A few lesser-known tips for patch management towards reducing security vulnerabilities.

A few lesser-known tips for patch management towards reducing security vulnerabilities.

By Dr Christiaan Roos, Associate Director, Adept Advisory

Companies could be completely overwhelmed with patching vulnerabilities on their IT estate. Open vulnerabilities could easily run into the hundreds of thousands, in particular where organizations don’t have a good discipline of creating patch windows and scheduling server restarts. But there are a few best practices organizations can follow to improve and even simplify patch management practices.

 The first important tip is to minimize software on your business application servers to the bare minimum. Servers could be commissioned with, for example, the entire Microsoft Office suite by default. But you need to ask yourself, do you really need that software to operate the business application? Only install the software that is absolutely necessary to run the business application. Nothing more and nothing less. By reducing and uninstalling unnecessary software, you significantly reduce the software footprint on your production servers that needs to be patched. There are added benefits, such as less software licenses, less likelihood for open source or unlicensed software, less chance for software license disputes and penalties. Also, don’t forget to uninstall unnecessary software such as WinZip, which is embedded in the latest Windows Operating systems. Educate IT administration support staff to uninstall software used for once-off troubleshooting, such as Wireshark. This principle can also be followed for workstations in general but can be difficult to enforce if you haven’t removed local administration privileges and locked down USBs.

The second tip is to upgrade the software to the latest version, rather than patching the software. Don’t go with the cutting-edge release, wait for a stable release of the software and then upgrade. Follow a regular process of upgrading software. It is important to understand that older versions of software often contain software vulnerabilities. And as time goes by, the number of software vulnerabilities in a particular version of the software may increase, as well as the possible exploits available to compromise those vulnerabilities. It is therefore best practice to follow good software management practices and upgrade the software on a regular basis. Keep your versions of the software consistent across the IT assets. Different versions or releases of the same software will introduce different vulnerabilities into the estate.

The last tip is not to focus on Microsoft products and platforms only. Remember to also patch or upgrade your Linux and Apple Operating Systems and software.