A client asked recently about best practices for how often we ought to patch. My immediate thought was “continuously.” However, most small to mid-sized enterprises don’t have the resources for that.
If you go to a source such as the Center for Internet Security (https://www.cisecurity.org), they talk about patching as a critical security control and say you need a formalized program of patch management to “regularly update all apps, software, and operating systems.” But they don’t say much about how or how often this should be done.
So, I hearkened back to the days when I was performing security audits for the Army. I probably did more than 500 of these on every type of system – from a small, rack-mounted tactical command & control server in the back of a Humvee to a 350,000-user wide area network in all 50 states. I started in the 1990s with the Department of Defense (DoD) Information Technology Security Certification & Accreditation Process (DITSCAP), and then moved to the DoD Information Assurance Certification and Accreditation Process (DIACAP), and finally the Risk Management Framework (RMF) that is in use today.
Typically, whenever we assessed those Army systems, if they had any missing patches or antivirus updates for more than a week, we would fail them. But when I researched this recently, I couldn’t find an Army or DoD reference to support this timeframe. You would think the DoD would have a best practice in place for that!
The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) (https://iase.disa.mil/stigs/Pages/index.aspx), which are checklists for security hardening of information systems/software “that might otherwise be vulnerable to a malicious computer attacks.” These outline security best practices for a variety of technologies – e.g., Windows OS, networking devices, database, Web, etc.
The STIGs serve as the reference guides for all of DoD and represent what I would call “high assurance” best practices. In fact, we used to joke that if you followed all of the STIG guidance, you would “brick” your system! There is, of course, always a tradeoff between system security and usability.
There is also doctrine on security controls (including patching/updates) in various guides such as the NIST SP 800-53 Risk Management Framework (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) and the DoD Cybersecurity Discipline Implementation Plan (http://dodcio.defense.gov/Portals/0/Documents/Cyber/CyberDis-ImpPlan.pdf).
Upon examining all of these, I found that they actually provide varying advice on patching/update frequency – based on the criticality of the system, level of data being processed, or criticality/impact of the patches to be implemented.
The current objective for all patching in the DoD, according the Cybersecurity Discipline Implementation Plan, dated February 2016 is: “All DoD information systems have current patches within 21 days of IAVA patch release.” In addition: “Systems with high risk security weaknesses that are over 120 days overdue will be removed from the network.”
Note that an IAVA is an Information Management Vulnerability Alert, which generally starts at the US Computer Emergency Response Team (CERT) level, and then is promulgated down to US Cyber Command and the Cyber Commands of the military service branches. These represent the most critical vulnerabilities for which all US government systems must be patched. We can also use this as a best practice for anyone running a high-security commercial system.
To summarize DoD guidance on security patching and patch frequency:
- You must apply security patches in a timely manner (the timeframe varies depending on system criticality, level of data being processed, vulnerability criticality, etc.) in accordance with the Information Assurance Vulnerability Management (IAVM) process. https://www.stigviewer.com/stig/application_security_and_development/2017-01-09/finding/V-70281
- IAVM process: All systems must install all IAVAs and IAVBs (bulletins) immediately, and report back to the command within 21 days.
- Windows security patches must be installed “immediately” using automated patching methods: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36735
- Database patches must be applied quarterly in accordance with the patch release cycle: https://stigviewer.com/stig/oracle_database_11g_installation/2016-06-15/finding/V-5659
- Antivirus updates and scans must be run at least weekly: https://www.stigviewer.com/stig/mcafee_virusscan_8.8_managed_client/
In general, the following is my advice for patching frequency best practices:
- Run scheduled monthly vulnerability scans utilizing the AlienVault Unified Security Management (USM) built-in network vulnerability scanner to check for vulnerabilities and misconfigurations in your cloud, on-premises, and/or hybrid environment.
- Besides the scan reports, you should also research vulnerabilities for all Windows, desktop applications, and so forth on a monthly basis. The AlienVault Open Threat Exchange (OTX) Pulse feed is a good place for this. There is also the classic BugTraq (http://seclists.org/bugtraq) mailing list and the National Vulnerability Database feed (https://nvd.nist.gov/vuln/data-feeds#RSS).
- Download and regression test the patches on a staging system (to make sure they don’t break anything) before deploying to the enterprise.
- Critical vulnerabilities that have published exploit code should be given the highest severity weighting and be addressed immediately – not waiting for a patching cycle.
- Organizations with an automated patch distribution mechanism often establish a short timeframe (average is about 48 hours to one week) for the testing and distribution of critical patches.
- Finally, if this still sounds daunting (and it should), you may want to engage with a comprehensive Managed Security Services Provider (MSSP), such as Abacode (https://www.abacode.com) to handle all this for you. We know IT folks don’t have the bandwidth to deal with all of this, given all their other duties just to keep the network up and running. Also, it does require continuous research to stay on top of all the latest threats and vulnerabilities. So, it makes sense to engage with someone who has the expertise and can manage this for you.