Patches are inevitable security for all software applications. Ensuring updated patch security is possible only through effective patch management.
Cyber security threats are constantly evolving. While on one side cyber security professionals are trying to make the internet and IT world more secure, on the other side cyber criminals are trying to find out ways to identify new vulnerabilities and penetrate the defenses to eavesdrop, compromise and steal data.
Patches are issued by the operating system vendors, software application vendors (including antivirus solutions) and hardware vendors (they provide updates for firmware).
Vendors release patches when:
When vendors release patches they make an announcement. IT administrators must have a system to check for patch updates for the operating systems and applications. Manual checking is not feasible. An automated patch management system is needed. Not only do the patches have to be downloaded, but they also have to be applied.
There are several issues associated with this task. Promptly checking for any available patch updates. Downloading them and checking their integrity. Then applying them promptly. If a malware campaign is going on somewhere and the vendor associated with the application related to the breach releases a patch then this must immediately be applied without any delay. The time difference from the period when the security issue/breach has been identified to the period when the patch is successfully applied is called as the window of vulnerability. The longer the delay, the more dangerous it is for the IT systems.
Whatever dangers there may seem to be, a considerable portion of the IT industry does not apply patches promptly. Just around 60% seem to do it properly. Among educational institutions, the figure was even more pathetic — just around 20%. The critical question is that IT administrators in educational institutions are believed to be comparatively more informed.
There are a few valid reasons for not applying patches immediately
Enterprises must have an effective test system to check out the compatibility of the new patches before applying them to the production systems. This must be religiously followed or the price that may have to be paid would be quite high.
The complacency and delay in applying patches would cost the enterprise in terms of system down time, lost productivity, data loss/theft, litigation costs, and loss of reputation.
For an educational institution such as a university, a patch management system would provide great benefits. With the encouragement for BYOD, the variety of devices connecting to the enterprise network would be voluminous. The risk of vulnerabilities also increase proportionately and hence patch management is necessary for university IT security.