this really depends on the environment you are working in, the type of business you conduct and the methods used.
If you can share some more information, perhaps in a generic way, you can get some more targeted responses.

Ultimately its going to come down to the risk appetite of the business, how the organisation is structured, segmentation of the infrastructure, testing capabilities and budget.

Patch management is still something that so many organisations fail to do well, but at the same time it can be very simple.

Look forward to hearing more from you.
<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Fri Jan 22, 2010 8:47 am

Re: Patch Management

Thank you everyone for the replies.  I agree that patch management depends on the policies of the organization. I thought it was a good question to ask the community since it is such an important procedure for an organization with a security conscience. I know companies have different ways and applications of accomplishing it.  I have seen SMS, shavlik, WSUS, Altiris, BigFix, etc. I was wondering if anyone was partial to one of them and why? 

Also, I have seen people argue how often it should be done due to the testing required to install patches. Personally, I think once testing is done, you can install all tested patches.  You never know if a low priority patch can be used for a higher vulnerability. 

That is why I just wanted to see how other security minded people handled the task. Also, I think VMware is perfect for patch management because of snapshot.  It is faster than using Ghost or Clonezilla.

Again, I want to say thanks for the comments.
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Jan 26, 2010 9:19 am

Re: Patch Management

Personally I think WSUS is a good solution if your a Windows shop, however what ever works for the organisation is a good way to proceed.
I agree a VM environment can provide an excellent platform for multiple testing, rollbacks, etc a breeze, however I have seen on the odd occasion hardware issues with patching, so there is sometimes value in hardware based testing, especially if you have adopted standard hardware and this isnt a huge amount of devices.

Security Patching is important, however many organisations still do not treat it with the attention it deserves. Keeps us in a job though :)

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software