Patch management ensures that systems and applications stay up to date with current patches. If you’re planning to take the Security+ exam, you should have a good understanding of patch management procedures to protect systems against known vulnerabilities.
For example, can you answer this question?
Q. A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments?
A. Baseline image
B. BYOD
C. Virtualized sandbox
D. Change management
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Scheduling Patch Management
Microsoft releases most of its patches on the second Tuesday of the month (known as Patch Tuesday). IT departments can plan around this release so that they can immediately begin evaluating the patches, testing relevant patches, and deploying them. Organizations with certain partnerships with Microsoft often receive advance notice of these patches, which allows them to plan for them before Patch Tuesday. Microsoft will sometimes release an out-of-band (OOB) patch outside this schedule, but it only does this for critical vulnerabilities.
Other operating systems, such as Unix and Linux, don’t currently release patches on a fixed schedule, but they still release patches. Administrators can sign up for notifications about patches and plan their timeline based on these notifications.
Immediately after Microsoft releases patches on Patch Tuesday, many attackers go to work. They read as much as they can about the patches, download them, and analyze them. They often attempt to reverse engineer the patches to determine exactly what the patch is fixing.
Next, the attackers write their own code to exploit the vulnerability on unpatched systems. They often have exploits attacking systems the very next day—Exploit Wednesday. Because many organizations take more than a single day to test the patch before applying it, this gives the attackers time to attack unpatched systems. For organizations without a patch management program, it gives attackers much longer to attack unpatched systems.
Additionally, some attackers discover previously unknown vulnerabilities before Patch Tuesday. They know that Microsoft will be releasing patches on the second Tuesday of the month, so they wait until the second Wednesday before launching major attacks that exploit the vulnerability. Unless Microsoft releases an out-of-band patch, this gives them a full month to exploit systems before a patch is available.
Testing Patches
Patches can fix one problem but create others, such as an endless rebooting loop. Consider the worst-case scenario. In some unfortunate situations, systems shut down and never work again. If this happens to your home computer, it is inconvenient. However, if one thousand computers within an organization stop working one day, it can be catastrophic.
Organizations avoid this problem by testing patches before deploying them. The goal of testing is to ensure that a patch does not introduce new problems. For testing to be realistic, you need to install the patch on systems that mirror the production environment. In other words, if all the users have new computers, it won’t do any good to test a patch on an older system.
Regression testing is a specific type of testing used to detect any new errors (or regressions). In regression testing, administrators run a series of known tests on a system and compare the results with previously run tests.
Deploying and Verifying Patches
After testing the patches, administrators deploy them. They don’t deploy the patches manually, though. Instead, they use systems management tools to deploy the patches in a controlled manner. For example, Microsoft ConfigMgr is a systems management tool used for many purposes, including patch management.
In addition to deploying patches, systems management tools also include a verification component that verifies patch deployment. They periodically query the systems and retrieve a list of installed patches and updates. They then compare the retrieved list with the list of deployed patches and updates, providing reports for any discrepancies. In some networks, administrators combine this with network access control (NAC) technologies and isolate unpatched systems in quarantined networks until they are patched.
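The verification step described above, as an added example that is not part of the original post: each host's reported inventory is compared against the set of patches the administrators deployed, discrepancies are reported, and the non-compliant hosts are listed for a NAC quarantine policy. The patch IDs and host names are constructed sample data, not real KB numbers.

```python
"""Patch-deployment verification: compare each host's installed updates
with the set of updates the organization deployed, and report gaps.

Constructed sample data (not real hosts or KB numbers); the host inventory
stands in for what a systems management tool retrieves from its agents."""
from dataclasses import dataclass, field

# Patches the administrators deployed after testing (constructed IDs).
DEPLOYED = {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"}

# What each host reported when queried (constructed inventory).
INVENTORY = {
    "ws-01": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"},
    "ws-02": {"KB-EXAMPLE-001", "KB-EXAMPLE-003"},
    "ws-03": set(),  # host checked in but reports no patches at all
    "ws-04": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003",
              "KB-EXAMPLE-099"},
}

@dataclass
class HostReport:
    host: str
    missing: set = field(default_factory=set)     # deployed but not installed
    unexpected: set = field(default_factory=set)  # installed but never deployed

    @property
    def compliant(self) -> bool:
        # A host is compliant only when every deployed patch is present.
        return not self.missing

def verify(deployed: set, inventory: dict) -> dict:
    """Return a HostReport per host, as the verification component would."""
    reports = {}
    for host, installed in inventory.items():
        reports[host] = HostReport(host, deployed - installed, installed - deployed)
    return reports

def quarantine_list(reports: dict) -> list:
    """Hosts a NAC policy would isolate until patched (sorted for stable output)."""
    return sorted(h for h, r in reports.items() if not r.compliant)

if __name__ == "__main__":
    reps = verify(DEPLOYED, INVENTORY)
    for host, r in sorted(reps.items()):
        status = "OK" if r.compliant else f"MISSING {sorted(r.missing)}"
        extra = f" (unexpected {sorted(r.unexpected)})" if r.unexpected else ""
        print(f"{host}: {status}{extra}")
    print("quarantine:", quarantine_list(reps))
```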
Q. A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments?
A. Baseline image
B. BYOD
C. Virtualized sandbox
D. Change management
The answer is C. A virtualized sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to its original state.
A baseline image is a starting point of a single environment.
Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question.
Change management practices ensure changes are not applied until they are approved and documented.