Patch Management: 5 Incorrect Assumptions

We’ve all read the news stories. We’ve seen the tales of companies that found themselves the victims of cyber crime, left with irretrievable data, considerable fines, and reputations in tatters.

So we know we should never assume a network is 100% secure. Applications should be updated regularly to close the software vulnerabilities attackers could exploit.

But patch management itself is misunderstood. And the assumptions you’re making about what patch management does, how it works, and how much you need it are leaving your infrastructure at risk.

1. Patch deployment is the same as patch management

Your goal is to apply patches to applications across your network. So it’s natural to think that’s all there is to patch management.

But the truth is that patch management starts long before you deploy a patch.

A patch management solution gives you the information you need before anything is deployed, including:

  • Which third-party applications you have, and on which hosts
  • Which of those are vulnerable
  • How those application vulnerabilities could affect you
  • Whether patches are available to help

Then, a patch management tool can retrieve, check, and test the patches. And only then does it move onto deployment.

2. I only need to focus on common applications

There’s a perception that software vulnerabilities are widely reported, and many of them are. But for every Heartbleed, there are ten application vulnerabilities you haven’t heard of, many of them affecting applications you don’t even know you have.

The misconception that you only need to focus on common applications comes in part from the idea that vulnerabilities are widely reported, and in part from the need to streamline patching. But it’s not enough to patch Firefox and your Adobe products – any application can be vulnerable.

As a result, you can’t settle for anything less than 100% visibility of the applications installed across your network.

3. Every application vulnerability is critical

When you read about IT security, it’s easy to feel like you’re constantly under attack. The horror stories of large-scale breaches can make you feel as if a single vulnerability would be the downfall of your organisation.

But not every vulnerability is critical. While the ideal environment wouldn’t have a single point of weakness, you need to know when patching can wait. And when it can’t.

When you understand the criticality of each vulnerability and the exposure of the machines it affects, you can prioritise more effectively. You can see the difference between an extremely critical vulnerability that affects a single machine that’s not connected to the internet, and a low criticality vulnerability that affects everything on your network.

Then, using that balanced view, you can take the most appropriate action.

4. I can rely on my patch catalogue

A patch catalogue is a useful source for finding security updates. But it is far from comprehensive.

Most patch catalogues are designed to show you when patches are available. However, it’s just as important – perhaps even more important – to know when applications are vulnerable but no patch has been released.

There is some truth in this assumption. After all, you can probably rely on your patch catalogue to tell you when there’s a patch.

But is that really the information that matters most?
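The prioritisation described under assumption 3 and the no-patch case under assumption 4 can be tied together in a small script. The following is an added example, not code from the original article or from any patch management product: it matches a constructed application inventory against a constructed advisory feed, scores each advisory by severity multiplied by the exposure of the hosts it affects, and flags advisories for which the vendor has not released a fix. The application names, advisory identifiers, versions, severity scale and exposure weights are all assumptions chosen for illustration.

```python
"""Added example: prioritise patching from an application inventory and an
advisory feed, flagging vulnerabilities that have no patch yet.
All names, versions, advisory IDs and weights below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    app: str
    affected_below: str           # every version lower than this is affected
    severity: int                 # 1 (low) to 5 (extremely critical), assumed scale
    fixed_version: Optional[str]  # None: the vendor has not released a patch


@dataclass(frozen=True)
class Install:
    host: str
    app: str
    version: str
    internet_facing: bool


def parse_version(version: str) -> tuple:
    """Turn "3.10.2" into (3, 10, 2) so versions compare numerically,
    not as strings (where "3.9" would sort after "3.10")."""
    return tuple(int(part) for part in version.split("."))


# Hypothetical weights: an internet-facing host counts three times an
# isolated one. Tune these to your own environment.
EXPOSURE_WEIGHT = {True: 3, False: 1}


def prioritise(inventory, advisories):
    """Return one row per advisory that matches at least one install,
    highest priority first. score = severity x sum of exposure weights
    of the affected installs, so a low-severity issue on every web host
    can outrank a critical one on a single isolated machine."""
    rows = []
    for adv in advisories:
        affected = [
            inst for inst in inventory
            if inst.app == adv.app
            and parse_version(inst.version) < parse_version(adv.affected_below)
        ]
        if not affected:
            continue  # no vulnerable install: nothing to do for this advisory
        exposure = sum(EXPOSURE_WEIGHT[i.internet_facing] for i in affected)
        rows.append({
            "advisory": adv.advisory_id,
            "app": adv.app,
            "severity": adv.severity,
            "hosts": sorted(i.host for i in affected),
            "score": adv.severity * exposure,
            # A catalogue only knows the first branch; the second is the
            # case the article warns about: vulnerable, but nothing to deploy.
            "action": (f"upgrade to {adv.fixed_version}" if adv.fixed_version
                       else "NO PATCH AVAILABLE: mitigate (disable, isolate, monitor)"),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["advisory"]))


# Constructed inventory: three exposed web hosts on an old browser build,
# one already updated, one isolated lab box, one exposed HR workstation.
INVENTORY = [
    Install("web-01", "ExampleBrowser", "58.0.1", True),
    Install("web-02", "ExampleBrowser", "58.0.1", True),
    Install("web-03", "ExampleBrowser", "58.0.1", True),
    Install("web-04", "ExampleBrowser", "60.0.0", True),
    Install("lab-01", "ExampleCAD", "2.3.0", False),
    Install("hr-01", "LegacyViewer", "1.0.4", True),
]

# Constructed advisory feed: one low-severity, one extremely critical,
# one with no vendor fix.
ADVISORIES = [
    Advisory("ADV-0001", "ExampleBrowser", "59.0.0", 2, "59.0.0"),
    Advisory("ADV-0002", "ExampleCAD", "2.4.0", 5, "2.4.0"),
    Advisory("ADV-0003", "LegacyViewer", "1.1.0", 4, None),
]


if __name__ == "__main__":
    for row in prioritise(INVENTORY, ADVISORIES):
        print(f'{row["score"]:>3}  {row["advisory"]}  {row["app"]:<15} '
              f'sev={row["severity"]}  hosts={",".join(row["hosts"])}  -> {row["action"]}')
```

With the constructed data the low-severity browser advisory comes out on top (severity 2 across three internet-facing hosts scores 18), the unpatched viewer vulnerability is second and carries an explicit no-patch action, and the extremely critical CAD vulnerability on the isolated lab machine is last (score 5). Whatever scale you use for severity and exposure, the two properties the script needs from its data sources are the ones the article calls for: an inventory that is complete, and an advisory feed that reports vulnerabilities even when no patch exists.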

5. I don’t have the resources for third-party application patching

When you consider everything it takes to find third-party applications, check them for known vulnerabilities, prioritise patching, and configure deployments, it can seem overwhelming. Who has the time and resources to do all that?

With the right patch management, you don’t need to do it all by hand: discovery, vulnerability matching, prioritisation and deployment can be automated.

So you can secure your applications and reduce your exposure without increasing your workload.
