How to audit a patch process
In light of the growing concerns surrounding regulatory compliance, it has become increasingly important to have a reliable IT patch process in place. After all, the majority of security issues can be resolved by properly patching network operating systems. Colin Buechler of Shavlik Technologies offers a step-by-step guide from implementation through to auditing.
Bugs, or glitches, in complex IT systems are common and can be business-critical, so organisations must be able to respond with effective interim software - a patch - until the problem can be addressed at its root cause. A patch can sometimes be called a 'fix', and is essentially a quick-repair job for a piece of programming.
According to internet security researchers CERT, 95 per cent of security breaches could be prevented by keeping systems up to date with appropriate patches; in other words, they exploit ‘known vulnerabilities or configuration errors where countermeasures were available.’ In addition, security standards such as ISO 27001 and Control Objectives for Information and related Technology (CobiT) require a formal process for evaluating patches prior to implementation on a network, to better ensure system stability and availability.
Considering all of the measures that could be taken to evaluate patches and deploy them across diverse networks, it is easy to overlook the three simple steps that are at the heart of all information security concerns: assessment, remediation, and management. All three steps are essential to establishing a risk management process for patches, and all three are essential to the audit process that confirms an organization has taken proper measures toward managing risk.
Here are some handy tips to bear in mind for each element.
Top assessment process tips
- create a road map with an end frame which envisions what the successful implementation of a patch programme will look like
- determine which operating systems are present on the network and establish to what level each system has been patched
- while missing patches should not be blindly applied to systems – some patches might be held back for a valid reason – it is essential to evaluate the risk of each such decision: does the risk of not deploying the patch outweigh the risk of deploying it?
- although some organizations prefer to let early adopters of patches flush out any problems rather than risk instability in their own environment, safeguards should be put in place for when 'zero day' vulnerabilities require immediate patching
- remember that if weaknesses are found to exist during the assessment phase, there is a greater possibility that remediation and management of the patch process will also have failed to achieve corporate goals
Top remediation process tips
- remember that remediation is guided by the assessment process
- typically, the items which present the greatest risk to an organization are the items which are addressed first
- if it is possible to safely and effectively patch a large number of systems quickly, do so. It may be beneficial to the overall risk management strategy of the organization, even if minimal risks are presented
- it may not be possible to address all of the high risk concerns at the same time, but a high risk first, low risk later approach may be entirely feasible given the expertise and availability of IT personnel. This will rapidly reduce the overall risk to an organization’s information security
- while remediating high risk vulnerabilities, it may be necessary to roll certain patches back if they prove to disrupt the business process. This can usually be avoided by properly testing patches prior to roll out
- having a roll back process in place ensures that if a security update does cause problems with a key operational process it can be rapidly retracted and mitigating controls can be established to better protect that system
- ensure that a procedural paper trail is left during each system configuration change and testing period as this is essential to the remediation process
Top management process tips
- remember that management is essential to the audit. Corporations could simply assess and perform remediation on a monthly or weekly basis and know that their systems are properly patched, but on its own that does very little to reduce the risk associated with the network patch procedure itself. By establishing a repeatable process with defined methods to assess and perform remediation, proper management and audit of the process can be ensured
- it is often worth organizations undergoing an internal audit review prior to review by an external auditor so as to avoid negative results of a procedural audit
- review each step defined by the process to ensure the procedures were adhered to and acceptable risks were maintained - there is no better indicator of the residual risk present in an organization than the audit process
- to ensure that the patch management procedure works, it is essential to ensure that system configuration changes have been made and approved by the information security team as well
- remember that, above all, it is essential to be able to produce this documentation during an audit of the process explaining both the reasons for exceptions and that the mitigating controls were approved by management
Only by building a repeatable and defined process for patch management is it possible to best manage corporate risk associated with system patching and build a fully auditable programme.
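An added example, not from the article or from Shavlik's products, of the reconciliation at the heart of the three steps above: each system's patch level is compared against the baseline for its operating system (assessment), every gap is checked against the exception register, and only gaps backed by a documented, management-approved exception are accepted, with the rest reported highest risk first (remediation priority). All hostnames, patch identifiers and approvers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Highest risk is remediated and reported first (constructed ranking).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Required:
    patch_id: str   # constructed identifier, not a real bulletin number
    os: str
    severity: str

@dataclass(frozen=True)
class PatchException:
    system: str
    patch_id: str
    reason: str
    approved_by: Optional[str]  # None: documented but never approved by management

def audit(systems, required, exceptions):
    """Reconcile each system's missing patches against the exception register.
    systems: {hostname: {"os": str, "installed": set of patch_id}}
    Returns (findings, approved): findings are gaps with no approved exception,
    sorted highest severity first; approved gaps are kept for the paper trail."""
    exc_index = {(e.system, e.patch_id): e for e in exceptions}
    findings, approved = [], []
    for host, info in systems.items():
        for req in required:
            if req.os != info["os"] or req.patch_id in info["installed"]:
                continue  # not applicable to this OS, or already remediated
            exc = exc_index.get((host, req.patch_id))
            if exc is not None and exc.approved_by:
                approved.append((host, req.patch_id, exc.reason, exc.approved_by))
            else:
                why = "no exception on file" if exc is None else "exception not approved"
                findings.append((req.severity, host, req.patch_id, why))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings, approved

# Constructed sample inventory, patch baseline and exception register.
SYSTEMS = {
    "web01": {"os": "win2003", "installed": {"P-001", "P-002"}},
    "db01": {"os": "win2003", "installed": {"P-001"}},
    "file01": {"os": "win2003", "installed": set()},
    "app01": {"os": "rhel4", "installed": set()},
}
REQUIRED = [Required("P-001", "win2003", "high"), Required("P-002", "win2003", "critical"),
            Required("P-101", "rhel4", "medium")]
EXCEPTIONS = [
    PatchException("db01", "P-002", "breaks backup agent; host segmented", "J. Smith (CISO)"),
    PatchException("app01", "P-101", "awaiting vendor certification", None),
]
```

Running `audit(SYSTEMS, REQUIRED, EXCEPTIONS)` reports file01's two unpatched items first (no exception on file), then app01's gap whose exception was never approved, while db01's approved exception is kept as evidence for the auditor.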
About the author
Colin Buechler is a senior security consultant at Shavlik Technologies, the market leader in the simplification of complex enterprise network configuration, compliance and security. For more information visit www.shavlik.com
Shavlik are exhibiting at Infosecurity Europe 2007 between 24–26 April 2007 in the Grand Hall, Kensington Olympia, London. For more information visit www.infosec.co.uk
