7.8 Implement and support patch and vulnerability management
If we are following the proper procedures, then we have an accurate inventory of all of our hardware and software assets. Each time a patch is released for one of them, we can query the database to obtain a list of affected devices.
An administrator must be able to deploy patches across all devices automatically but must test the patches on a few sample devices first. We must also be able to keep track of the patches that have been deployed. We can then follow the procedure
- Evaluate the patch. Do we need this patch? Is it safe? Is there a risk that it could cause harm?
- Test the patch on a few sample devices to see if there are any adverse affects. If the patch is successful, we can proceed with applying the patch.
- Apply the patch to all of the affected devices.
- Verify that the patch is installed on each device. Keep track of any errors and correct them if possible.
- Roll back to the previous configuration if there was an issue with the patch.
The patch management procedure must always be conducted within the change management process.
Remember that there is a database of common vulnerabilities and exploits. When we run our scan or penetration test, we are looking for vulnerabilities in our system that match known vulnerabilities.
We need to keep track of each vulnerability detected
- What are all the vulnerabilities?
- How severe is each vulnerability?
- What does the vulnerability affect?
- What is the cost of patching each vulnerability?
- How long will it take to fix each vulnerability?
We can use this information to provide management with a snapshot of the total risk posed by the detected vulnerabilities. It also allows us to develop plans for correcting the most severe or cost-effective vulnerabilities. As the vulnerabilities are corrected, or as their severities change, we can update our information.