Do you patch your systems? How do you know?

Oct 09, 2017 | 3 mins

Data and Information Security | Patch Management Software | Security

Can you answer this question: how do you know the laptop that shows up today in Tokyo is the same one that was in New York last week? Make sure you have a complete inventory of hardware and software so you can be confident your patching is thorough. If you're not sure you have a clear accounting, opportunities for security breaches exist.


The Center for Internet Security (CIS) Critical Security Controls makes a good effort to prioritize IT Security controls. This prioritized list of controls provides an implementation pathway that closes the biggest security gaps first. There are 20 controls in total, and CIS calls out the “First Five” as being the most fundamental controls for an IT Security Program. They are:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configuration for Hardware and Software
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges

Security specialists are sometimes surprised at the first two items in the list. Why are inventories of hardware and software the most fundamental items for IT Security? To answer that, I’d like to tell a story.

A few years ago, I was the Chief Security Officer at a small financial services provider (a fintech company). This company had grown due to recent acquisitions and had become an increasingly significant industry provider of bank payment services. Because of this growth, the company attracted the attention of financial regulators who were increasingly interested in their IT security operations.

One of the items of interest to the regulators was patch management. I spent a few weeks with the regulators discussing all aspects of the company’s IT security, including patching. One of the interviews started with, “Let’s talk about patch management. Are you patching your servers and workstations?” I had spent several months making sure our systems were patched and up to date, so I answered confidently that yes, we regularly patch our systems. His second question was far more difficult to answer. He asked, “How do you know?”

Implied in his question were several other questions: “How do you know that you are patching ALL the systems?”; “How do you know that you are applying patches for ALL the software on those systems?”; “How do you know that the laptop that shows up today in Tokyo is the same one that was in New York last week?” 

Of course, answering these questions requires more work. The answers are possible because of those first two CIS controls. For example, “I know I’m patching all my servers because I have an inventory of them.” Or, “I know I’m patching all the workstations and laptops because I know what is authorized and not authorized on my network, and I can identify a laptop uniquely, regardless of where it is on the network.”  Also, “I know that I’m patching all the software because I know what software is running on each system.” The first two Critical Security Controls are critical because they make all the other controls effective. The first two controls provide answers to the “how do you know” question. 
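The reconciliation described above, as an added example that is not from the article: join a hardware and software inventory (CIS Controls 1 and 2) to a patch tool's report on the hardware serial, not the hostname or IP, so a laptop that moves from New York to Tokyo is still recognized, and report every gap that would leave "how do you know?" unanswered. All inventory and report rows are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    serial: str          # hardware identity, stable across sites and IP changes
    hostname: str        # name at the time of inventory; may drift
    software: frozenset  # authorized software inventoried on this asset


# Constructed authorized-hardware inventory with the software on each asset.
INVENTORY = [
    Asset("SN-1001", "nyc-lt-07", frozenset({"os", "browser", "office"})),
    Asset("SN-1002", "nyc-srv-01", frozenset({"os", "db"})),
    Asset("SN-1003", "lon-lt-02", frozenset({"os", "browser"})),
]

# Constructed patch-tool report, one row per product it patched on a device.
# SN-1001 has moved and been renamed, SN-1003 never checked in, SN-9999 is unknown.
PATCH_REPORT = [
    {"serial": "SN-1001", "hostname": "tyo-lt-21", "product": "os"},
    {"serial": "SN-1001", "hostname": "tyo-lt-21", "product": "browser"},
    {"serial": "SN-1002", "hostname": "nyc-srv-01", "product": "os"},
    {"serial": "SN-1002", "hostname": "nyc-srv-01", "product": "db"},
    {"serial": "SN-9999", "hostname": "unknown-pc", "product": "os"},
]


def reconcile(inventory, report):
    """Return the gaps between what is inventoried and what the patch tool saw:
    unreported (inventoried, never patched), unauthorized (patched, not inventoried),
    relocated (same serial, different hostname), unpatched_software (inventoried
    product with no patch record on a device that did report)."""
    seen, hosts = {}, {}
    for row in report:
        seen.setdefault(row["serial"], set()).add(row["product"])
        hosts[row["serial"]] = row["hostname"]
    known = {a.serial for a in inventory}
    return {
        "unreported": sorted(known - set(seen)),
        "unauthorized": sorted(set(seen) - known),
        "relocated": sorted(a.serial for a in inventory
                            if a.serial in hosts and hosts[a.serial] != a.hostname),
        "unpatched_software": sorted(
            (a.serial, p) for a in inventory for p in a.software
            if a.serial in seen and p not in seen[a.serial]),
    }


if __name__ == "__main__":
    for gap, items in reconcile(INVENTORY, PATCH_REPORT).items():
        print(f"{gap}: {items}")
```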

My experience was with regulators, but the issue is the same if a company gets breached, if data gets stolen, or even if you are just giving an accounting to executives or the board. Corporate executives, regulators, boards of directors and law enforcement will want assurances, even guarantees, that control measures are effective and complete. If the IT department doesn’t have a clear accounting of all the hardware, it cannot know that all the systems have been remediated. If IT doesn’t know what software is running, it cannot be sure the fixes will be effective everywhere. When you report to the boss that “we fixed it” and she asks, “How do you know?”, a complete inventory of hardware and software is a good way to start answering the question.


Phil Richards has both breadth and depth of security experience. He is currently the Chief Information Security Officer (CISO) for Ivanti. He has held other senior security positions, including Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

In his security leadership roles, he has created and implemented Information Security Policies based on industry standards. He has led organizations to clean PCI DSS and SSAE SOC2 compliance certifications, implemented security awareness training, and established a comprehensive compliance security audit framework based on industry standards. He has led organizations through GLBA risk assessments and remediation and improved their risk profiles. Finally, he has implemented global privacy policies, including addressing privacy issues in the European Union.

Transforming an organization requires focus on the objectives, clear communication, and constant coordination with executive leadership, which is exactly what Phil has focused on during his security career.

The opinions expressed in this blog are those of Phil Richards and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.