Cyber Essentials explained – what is patch management?
Posted: May 6th 2015
- Use licensed, vendor-supported software so that security patches for known vulnerabilities are actually made available to you.
- Install software updates and security patches in a timely manner.
- Have an automated, managed patch management service rather than relying on manual updates.
- Remove out-of-date software that no longer receives security patches.
Patch management is one of the five key controls mandated by the UK Cyber Essentials scheme. It refers to the process of planning how and when software updates should be applied to systems. New vulnerabilities are identified all the time, so it is essential that the software used on computers and network devices is kept up to date and the latest security patches are installed.
Why is patch management important?
Building and maintaining software is complicated, expensive and time-consuming, so many organisations use off-the-shelf software, apps, plugins or CMS platforms on their websites. There are many advantages to doing so, but it also means that when a vulnerability is identified in a widely used product, every organisation running that product is exposed at once. Automated attacks exploit common weaknesses wherever they find them, so every user remains at risk until an appropriate fix – or ‘patch’ – is provided by the software’s vendor and applied by its user. Installing patches and updates as soon as they are available helps protect computer systems and network devices from exploitation by attackers.
The Verizon 2015 Data Breach Investigations Report found that 99.9% of the exploited vulnerabilities it observed were compromised more than a year after the vulnerability had been publicly disclosed. Moreover, 97% of the exploits observed in 2014 targeted just ten published vulnerabilities, which indicates that poor patch management, rather than novel attacks, was a major cause of data breaches. Had the affected organisations applied the available patches within a reasonable time, many of those attacks would have failed.
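To make the control concrete, here is an added example that is not part of the original post or of the Cyber Essentials scheme itself. It audits a small software inventory against a list of security advisories: any installation below the fixed version is reported, it is marked overdue once the advisory is older than a patching window, and software whose vendor support has ended is flagged for removal. The package names, versions, dates and the 14-day window are constructed assumptions for illustration, not real advisories or a figure taken from the scheme.

```python
"""Patch-status audit for a small software inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Patching window in days. This is an assumption for the example, not a
# figure from the original post; set it from your own policy.
PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str   # first version that contains the fix
    disclosed: date      # date the vulnerability and fix were published
    severity: str


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str
    support_ends: Optional[date] = None   # vendor end-of-support date, if known


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' or '1.0.2-3' into a tuple of integers that compares
    numerically. Non-numeric characters are dropped, which is sufficient for
    plain dotted release numbers (not for every vendor's scheme)."""
    parts = []
    for chunk in v.replace("-", ".").split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def audit(inventory: List[Installed], advisories: List[Advisory],
          as_of: date, window_days: int = PATCH_WINDOW_DAYS) -> List[Dict]:
    """Return one finding per problem: an unpatched advisory (status 'due'
    while inside the window, 'overdue' after it) or unsupported software."""
    by_pkg: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)

    findings = []
    for item in inventory:
        # Out-of-date software: no vendor support means no future patches.
        if item.support_ends is not None and item.support_ends < as_of:
            findings.append({"host": item.host, "package": item.package,
                             "status": "unsupported", "action": "remove or replace",
                             "days_open": (as_of - item.support_ends).days})
            continue
        for adv in by_pkg.get(item.package, []):
            if not is_vulnerable(item.version, adv.fixed_version):
                continue
            age = (as_of - adv.disclosed).days
            findings.append({"host": item.host, "package": item.package,
                             "installed": item.version, "fixed": adv.fixed_version,
                             "severity": adv.severity, "days_open": age,
                             "status": "overdue" if age > window_days else "due"})
    return findings


# Constructed sample data: names, versions and dates are illustrative only.
ADVISORIES = [
    Advisory("webapp-cms", "4.2.1", date(2015, 1, 12), "critical"),
    Advisory("webapp-cms", "4.2.3", date(2015, 4, 28), "high"),
    Advisory("imgconv", "1.9.7", date(2014, 3, 3), "high"),
]
INVENTORY = [
    Installed("web-01", "webapp-cms", "4.2.1"),   # missing the April fix
    Installed("web-02", "webapp-cms", "4.2.3"),   # fully patched
    Installed("build-01", "imgconv", "1.9.2"),    # unpatched for over a year
    Installed("legacy-01", "oldmail", "2.1", support_ends=date(2014, 12, 31)),
]


def run_sample(as_of: date = date(2015, 5, 6)) -> List[Dict]:
    """Audit the constructed inventory as of the post's publication date."""
    return audit(INVENTORY, ADVISORIES, as_of)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In a real deployment the inventory would come from the package manager or an asset register and the advisories from the vendor's feed; the point of the example is that the decision logic is small once you hold both lists, and that "days since disclosure" is the number worth tracking, because it is exactly the figure the Verizon data shows attackers exploiting.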
How to apply effective patch management: