Patching

The intent of this control is to ensure your organisation keeps all software within your environment up to date, and understands the risk associated with delaying or cancelling patches and updates.

What is patching?

Keeping your software up to date is one of the most simple and effective steps to take to ensure your environment stays secure.
A common tactic for attackers is to exploit known vulnerabilities in software that an organisation has not yet updated.
Software owners often release patches to reduce the impact of vulnerabilities or remove them. Applying these patches in a timely manner remains the number one critical control for organisations to keep their IT systems secure, and to protect themselves from being breached.

Modern IT environments are complex, with interconnected components and software. Attackers take advantage of this interconnectedness to chain multiple vulnerabilities together to get into business systems. To combat this, patching becomes critical to reduce the number of issues and vulnerabilities that could be used against you.

It’s important to include internet-of-things (IoT) devices as part of your patch management strategy. This includes any smart devices that have support for internet connectivity. These devices are part of your environment and network and can increase the attack surface for your organisation.

How to implement patching across your organisation

Each environment is unique and can be complex. There are several things to think about when attempting to implement consistent patching across an organisation. 

The sections below point out the different steps you should be taking when it comes to implementing patching.

Understand your environment

Understand what software and firmware you have in your environment, so that you know what needs to be patched. This allows you to know which patches are applicable to you and what the impact would be if a vulnerability is exploited. As a company grows, it gets harder to track what is within the environment.

Configuration management databases (CMDB)

For larger organisations, a CMDB can be helpful and used to give you a granular view of the components in your environment - from the hardware and devices all the way down to the software versions they are running. 

CMDBs are often populated by hand, which means they are often out of date or simply contain incorrect information. Automated reporting that keeps the CMDB up to date is very valuable.

Having a central repository makes it easier for this data to feed into other processes, like patching or incident response.

Even without a CMDB, an organisation can still benefit from using tools that scan and collect data about the environment. Software discovery and inventory tools, such as the software inventory feature in Microsoft System Center Configuration Manager (SCCM), help you understand what software is running in your environment.

Scanning and discovery tools

Vulnerability scanning tools, such as Nessus or OpenVAS, help you identify which vulnerabilities your environment is currently exposed to. They also provide patch references for vulnerabilities that the vendor has already resolved.

Scanning and discovery tools can only help when a device is connected to your network and reachable by the scanner. The patch status of segmented networks, or of devices that are regularly taken off the network, such as laptops and other mobile devices, can be hard to capture.

If staff can use their own personal devices in your environment (bring-your-own-device), you may be able to discover these devices, but you will have little to no control over the software patches that are applied. 

Mobile device management (MDM) tools give you more control over these untrusted devices by enforcing security policies and patch levels. If you don’t use an MDM tool, have a clear agreement and policy with your staff around patching their devices. If staff don’t patch, be prepared to ring-fence these devices on a separate untrusted network until they are patched.

Legacy software

Some hardware and devices can’t be patched because of hardware limitations. For example:

  • a Samsung Galaxy S III that can’t support the latest versions of the Android operating system, or
  • a legacy application that needs to run on a Windows Server 2003 machine.

The legacy software on these devices can’t be patched and poses a greater risk to the organisation.
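As an added illustration (not part of the original guidance), the script below ties the inventory, scanning and legacy-software sections together: it matches a software inventory against vendor advisories and reports hosts that are missing a patch and legacy software the vendor will never fix. All host names, product names, versions and advisory references are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample inventory, as a CMDB or discovery tool might export it.
INVENTORY = [
    {"host": "web-01", "product": "ExampleHTTPd", "version": "2.4.9"},
    {"host": "web-02", "product": "ExampleHTTPd", "version": "2.4.57"},
    {"host": "db-01", "product": "ExampleDB", "version": "12.3"},
    {"host": "legacy-01", "product": "ExampleOS", "version": "5.2"},
]

# Constructed vendor advisories. fixed_in=None means the vendor has ended
# support and no patch will be released: the legacy-software case.
ADVISORIES = [
    {"product": "ExampleHTTPd", "fixed_in": "2.4.50", "ref": "VENDOR-ADV-001"},
    {"product": "ExampleDB", "fixed_in": "12.5", "ref": "VENDOR-ADV-002"},
    {"product": "ExampleOS", "fixed_in": None, "ref": "VENDOR-EOL-2023"},
]

def parse_version(text):
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically.
    Plain string comparison gets this wrong ('2.4.9' > '2.4.50').
    Distribution backports that keep an old version number need a
    vendor-aware comparison instead of this generic one."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def assess(inventory, advisories):
    """Return one finding per (host, advisory): 'missing' when a fix exists
    but is not applied, 'unpatchable' when no fix exists, else 'patched'."""
    by_product = defaultdict(list)
    for adv in advisories:
        by_product[adv["product"]].append(adv)
    findings = []
    for item in inventory:
        for adv in by_product.get(item["product"], []):
            if adv["fixed_in"] is None:
                status = "unpatchable"
            elif parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                status = "missing"
            else:
                status = "patched"
            findings.append({"host": item["host"], "product": item["product"],
                             "ref": adv["ref"], "status": status})
    return findings

def summarise(findings):
    """Count findings per status for a central review of patch state."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["status"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        if f["status"] != "patched":
            print(f"{f['host']:10} {f['product']:13} {f['ref']:16} {f['status']}")
    print(summarise(assess(INVENTORY, ADVISORIES)))
```

Feeding the script real inventory and advisory feeds (for example, from SCCM or a vulnerability scanner) gives a single list to review, with unpatchable entries flagged for the risk decisions the legacy-software section describes.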

Know when updates are released

Vendors typically send notifications out to their mailing lists when patches are released. Some vendors have clear patch release days - like Microsoft’s Patch Tuesday. Once you have an idea of the software you are running in your environment, make sure you have a clear and central way to receive patch notifications.

Send these notifications to a central location to review and filter. This will prevent urgent or important notifications from being lost in the inbox.