• United States




Patch management – not for the faint of heart

Oct 09, 20175 mins
Data and Information SecurityData BreachPatch Management Software

If you're a U.S. consumer, you're likely pretty peeved at Equifax right now. By all accounts, a missed patch led to the exfiltration of highly personal data on more than 145 million consumers. If patch management were easy, Equifax would likely still have our data. The simple fact is, however, patch management is hard, a problem we must all face. While there are no easy solutions, there are steps you can take to make the process more achievable.

03 patch
Credit: Thinkstock

By now, most in the US are aware of the massive data breach at Equifax, with data on an estimated 145 million consumers being disclosed. Initial reports link the breach to a missed patch on a key web software component, which has been available for some time, but not applied by Equifax.

 My consumer side is mad at Equifax. They have been entrusted with my most personal data, and due to their careless patching, I and many other consumers will be looking over our shoulders for years to come. On the other hand, my professional side is inclined to be considerably more understanding. After all, a good patching strategy is very difficult to implement. Even if a leading edge organization finds a way to stay current, they still have trouble keeping up with the zero day vulnerabilities and those that are, as yet, undisclosed. 

Most organizations understand the importance of patching their systems. At the risk of over-simplifying the problem, their reluctance to do so is explained by a simple equation:

patching = downtime = lost revenue

Since many companies have web applications used by consumers at all hours, they never want those applications to be unavailable. Therefore, they are reluctant to schedule downtime for patching. 

The problem is even greater in true 24/7 industries such as healthcare, where patient care at 3am is just as important as it is at 10am. There just is no good time to that systems down to patch them. 

Another challenge lies in the fact that In a typical larger organization, patch management often involves a variety of departments. One group, often Information Security, is pressing other groups to patch their servers aggressively. Those groups often push back, because they don’t want downtime, or have other priorities. Getting the job done in these cases usually involves negotiation and diplomacy, disciplines that we technical folks often find difficult to apply. 

It is clear that patch management involves a number of challenges, but none of us want to be the next Equifax. As such, we must find a way to tackle the problems and secure our systems. The following are some suggestions for achieving a workable patch management program: 

It’s all about risk management

I am a bit of an idealist, so I would love to apply every patch available to all of my systems. Most patches, however, have some impact on the organization. The secret is to balance the need for patching with the need to keep the organization running. Patches for high-risk vulnerabilities on public-facing systems need to be patched quickly, because the cost to the organization of not patching, in these cases, can be more than the cost of the inconvenience. Other vulnerabilities may be less exploitable, only applying to internal systems. These can often be safely delayed. The organization’s risk in not patching must be carefully balanced against the cost of doing so. 

You can’t patch it if you don’t know it exists

It may seem obvious, but you can only patch systems that you know about. Many organizations have hidden systems, which often reside in a closet or dark room somewhere, and are quickly forgotten after installation. An accurate, living inventory of systems is required to have any degree of success with a patch management program. 

It’s not just about PCs and servers

Some of the most vulnerable devices in an organization are not traditional PCs or servers – they are network and Internet of Things (IoT) devices. They too require patching, and most not be forgotten or ignored.  Finally, don’t focus on the OS and ignore software from other vendors, like Adobe, Apache, and many others. 

Patch and vulnerability management go hand-in-hand

A vulnerability management program involves taking  a different view of the patching problem,  by attempting to identify vulnerabilities which require  patching. Using vulnerability scanning systems, such as Qualys, organizations can monitor their systems for actual vulnerabilities, rather than just arbitrarily applying patches. This approach also allows for confirmation that patching did resolve the vulnerabilities for which the patch was intended. 

It you can’t patch, apply mitigating controls

There are legitimate circumstances under which patches just cannot be applied. An example is medical devices, for which each patch must be carefully evaluated and coordinated with the device manufacturer to avoid impact to patient care. This is still an issue for users of many such devices that have yet to have their manufacturers release patches for the WannaCry ransomware worm. In such instances, it is necessary to apply some sort of mitigating controls, such as disabling external network access, or turning off some functionality. 

Be your organization’s United Nations

As I noted above, establishing and maintaining a good patch management strategy takes diplomacy. You will need to give some ground to get some. Look for allies in other teams, and state in clear terms why patching is required, without drama or hyperbole. Strong support from organizational leadership is of great value in getting a patching program implemented. 

Bottom line – patch management is hard. Given technological constraints, this fact is unlikely to change soon. We need to do the best we can to stay current with patching, because the consequences of failure are serious. If you are not convinced, ask a former Equifax executive.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author