GUEST ARTICLE Patch and Vulnerability Management – What You Need to Know By Jason Schaller, My Rogue Network Most businesses do not understand the difference between patch management and vulnerability management. To make matters worse, IT departments and Managed Service Providers habitually use them interchangeably, which may negatively affect your cybersecurity program’s effectiveness. While patch management and vulnerability management maintain a compatible relationship, they have separate duties, and may impact your organization’s IT risk. What is Patch Management? Patch management applies software updates to fix specific problems a manufacturer found in their product. When speaking of patch management, most people think of Microsoft and the monthly reminder to reboot to apply patches to their computer. However, that is only the beginning. Individual software on a computer also needs to be patched. Software like Java, Adobe and web browsers also need to be patched, as do hardware and networking appliances such as firewalls, switches, routers, and firmware on computers and servers. Although vulnerability management is a larger topic than patch management, it complements patch management by detecting whether IT personnel applied patches correctly. What is Vulnerability Management? Vulnerability management is discovering, prioritizing, reporting and remediating vulnerabilities across the network infrastructure. A common misconception is that a patched system has no vulnerabilities. Unfortunately, patches do not mitigate all vulnerabilities. Sometimes a person needs to complete a complicated task to fix a vulnerability. That was seen by guidance from Microsoft on May 30, 2022, with the Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). At the time this article was written, Microsoft does not have a patch for this vulnerability and work must be done to the Windows Registry to fix it. If an organization is simply doing patch management, they would have a false sense of security that vulnerabilities do not exist. A properly configured vulnerability management program would detect the vulnerability and inform you know that additional work is needed. Do I need Patch Management and Vulnerability Management? A good cybersecurity program should be prepared to handle both patch management and vulnerability management. Think of vulnerability management as doing double duty in your organization. It is there to “audit” your patch management while educating you on additional IT risks to your organization. Now is the time to ask your IT department or Managed Service Provider about how vulnerabilities are being detected, prioritized, reported and remediated. On top of that, you should be seeing reports on what was patched versus what is still outstanding. Do we install all patches and mitigate all risks? Your organizations should see reports on patching, vulnerabilities and their remediation so business decisions can be made about IT-based risk. However, there should be a process to “accept risk,” as not all patches may be able to be applied and some vulnerabilities may not be remediated. For instance, you may need to run an outdated web browser or Java to have a legacy system continue to function. Running an outdated version of software comes with risk, which management throughout the organization Continued on page 20 The Community Banker 19
RkJQdWJsaXNoZXIy MTU2Mjk4Mw==