
2012.01.07

9 Top Patch Management Practices for Businesses Security

 Hello, this is Mitsuhiko Maruyama. This is a useful reference...

1. Automate your patching
2. In-depth reporting
3. Testing and rollback
4. Third party apps
5. Maintenance windows
6. Hardware
7. Quarterly audits
8. Require all new systems be fully patched
9. Vulnerability scans

 
The Hackers News
・2012.01.04 9 Top Patch Management Practices for Businesses Security

=====
1. Automate your patching
 If your patch management strategy depends upon manual effort, you're doing it wrong. Only the smallest businesses can handle patching by hand. You need a system that can deploy patches to all your systems; workstations and servers.

2. In-depth reporting
 Automating doesn't mean ignoring. You should be able to see the state of your patch management at any point in time and know exactly which systems are in need of attention.

3. Testing and rollback
 I lump these two together because they are two sides of the same coin. You need to test your patches; you may also need to roll them back. Good patch management includes both; testing things meticulously, and being able to roll back if the testing missed something.

4. Third party apps
 The operating systems vendors do a pretty good job of making patching a no-brainer operation. It's the third party apps that tend to bite a lot of customers when they aren't looking. Make certain your patch management covers the apps that didn't come with your operating system.

5. Maintenance windows
 I once worked an incident that ended up costing close to US $100K in down time, remediation, reporting and consumer credit monitoring. The server that was hacked was vulnerable because it was missing a patch. The patch was missing because the system owner wouldn't approve any downtime for patching – therefore no one ever got around to applying a critical patch for a known vulnerability. The hack happened almost a year to the day after the patch was made available. No system should be without a monthly maintenance window, and allowance must be made for emergency patches for zero-day issues.

6. Hardware
 Don't overlook your hardware. Whether it's your network routers and switches, your wireless access points, or firmware versions on your laptop BIOS, make sure your patch management efforts keep up with the updates for these critical parts of your infrastructure.

7. Quarterly audits
 Run quarterly audits of those reports, and inspect a random sampling of servers, workstations, and network gear to be sure your patch management solution is being applied appropriately.

8. Require all new systems be fully patched
 Any new system; server, workstation, or infrastructure, should be fully patched before it gets to production. New updates come out monthly and there is no excuse for a brand new system to be plugged in while vulnerable. Patch management is an ongoing process.

9. Vulnerability scans
 It may not sound like it's a part of patch management, but it will help you find new systems that need patching, and others that fall out of compliance. Run regular vulnerability scans against both your internal and external network to help identify new issues as they arise. Schedule them to run at least weekly, compare each new report to the last one, and investigate deltas immediately.
=====

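 One may ask whether it is really worth spending this much in resources (money, people, and so on), but I think that, even without doing everything at once, it is important to improve little by little, starting with what you can do...
 If you improve according to a plan and it is once built up as a system, what remains is mostly a matter of operations, and things get easier... Taking the first step without hesitation and proceeding according to a plan: that is probably what matters...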
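
Practice 9 in the quoted list asks that each new vulnerability scan report be compared to the last one and the deltas investigated. The following is an added example of that comparison, not code from the quoted article or from this blog. It assumes a hypothetical CSV export with `host`, `finding_id` and `severity` columns that lists only hosts with findings; the two sample reports are constructed.

```python
import csv
import io

# Constructed sample reports. The CSV layout (host, finding_id, severity) is an
# assumption for this example, not any particular scanner's export format.
LAST_WEEK = """host,finding_id,severity
10.0.0.5,MISSING-PATCH-A,high
10.0.0.5,MISSING-PATCH-B,low
10.0.0.7,MISSING-PATCH-A,high
"""
THIS_WEEK = """host,finding_id,severity
10.0.0.5,MISSING-PATCH-B,low
10.0.0.7,MISSING-PATCH-A,high
10.0.0.7,MISSING-PATCH-C,critical
10.0.0.9,MISSING-PATCH-A,high
"""

def load(report_text):
    """Return {(host, finding_id): severity} for one scan report."""
    rows = csv.DictReader(io.StringIO(report_text))
    return {(r["host"], r["finding_id"]): r["severity"] for r in rows}

def scan_delta(previous_text, current_text):
    """Compare two reports and classify every change between them."""
    prev, curr = load(previous_text), load(current_text)
    prev_hosts = {h for h, _ in prev}
    curr_hosts = {h for h, _ in curr}
    added = sorted(set(curr) - set(prev))
    return {
        # Hosts absent from the last report: new systems, or previously clean ones.
        "new_hosts": sorted(curr_hosts - prev_hosts),
        # Known hosts that gained a finding: they fell out of compliance.
        "regressed": [(h, f, curr[(h, f)]) for h, f in added if h in prev_hosts],
        # Findings that disappeared: patched, or the host was not scanned.
        "resolved": sorted(set(prev) - set(curr)),
        # Hosts absent from the new report: fully patched, offline or retired.
        "missing_hosts": sorted(prev_hosts - curr_hosts),
    }

if __name__ == "__main__":
    for category, items in scan_delta(LAST_WEEK, THIS_WEEK).items():
        print(f"{category}: {items}")
```

Every non-empty category is a delta to investigate; `resolved` and `missing_hosts` should be checked against the patch reports from practice 2 before being treated as fixed.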
