1. When thinking about patch management, in your own words discuss the issues with patch management and how virtualization might assist with some of these issues.
2. A security policy is a document that states how the organisation plans to protect the organisation's information technology assets. In your own words, state how a security policy affects the organisation's culture and the two things the policy must balance.
Q1).
Ans :
What Is Patch Management?
Patching software tends to be an annoyance for end users—and all too often, recommended patches go ignored. At the same time, admins may find it difficult to ensure all systems are adequately patched. Software patches and updates are of paramount importance, as they can prevent your software and systems from being vulnerable to bugs, malware, and major issues.
Using patch management software can help you ensure every device on your network is up to date. I find it works extremely well to keep my systems secure and reduce the attack surface intruders can target.
You may be wondering: what is patch management? For most patches, the vendor will release a patch and you’ll be notified an update to the software is available. Patching one piece of software from one vendor is usually a simple process, but if you have a lot of devices with numerous programs, or you want to make sure all your devices are patched at the same time, you’ll need to have a patch management plan and use patch management software. Especially if parts of your system are physical, some are virtual, and some are cloud-based, you might need a special tool to keep tabs across this hybrid environment. Patch management software can help you apply these patches across your entire system in one go, instead of having to apply each patch to each application individually.
Patch management consists of scanning computers, mobile devices or other machines on a network for missing software updates, known as “patches” and fixing the problem by deploying those patches as soon as they become available. Patches are a type of code that is inserted (or patched) into the code of an existing software program. It is typically a stop-gap measure until a new full release of the software becomes available.
Patches are created by software companies when they know of an existing vulnerability, to ensure that hackers don’t use that vulnerability to break into your corporate network.
In patch management, an individual team or automated software determines which tools need patches and when fixes need to be made. Many times, installation can be done to a central administrative computer and be reflected across all other devices. In some cases, patches have to be installed separately on different devices – especially if the patches are for software installed only on a few computers.
Patch management also involves determining which patches are essential and when they should be installed on a system.
Patch management acquires, tests and installs multiple code changes to administered computer systems to keep them updated. The process also determines the appropriate patches for each software program and schedules the installation of the patches across different systems.
Patches are necessary to ensure that the systems are fixed, up to date and protected against security vulnerabilities and bugs that were present in the software. Failure to patch makes a network doubly vulnerable – not only is the vulnerability there, but it has now also been publicized, making it more likely to be exploited by malicious users, hackers and virus writers.
Why Is Patch Management Important?
Patch management may not sound critical, but it can be one of the most important aspects of both the productivity and security of your entire system. There are several different reasons why patching and updating are important, and several other reasons why you should use an automated tool to complete this process.
First, patching is important to ensure all your software is functioning correctly and in the most efficient way. Sometimes when software is out of date, it doesn’t work properly and might be slow or crash often. You need to update it for these problems to be fixed. The longer you go without updating these kinds of issues in an enterprise setting, the more productivity losses result.
Often software or other parts of your infrastructure will get new features as the vendor develops their product further. Updating and patching your software will add these new features, allowing you to keep up with the latest innovations. In a competitive business environment, you don’t want to end up behind your competitors because your software is out of date.
Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Here are a few reasons why patch management is a critical expenditure in almost any IT budget:
Security
Security is the most critical benefit of patch management. Network security breaches are most commonly caused by missing patches in operating systems and other applications. Comprehensive patch management can guard against vulnerabilities across different platforms and operating systems – including Microsoft®, MAC OS X® and Linux® operating systems, Amazon Web Services (AWS), other cloud platforms – as well as third-party applications.
BYOD
The emergence of “bring your own device,” or BYOD, has opened up a whole new avenue of opportunities for cyber-attackers. Employees increasingly use their personal and office devices interchangeably to do their work – requiring personal devices to be protected as well. Good patch management software installs patches across all devices, regardless of their physical location. In the process, it addresses many of the challenges that come with using personal devices.
Productivity
Computer crashes due to defective software can still happen and this eventually leads to lower productivity levels. A patch, on the other hand, reduces the possibility of crashes and downtime, thereby allowing workers to do their tasks without interruptions.
Compliance
Cyberthreats have become commonplace and this is why regulatory bodies are mandating that businesses apply the latest patches to avoid these threats. Noncompliance can lead to stiff penalties, so a good patch management strategy is necessary to comply with these standards.
Feature updates
Patches are not always about fixing bugs. They can also include new features and functionality that can tap into the latest innovations of the software. Companies are constantly working on new features and sending new functionality in the form of patches, so downloading and installing them can help you work better and smarter.
Perspective about the business environment
Patch management can provide an overview of your current business environment. Many times, vendors stop sending patches for their software because they are working on the next version, or the company has gone out of business and is not producing bug fixes. It’s wise to stop using software that no longer has technical support. Patch management helps to identify such software, so you know when to change to new software.
Patch management step-by-step
Installing the latest updates is not the most effective process of patch management. In fact, every tool should follow a detailed set of steps to ensure that the end result is economical, efficient and effective.
Here are some key steps to developing an up-to-date inventory of the existing devices:
Create a patch management policy.
Scan the network and devices on a regular basis to identify vulnerabilities and missing patches.
Validate the successful deployment of the downloaded patches in a testing environment and check for any incompatibilities or performance issues.
Apply the patch across the entire organization, if no issues were uncovered during the testing phase.
Create detailed documentation and reports about patch download, testing and installation for auditing and compliance.
Patch Management Best Practices
Network and device inventory: First, take a thorough and accurate inventory of your entire infrastructure. This means you need to know every device on the network, how it connects to other devices, which operating systems and applications are installed, and what versions you have of each component. It’s common for a network or system to be compromised because of old hardware or software someone has forgotten. Numerous tools are available for small businesses and enterprises to scan their infrastructure and take stock of your entire inventory. This type of scanning should be done regularly and checked for accuracy, to ensure as new devices and applications are added, the inventory doesn’t become out of date.
Standardization: Once you have a thorough inventory of your network and devices, consider standardizing devices and applications wherever possible. If you can make sure all your devices run the same operating system, use the same hardware, are configured the same, and run the same applications, when it comes to patching and vulnerability detection, you’ll be able to complete this process more quickly. Obviously not everything in the infrastructure can be standardized, but whatever steps you can take towards this goal will help you ensure your patch management process is more efficient.
Risk assessment: Completing a thorough risk assessment of your systems is the next step in ensuring your patch management process runs smoothly and effectively. Without knowledge of your vulnerabilities and possible risks, you cannot target patches and updates properly. You need to look at vulnerabilities from several perspectives. First, how severe would any possible threat be, how vulnerable are your systems to this type of threat, and what would the impact be? You can then classify your devices or network sections into groups by level of threat and ensure patching is applied to each device or application on a schedule matched up with how high the risks are to that part of your system. This will remove unnecessary interference with low-risk parts of the system and ensure the most vulnerable parts are checked and patched the most regularly.
Regular scanning and monitoring: Next, to perform appropriate patching and updating, you need to be regularly scanning and monitoring your systems. You can use monitoring tools to determine which parts of your system are missing critical patches. In addition, ensure you keep an eye on vendor patch release schedules and look out for when new patches are available. A patch management tool can also scan for these things and let you know when new patches are available to be applied.
Patch testing: If you’re creating your own patches, you need to make sure they’re thoroughly tested. Ensure you test how a patch applies to your system before you deploy it to your entire network. Some patch management software has pre-tested patches it can apply, so you can feel confident the patches you’re going to use are already confirmed to work properly.
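As an added example (not part of the original answer), the following Python code ties together the inventory, risk-assessment and scanning practices above: it compares an inventory against an advisory feed, finds the missing patches, and orders them by a risk tier built from severity, impact and exposure. The hosts, versions, advisories, scoring formula and deadlines are all constructed assumptions.

```python
def parse_version(text):
    """Turn '3.0.8' into (3, 0, 8) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

# Constructed inventory: what is installed where, plus two risk inputs.
INVENTORY = [
    {"host": "web-01", "internet_facing": True, "impact": 3,
     "software": {"openssl": "3.0.1", "nginx": "1.24.0"}},
    {"host": "hr-db", "internet_facing": False, "impact": 3,
     "software": {"openssl": "3.0.8", "postgresql": "14.2"}},
    {"host": "kiosk-7", "internet_facing": False, "impact": 1,
     "software": {"openssl": "3.0.1"}},
]

# Constructed advisory feed: first fixed version and severity (1 low .. 3 high).
ADVISORIES = [
    {"package": "openssl", "fixed_in": "3.0.8", "severity": 3},
    {"package": "postgresql", "fixed_in": "14.5", "severity": 2},
]

# Assumed policy: risk tier -> days allowed before the patch must be deployed.
DEADLINE_DAYS = {"high": 7, "medium": 30, "low": 90}

def risk_tier(severity, impact, internet_facing):
    """Combine threat severity, business impact and exposure into a tier."""
    score = severity * impact * (2 if internet_facing else 1)
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"

def patch_plan(inventory, advisories):
    """List every missing patch with its tier, most urgent first."""
    plan = []
    for device in inventory:
        for adv in advisories:
            installed = device["software"].get(adv["package"])
            if installed is None:
                continue  # package not present on this device
            if parse_version(installed) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed version
            tier = risk_tier(adv["severity"], device["impact"],
                             device["internet_facing"])
            plan.append({"host": device["host"], "package": adv["package"],
                         "installed": installed, "target": adv["fixed_in"],
                         "tier": tier, "due_in_days": DEADLINE_DAYS[tier]})
    return sorted(plan, key=lambda item: (item["due_in_days"], item["host"]))

if __name__ == "__main__":
    for item in patch_plan(INVENTORY, ADVISORIES):
        print(item)
```

The same OpenSSL gap lands in the high tier on the internet-facing web server and in the low tier on the kiosk, which is the schedule-by-risk grouping the risk assessment step describes.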
Common Patch Management Problems
Unexpected Patch Failures
When installing new patches on systems, there are a number of things that can go wrong. From compatibility problems with existing software components, to weaknesses within the patch itself, these failures leave your system open to vulnerabilities.
Sometimes the cause of a patch failure is as simple as you installed the patch and forgot to reboot the system. Other times, it is not so simple. If your internal IT support is struggling, or you simply are relying on yourself to fix this problem, you can quickly become frustrated and confused.
Outsourcing your patches and updates to a managed services provider like Orion helps to avoid these common patch management problems. By having access to the latest patch management technologies and proactively maintaining your infrastructure, your support can detect the vast majority of issues before they are installed on your system. This reduces the likelihood of a patch failure from the beginning.
Lack of Mobile Control
As we mentioned in our blog post about Mobile Security, controlling mobile devices is a huge challenge for IT managers. The concerns around mobile devices do not stop at security, however. Implementing patches and updates to keep corporate data secure on a mobile device that may or may not be company owned is a very common patch management problem.
A managed patch provider that can provide holistic mobile device management can take care of this for you as well. Through controlling the devices end-to-end, you can ensure that data leaving your building on a tablet or mobile phone will be secured as well.
Manual Patching
Bottom line, manually patching every application on every system in your company isn’t a practical solution. This is especially true in large businesses where the application inventory typically ranges from hundreds to thousands. In a perfect world, sure, IT would have the time and resources to do each of these updates one at a time. But this is not a perfect world.
The good news is that, most of the time, manual patching is not even necessary. A managed patch provider can remotely implement most patches needed within organizations, relieving internal teams of having to do so.
Regulatory Compliance Requirements
Effective and timely patch management plays a vital role in ensuring that your organization can meet industry-specific compliance requirements. This adds an extra layer of concerns and headaches for IT professionals.
Outsourcing your patch management needs to an MSP will also relieve you of having to worry about compliance requirements. Compliance requirements, such as those associated with HIPAA, PCI, PII, SOX, and others, will be ingrained into your SLA, which will define how patches are handled across your organization.
Q2)
Ans :
Information Security Documentation:
The Information Security Policy applies to all organization information systems, not just to those provided by ITS. It is a definite course of action adopted as a means to an end expedient from other considerations. The policy does not cover hardware/software specific issues, as these are covered in the Information Security Standards and Procedures. The policy contains a statement clearly stating a course of action to be adopted and pursued by the organization and contains the following.
Information security can be seen as a balance between commercial reality and risk.
Foreword
The Information Security Policy contains a foreword by the CEO explaining the reason for the policy.
Scope
The scope of the document relates to all of the organization's information assets, not just those on the mainframe.
Policy statement
The policy statement is just that: a statement of intent.
Objectives
The objectives outline the goals for information security. As you can see they are quite extensive and will continue to be added to as new technologies are introduced.
Statement of responsibilities
This is an important section as it outlines who is responsible for what, right from the board of directors.
Information Security Standards and Guidelines
A standard can be defined as a level of quality which is regarded as normal, adequate or acceptable. For the purposes of the information security standards, it defines the minimum standards which should be applied for handling the organization's information assets. The standards documentation contains various chapters relating to USERIDs and passwords, emergency access, communications etc.
The Information Security Standards should be used as a reference manual when dealing with security aspects of information. They contain the minimum levels of security necessary for handling the organization's information assets.
Information Security Procedures
Procedures can be defined as a particular course or mode of action. They describe an act or manner of proceedings in any action or process. The procedures explain the processes required in requesting USERIDs, password handling, and destruction of information. The procedures for requesting USERIDs or access changes will be conducted in the future via E-mail with easy to use templates that prompt the requester for all the information required. Requests can be expedited in a matter of minutes providing greater productivity for all concerned.
The Information Security Procedures can be described as the “action manual”. It contains the following how-to sections.
▪ USERIDs Request Procedures: This section outlines in detail the steps required to request access to the system, change access, or suspend/delete access. There are clear, easy-to-follow steps with diagrams of the panels you will encounter and instructions on how to complete the different fields. There are individual sections on good password procedures, reporting breaches of security and how to report them.
▪ Personnel Security Procedures: This section outlines personnel security procedures for hiring, induction, termination and other aspects of dealing with information security personnel issues.
▪ Disposal of Sensitive Waste: The disposal of sensitive waste is indeed a high-profile issue at the moment, especially in light of recent stories in the popular press. It is amusing to see what is on the back of the reused computer paper that comes out of the kindergarten.
Why Do You Need a Security Policy?
Who is responsible for securing an organization's information? Perhaps the Research and Evaluation department? Not exactly. The Management Information System (MIS) staff? Wrong again. Ultimately, it is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself. It is, therefore, incumbent upon top administrators, who are charged with protecting the institution's best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization.
While policies themselves don't solve problems, and in fact can actually complicate things unless they are clearly written and observed, policy does define the ideal toward which all organizational efforts should point. By definition, security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization's system and the information included in it. Good policy protects not only information and systems, but also individual employees and the organization as a whole. It also serves as a prominent statement to the outside world about the organization's commitment to security.