Symantec's annual "Internet Security Threat Report" highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?

Patching is a prevention measure that protects systems from unauthorized users, malware or errors that adversely affect normal processes. Products such as Microsoft Office, antivirus, network devices, Linux and Windows servers, midrange computing, and large mainframes all need security patching, program temporary fixes or updates. Updates are different from patches, but it's helpful to discuss them since some updates not only provide enhancements to products but may also eliminate errors and possible vulnerabilities. Security patching can be automated but many organizations choose to selectively patch due to limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.

Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to maintain current patches within 30 days of patch notices. However, a significant number of companies do not consider patching a priority until the vulnerability has been exploited and results in an outage or breach, or until it's required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify critical patches and provide enterprises with better patch management.

Security patching can and should be done by system administrators, but security teams may be in charge of monitoring critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the installation's change control procedures.

In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:

  • Outline a vulnerabilities and patching policy that the enterprise uses to handle the identification of vulnerabilities, roles and responsibilities related to patching activities, sources for identifying vulnerabilities and the sources for identifying required patches;
  • Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
  • Update the patch management software that automatically keeps desktops, laptops and remote users up to date with the latest security patches and software updates;
  • Subscribe to an alerting service -- typically from the vendors of software requiring patches -- that will supply information about new vulnerabilities and associated patches; and
  • If the enterprise is subject to PCI DSS compliance, make sure it meets PCI DSS requirement 6.2, which requires all system components and software to have applicable vendor-supplied security patches installed within one month of release.
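The 30-day window the answer describes (and the one-month window of PCI DSS requirement 6.2) is easy to turn into a measurable check. The Python script below is an added example, not code from the original answer or from any patch management product: it runs over a constructed patch inventory (the hostnames, patch identifiers and dates are all made up) and reports which pending patches have exceeded the window, ordered by severity and age, along with a simple compliance ratio a patching committee could track over time.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy window from the article: 30 days after the patch notice.
# PCI DSS 6.2 says "one month"; it is treated as 30 days here (assumption).
PATCH_WINDOW_DAYS = 30

# Severity ordering used to prioritize the overdue list.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class PatchRecord:
    host: str
    patch_id: str              # vendor advisory or KB identifier (constructed)
    severity: str              # "critical", "high", "medium" or "low"
    released: date             # vendor release / notice date
    applied: Optional[date]    # None means the patch is still pending


def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days between release and application (or until as_of if still pending)."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def due_date(rec: PatchRecord, window: int = PATCH_WINDOW_DAYS) -> date:
    """Last day on which the patch can be applied and still be inside the window."""
    return rec.released + timedelta(days=window)


def is_overdue(rec: PatchRecord, as_of: date, window: int = PATCH_WINDOW_DAYS) -> bool:
    """True if the patch took, or has so far taken, longer than the window."""
    return days_outstanding(rec, as_of) > window


def patch_report(records, as_of: date, window: int = PATCH_WINDOW_DAYS) -> dict:
    """Split the inventory into overdue-pending, applied-late and compliant patches.

    Compliant means applied within the window, or pending but not yet past it.
    """
    overdue = [r for r in records if r.applied is None and is_overdue(r, as_of, window)]
    # Highest severity first, then the oldest outstanding patch first.
    overdue.sort(key=lambda r: (SEVERITY_RANK.get(r.severity, 9),
                                -days_outstanding(r, as_of)))
    late = [r for r in records if r.applied is not None and is_overdue(r, as_of, window)]
    total = len(records)
    compliant = total - len(overdue) - len(late)
    return {
        "overdue": overdue,
        "late": late,
        "compliant": compliant,
        "total": total,
        "ratio": compliant / total if total else 1.0,
    }


def format_report(report: dict, as_of: date) -> str:
    """Render the report as plain text for a change-control or committee meeting."""
    lines = [f"Patch compliance as of {as_of}: "
             f"{report['compliant']}/{report['total']} ({report['ratio']:.0%})"]
    for r in report["overdue"]:
        lines.append(f"OVERDUE  {r.host:8} {r.patch_id:12} {r.severity:8} "
                     f"released {r.released} due {due_date(r)} "
                     f"pending {days_outstanding(r, as_of)} days")
    for r in report["late"]:
        lines.append(f"LATE     {r.host:8} {r.patch_id:12} {r.severity:8} "
                     f"applied after {days_outstanding(r, as_of)} days")
    return "\n".join(lines)


# Constructed sample inventory; the reporting date matches the article's publication month.
AS_OF = date(2016, 11, 15)
SAMPLE = [
    PatchRecord("web01", "PATCH-0001", "critical", date(2016, 9, 1), None),
    PatchRecord("web01", "PATCH-0002", "medium", date(2016, 11, 1), None),
    PatchRecord("db01", "PATCH-0003", "high", date(2016, 10, 1), date(2016, 10, 20)),
    PatchRecord("db01", "PATCH-0004", "high", date(2016, 8, 1), date(2016, 10, 1)),
    PatchRecord("app01", "PATCH-0005", "high", date(2016, 10, 10), None),
]

if __name__ == "__main__":
    print(format_report(patch_report(SAMPLE, AS_OF), AS_OF))
```

Feeding the script real data means exporting release and installation dates from the patch management tool or vulnerability scanner into `PatchRecord` objects; the sort order puts the critical patch that has been pending the longest at the top, which is the item a patching committee should schedule first.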

Security patching can be tedious and seemingly unrewarding work, but when they're kept current, patches effectively -- and without fanfare -- prevent major vulnerabilities from being exploited. However, if security patching is neglected, eventually it will result in expensive interruptions that will require remediation resources after a breach or outage.



This was last published in November 2016



Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the...


You’ve heard the saying, “You don’t know what you have until it’s gone.” I think that wisdom applies nicely to the overall value that system administrators bring to their employers. Since July 29 is System Administrator Appreciation Day, today is the perfect day to reflect on these workers and their roles.

I’m confident that any and all security-related incidents would be impossible to prevent or work through without the guidance of a system administrator who knows his network like the back of his hand. Security may not be the specific focus of system administrators, but I can assure you it comprises a significant portion — arguably the majority — of their workloads on any given day.

Networks Don’t Run Themselves

I’ve witnessed the generalizations, stereotypes and assumptions about what system administrators do and don’t do while working on projects with my clients. From regular users to executive management, many system administrators get little to no attention until something goes awry. There’s often a notion that network systems, servers and applications simply run themselves; rarely is the work of the system administrator considered.

“System Administrators are a key component of a sound infrastructure in any IT environment, especially when it comes to security,” said Cody Rucks, a DevOps engineer in corporate operations at CareerBuilder. “Whether actively working to prevent threats, doing an analysis of trends, implementing policies or engaging with SaaS vendors to ensure they are not allowing a lapse in security policy, it is the system administrator that helps to protect the integrity of the environment by leveraging close collaboration with security teams.”

A Multitude of Responsibilities

Many of the day-to-day system administrator tasks that involve security include:

  • Reviewing network infrastructure, server and application logs;
  • Patching operating systems and third-party software;
  • Monitoring antivirus software;
  • Analyzing network bandwidth and throughput;
  • Ensuring data backups have run and are workable;
  • Responding to potential and confirmed network security threats; and
  • Dealing with visitors, guest network users and outside vendors.

System Administrators to the Rescue

My father worked as a printing pressman for his entire career. When I was growing up, I heard stories about printing presses having problems or failing altogether, which was especially problematic during high-volume operations and time-sensitive projects. When the going got rough, my father was able to come to the rescue of his printing company (and its customers) on many occasions. When the timing was right, he was able to prevent catastrophes altogether. The system administrator is no different.

“Systems administrators play a crucial role in the health and security of modern networks,” said Matthew Peters, director of IT operations and security at The Rainmaker Group. “They are the police, firefighters and EMTs all rolled up into one — waste management too! SysAdmins wear a multitude of hats and are required to answer difficult questions that nontechnical folks need answered. They are needed to be the subject-matter expert for anything that has electricity running through it and are typically required to be available 24/7.”

Whether or not you work in IT or security, be sure to recognize the value of the system administrator role. As with customer service and payroll managers, you may not appreciate what goes on behind the scenes, but you’ll certainly feel it when they’re not there to do their work.


Security Intelligence