How should CISOs handle security patching with IT administrators?

Symantec’s annual “Internet Security Threat Report” highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?

Patching is a prevention measure that protects systems from unauthorized users, malware or errors that adversely affect normal processes. Products such as Microsoft Office, antivirus software, network devices, Linux and Windows servers, midrange computing systems and large mainframes all need security patches, program temporary fixes or updates. Updates are different from patches, but it’s helpful to discuss them together, since some updates not only provide enhancements to products but may also eliminate errors and possible vulnerabilities. Security patching can be automated, but many organizations choose to patch selectively because of limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.

Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to maintain current patches within 30 days of patch notices. However, a significant number of companies do not consider patching a priority until a vulnerability has been exploited and results in an outage or breach, or until patching is required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify critical missing patches and give enterprises better patch management.

Security patching can and should be done by system administrators, but security teams may be in charge of monitoring critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the installation’s change control procedures.

In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:

  • Outline a vulnerabilities and patching policy that the enterprise uses to handle the identification of vulnerabilities, roles and responsibilities related to patching activities, sources for identifying vulnerabilities and the sources for identifying required patches;
  • Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
  • Update the patch management software that automatically keeps desktops, laptops and remote users current with the latest security patches and software updates;
  • Subscribe to an alerting service — typically from vendors for software requiring patches — that will supply information of new vulnerabilities and associated patches; and
  • If the enterprise is subject to PCI DSS compliance, make sure it meets PCI DSS requirement 6.2, which requires all system components and software to have applicable vendor-supplied security patches installed within one month of release.

Security patching can be tedious and seemingly unrewarding work, but when patches are kept current, they effectively — and without fanfare — prevent major vulnerabilities from being exploited. If security patching is neglected, however, it will eventually result in expensive interruptions that require remediation resources after a breach or outage.
