With all of the talk about network security lately, and us constantly reminding everyone of the need to employ basic security measures like patch management, firewalls, anti-virus software and end-user education, we thought it might be smart to take a step back and focus on one basic question that is prompted by that laundry list: what is patch management?
If you know, then you know and we are really, really glad to hear it. But if you don’t know and we keep throwing around the term like clearly you are supposed to know, well, that’s just kind of annoying (for you!).
And so in an effort to remedy that, this blog is devoted to answering “what is patch management?” and also explaining the reasons why it’s such an important practice when it comes to your business’ network security.
What is Patch Management?
Let’s start with explaining what a patch is. A patch is a piece of code that can be applied to a software program after it has been installed. Patches are created in order to correct issues with that program that are discovered after it has been released. You can think of it like a bandage or a fix for the program or system.
So it follows that patch management is the systematic and documented management of patches. But we want to be thorough, so let’s also clearly define the practice.
First, the technical/official definition of patch management.
Patch management is an area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system. Specific patch management tasks include maintaining knowledge of available patches that relate to the systems being managed and then deciding which are appropriate and taking the steps to install, test and fully deploy them.
Now, the human (non-IT pro) definition.
Patch management means that someone is doing just that – managing these patches.
Because a patch is a piece of code, it has to be installed. Which means that someone also has to know that they exist, decide if they are necessary, and then take steps to avoid problems that can occur while deploying a patch. In the best cases, there is a whole process around an organization’s patch management where the patches are assessed, installed, tested and documented.
A common example of a patch are Windows updates. If you use Windows, you are probably familiar with those messages from your operating system (OS) prompting you to accept them, or with Windows 10, that your machine will need to be restarted due to updates.
Well if you never really thought about what those are, many times they are patches that are created to fix security issues. Check out the Windows 10 update history to see what we mean – some are updates to improve the overall user experience, but here are 3 examples from just their March 8 release:
- Fixed security issue created when attempting to play corrupted content.
- Fixed security issue that could allow remote code execution while viewing a PDF in Microsoft Edge.
- Fixed additional security issues with Microsoft Edge, Internet Explorer 11, USB storage driver, kernel mode drivers, .NET Framework, graphic fonts, OLE, secondary logon, PDF library, and Adobe Flash Player.
Another example of a patch are the updates that get pushed to iPhones (and iPads and iPods) on a regular basis. As with Windows, the update is usually going to include tweaks to the overall functionality for an improved user experience, but also a patch that addresses any security vulnerabilities that Apple has discovered in the current OS.
Why is Patch Management Necessary?
Now that we know what is patch management, let’s talk about why it exists.
The reason for that is actually pretty simple. As soon as software or an operating system get released, there are hackers out there looking for holes and vulnerabilities that will let them in.
Sometimes patches get released because unfortunately the hackers were successful in identifying and then exploiting the weakness and so the vendor goes back and patches it up to shut them down. In order cases, the vendors themselves find the glitches first and then issue the patch that is needed to correct it. Or possibly it's just to strengthen overall security, because they found a better way to do that.
The reality with all of this is that no software or OS is bullet-proof – even Apple (long thought to be immune from cyberattacks) got hit with its first-ever ransomware attack in March. The KeRanger ransomware was the first targeted at Apple, but it is doubtful it will be the last.
The other point here is that not all patches are necessary. There are patches that get issued for obscure updates that have no impact at all on your system. But it takes someone with expertise to decipher them and then correctly deploy only what is necessary for your network security.
What is the Goal of Patch Management as a Practice?
Patch management exists in order to protect business networks and systems from these ever-present cyberthreats. In specific terms, it's a best practice towards protecting your data and avoiding hacks that can be very costly for any business.
Patch management isn’t something that can be ignored. Cybersecurity threats are increasing every day and becoming more and more sophisticated.
Because here’s the thing – these patches only work if they get applied. Sounds pretty obvious right?
That would be great. However, the reality is that it isn’t, particularly for any business that is already stretched thin with resources and doesn’t necessarily have an IT expert supporting them. It’s pretty easily overlooked or possibly even intentionally ignored.
It’s too easy to think “oh I don’t need to worry about that”…until, of course, you do.
If you think that sounds far-fetched, consider that the latest high profile ransomware attack could reportedly have been avoided had the hospital issued a patch that was issued back in 2007. Despite numerous warnings over the last 8 years about a flaw that had been discovered in one of the programs in use by MedStar Health, an anonymous source is saying the patch was never deployed. Not only did this cause serious – and probably costly – disruptions in service to the hospital system, it could impact them in civil cases should it be discovered that any protected patient information was stolen.
There is likely more to this developing story, but the news about this patch -- and how ignoring it potentially opened the door to a major ransomware attack -- underscores exactly why every business needs to understand “what is patch management?” and then address it.
So instead of allowing these patches to get ignored or spinning your wheels trying to decipher every single patch available and determine if it’s critical, best practice for any business is to work with your IT support team on a documented patch management process.
Most managed IT service providers will provide patch management as part of an IT service plan...just like we do. You can check out our plans here!