Practically Perfect Patching

June 19, 2021

How do you ensure patches are deployed in a timely fashion, reducing the number of vulnerabilities in your network and software and protecting your organisation from ongoing threats?

Many frameworks recommend a set number of hours or days in which to implement patches, and in some cases clients ask for all patches to be deployed within a set number of hours or days, with no consideration of the usefulness, practicality or even effectiveness of the proposed patch.

Key variables

Applicability

Some environments are designed so that much of the internal network is not exposed to the internet. In this case, the external ring of the network that is exposed to the internet is patched more aggressively than the internal environment.

Assessing your Unique Risk

Deploy patches using a risk-based approach.

As a business, agree what an impact is and group impacts into bands.

Accessible Resources

Automatically apply patches that do not require a reboot or service restart (this can be set up by your IT specialist).

Have the right skill sets in your team, and agree how and when patches will be deployed based on your risk model.

Key considerations

Actual impact to the business if the vulnerability is exploited
  • Consider the impact to your business if the vulnerability was exploited. Would it take out your services? Would it expose confidential data?
  • What is the impact of the vulnerability the patch addresses if exploited?
  • If your business manages photos of cats in a database, a patch marked by a global software company as Critical or Extreme would not be critical to you, as your information is not of value.
Likelihood of a threat actor successfully exploiting the vulnerability the patch addresses
  • Consider the likelihood of the threat event occurring.
  • What is the likelihood, based on the structure of the environment, the resources required and the targets of the threat actors, of successfully exploiting the vulnerability the patch addresses?
  • Industry scores can give you threat intelligence companies' views of how brilliant the potential attack will be.

Patching Debt

Every time you delay a patch for business reasons, it will be in the queue for later on. Do you have the staff to do this? What will be the priority when they begin implementing these patches?
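
The risk-based ordering described above, sketched as an added example that is not part of the original article. The band names, numeric weights, the one-band increase for internet-facing systems and the debt metric are all assumptions that a business would replace with its own agreed values; the sample queue is constructed.

```python
from dataclasses import dataclass

# Assumed bands and weights; the business agrees its own.
IMPACT = {"negligible": 1, "moderate": 2, "severe": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}

@dataclass
class Patch:
    name: str
    vendor_rating: str      # vendor label, shown for comparison, never scored
    impact: str             # business impact band if exploited
    likelihood: str         # likelihood band for this environment
    internet_facing: bool   # external ring (True) or internal network
    needs_restart: bool     # reboot or service restart required
    days_deferred: int = 0  # how long it has already sat in the queue

def risk_score(p: Patch) -> int:
    likelihood = LIKELIHOOD[p.likelihood]
    if p.internet_facing:   # assumption: exposure raises likelihood one band
        likelihood = min(likelihood + 1, max(LIKELIHOOD.values()))
    return IMPACT[p.impact] * likelihood

def plan(patches):
    """Split into (auto-update, scheduled); scheduled is highest risk first."""
    auto = [p for p in patches if not p.needs_restart]
    scheduled = sorted((p for p in patches if p.needs_restart),
                       key=lambda p: (-risk_score(p), -p.days_deferred))
    return auto, scheduled

def patching_debt(patches) -> int:
    """Assumed metric: risk-weighted days of deferral across the queue."""
    return sum(risk_score(p) * p.days_deferred for p in patches if p.needs_restart)

# Constructed sample queue (hypothetical systems, not real advisories).
SAMPLE = [
    Patch("cat-photo database", "Critical", "negligible", "possible", False, True, 30),
    Patch("VPN gateway", "Medium", "severe", "possible", True, True, 0),
    Patch("internal file server", "High", "severe", "unlikely", False, True, 14),
    Patch("desktop browser", "High", "moderate", "likely", False, False, 0),
]

if __name__ == "__main__":
    auto, scheduled = plan(SAMPLE)
    for p in auto:
        print(f"auto-update   {p.name} (vendor: {p.vendor_rating})")
    for p in scheduled:
        print(f"risk {risk_score(p)}  {p.name} (vendor: {p.vendor_rating}, "
              f"deferred {p.days_deferred}d)")
    print("patching debt:", patching_debt(SAMPLE))
```

With this sample, the vendor-rated Medium patch on the internet-facing gateway is scheduled first and the vendor-rated Critical patch on the cat-photo database last, while the debt figure shows what the deferred items are costing in risk terms.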
