The criticality of OS patching in IT security management cannot be overstated, especially now when the increase in BYOD has seen more device operating systems connecting to company networks, increasing your attack surface. There's also a wide variety of operating systems out there - Microsoft continues to be dominant, but macOS and Linux distros have grown in market share, so most organizations run a mixed OS environment, which increases complexity and, with that, potential risk.
This blog will look at the basics of OS patching and how to do it effectively.
OS patching is the practice of applying software patches to the operating systems installed in your environment to ensure they remain safe, secure, and protected from external threats. The IT landscape is changing. BYOD, OS diversity, and even end users accessing corporate systems via public networks all present challenges for IT departments trying to keep track of increasingly complex infrastructure and dependencies. With increased complexity comes an increased risk of cyber threats to the service ecosystem, along with the added work of keeping track of new OS patch releases from vendors and suppliers. With those challenges in mind, staying current with cross-platform patch management and building a robust approach to patching have never been more relevant.
Done well, OS patching can be the difference between a well-supported environment and one that is susceptible to unplanned downtime and performance issues. Here are some of the critical benefits of a robust approach to OS patching:
Compliance: Many organizations now have regulatory requirements or insurance directives mandating a regular patching regime. Non-compliance can lead to severe penalties.
Availability: The sad truth is that as an IT professional, you are only as good as your last issue. Keeping your systems patched will prevent extended downtime due to security threats and remedial maintenance/emergency patch activity.
Performance: Devices can crash due to software defects, so keeping your services patched means they are updated with the latest bug fixes and are more secure.
Security: A common cause of network security breaches is missing patches in operating systems. Having a regular patch schedule means installing updates promptly, reducing the opportunity for data loss and damage to your infrastructure.
New features: Patches are not always about protection from malware or fixing bugs. Sometimes patches can include new features that can give users greater functionality.
Here are some of the most common patching challenges and how to handle them:
No appetite for maintenance windows
It is not always easy to justify regular downtime for maintenance, especially as many organizations are feeling the pinch in a post-pandemic economy. Remind the business of the longer downtime following a virus, cyber-attack, or ransomware incident. Work with your change management team to agree on a maintenance window acceptable to all parties.
Keeping track of OS patches from different vendors
Understanding what patches are outstanding is a crucial activity for technical teams to be able to prioritize support activity. Keeping patching records is more challenging when end users run on multiple systems and devices and work on potentially less secure networks. Have a plan for tracking patches by compiling status reports to keep on top of the patch status across your infrastructure.
An essential element of OS patching is testing patches to ensure they are compatible with your environment. Build dedicated test environments for each platform to ensure patches are thoroughly tested before they are released to your live environment.
Are you inspired to sort out your OS patching process once and for all? Here are some tips for getting started.
Do enable automatic software downloads whenever possible to ensure critical updates are installed as quickly as possible.
Don’t forget about testing the patches before deploying them to end user systems.
Don't use unsupported or EOL (end-of-life) software.
Do use secure vendor servers for patches and software updates.
Don’t install patches from unknown links or ad content.
Do communicate patch windows beforehand and agree to any potential downtime with the rest of the business.
Don't download software updates to devices while on untrusted networks.
Do prioritize systems for patching so you know which have the highest risk or are most sensitive to the organization.
Don't try and patch everything. Not all vulnerabilities will be exploitable in your environment, so check if the patch is needed first.
Do apply patches as soon as possible (once you have confirmed they are needed). Deploy operating system patches immediately when they are released, since the flaws they fix can have severe and widespread effects.
Do build in some flexibility by using pull-based deployment mechanisms to enable the end user to schedule the patch at a convenient time.
Don't allow people to put off updates indefinitely. Have something in place so that after a pre-registered amount of time, pull reverts to push so your users and their systems are protected.
Do regularly scan and audit your environment to ensure any vulnerabilities can be flagged and acted upon.
Do create patching procedures for routine and emergency patches so that urgent patches can be deployed quickly to mitigate organizational risk.
Do understand each vendor's release schedule for patches and updates so that you can plan and schedule maintenance work accordingly.
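The pull-then-push rule from the list above, combined with the "check if the patch is needed" and prioritization items, sketched as an added example that is not part of the original article. The seven-day deferral limit, host names, patch ids and the 1-3 criticality scale are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_DEFERRAL = timedelta(days=7)  # assumed policy value, not from the article

@dataclass
class PendingPatch:
    host: str
    patch_id: str                 # constructed placeholder id
    offered_at: datetime          # when the patch was first offered to the user
    applicable: bool = True       # outcome of the "is it needed here?" check
    emergency: bool = False       # emergency patches skip the pull phase
    criticality: int = 1          # 1 = low, 3 = most sensitive system
    user_slot: Optional[datetime] = None  # install time the user picked, if any

def decide(p, now):
    """Return (action, install_time) for one pending patch."""
    if not p.applicable:
        return ("skip", None)
    deadline = p.offered_at + MAX_DEFERRAL
    if p.emergency or now >= deadline:
        return ("push", now)      # pull has reverted to push
    if p.user_slot is None:
        return ("pull", deadline) # still the user's choice, deadline binds
    # A slot chosen beyond the deadline is clamped: no indefinite deferral.
    return ("pull", min(p.user_slot, deadline))

def plan(patches, now):
    """Forced installs first, then by system criticality, then by time."""
    rows = [(p, *decide(p, now)) for p in patches]
    rows = [r for r in rows if r[1] != "skip"]
    rows.sort(key=lambda r: (r[1] != "push", -r[0].criticality, r[2]))
    return [(p.host, p.patch_id, action, when) for p, action, when in rows]

# Constructed sample inventory.
NOW = datetime(2024, 3, 10, 9, 0)
SAMPLE = [
    PendingPatch("laptop-01", "PATCH-A", datetime(2024, 3, 8, 9, 0),
                 user_slot=datetime(2024, 3, 12, 18, 0)),
    PendingPatch("laptop-02", "PATCH-A", datetime(2024, 3, 1, 9, 0),
                 user_slot=datetime(2024, 3, 20, 18, 0)),
    PendingPatch("db-01", "PATCH-B", datetime(2024, 3, 9, 9, 0),
                 emergency=True, criticality=3),
    PendingPatch("kiosk-01", "PATCH-C", datetime(2024, 3, 9, 9, 0), applicable=False),
    PendingPatch("laptop-03", "PATCH-A", datetime(2024, 3, 6, 9, 0),
                 criticality=2, user_slot=datetime(2024, 3, 30, 18, 0)),
]

if __name__ == "__main__":
    for row in plan(SAMPLE, NOW):
        print(row)
```
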