The Challenge of Patch Management

Depending on where I travel and with which customers I talk, patch management is still the number 1 issue coming up. Not only is the challenge to deploy the updates – much worse, there is still an awareness issue in a lot of markets. People know that they should patch but too often do not do it – and if they do, well, there is no real process attached to it. Additionally, one of the issues I often raise publically is, that a lot of companies still focus on Microsoft products "only". I basically like it, when they keep "our" part of the infrastructure current but there is a lot more…

We all know that the base for any security in any infrastructure is to stay current – often not only on patches but on software versions as well. I guess we all agree on that. But it gets worse. What about firmware and BIOS? How will we be able to keep them current? What do we do with protocols that are flawed, which need a major migration?

The reason, why I come up with this is, that I read three articles this morning all going into this direction:

And there are a lot of similar challenges. How do we handle such updates? How do we even find them? We have seen a lot of these issues recently in hardware and even in goods, which have computers embedded – like cars.

This is still a very, very manual thing and I have currently no idea how to address such challenges besides having a good inventory, and understanding of the business processes to do a proper risk assessment and then a process handling the security updates. What would be needed from your point of view?

My real fear is that we will see the attacks moving down the stack more broadly. If you can control the routers in a target's environment, well this would definitely be an interesting thing.


No Comments