
CitySmart Blog

Friday, April 22, 2016
Nathan Eisner, COO

Patch management—what you might know as applying updates to software—is often an overlooked and even neglected task. Sometimes, cities may be too busy to apply patches, don’t want to interrupt employees, or simply don’t think the timely application of patches is a big deal. Hey, as long as nothing breaks, right?

However, a recent story in the Atlanta Business Chronicle demonstrates exactly why patch management is important. Take something as innocent as a wireless keyboard and wireless mouse that you might use with your laptop. As Urvaksh Karkaria reports:

“Atlanta-based Bastille has discovered a vulnerability in wireless mice and keyboards that leaves billions of PCs and millions of networks vulnerable to remote exploitation via radio frequencies. Using an attack which Bastille researchers have named “MouseJack,” malicious actors are able to take over a computer through a flaw in wireless dongles, the company said in a statement.”

Scary, huh? Without applying patches and staying aware of security vulnerabilities, you expose yourself to unnecessary cyberliability. Here are some key considerations to help you think about the rigor of your patch management process.

Patch management is an essential element of cyber protection.

As vulnerabilities are found, vendors create a fix and make a patch available. But those patches still have to be deployed or rolled out by your IT staff or vendor. Many patches fix security holes and bugs in software. Not applying patches means that you are leaving security holes open for hackers to exploit.

Sometimes, cities turn patching off because they are afraid that an update will break their software. This is bad because you’re not fixing security vulnerabilities. As cities (and all government entities) are continually held to higher cyber security standards, a simple ongoing task like patch management becomes essential.

You need IT professionals overseeing patch management and following rigorous procedures.

Do not think you’re doing patch management when employees download and install Windows Updates to their computers. Patch management needs oversight by IT professionals. For example, what happens if you install a patch and it breaks something in your software? Would you know how to uninstall it and revert to a previous state? IT professionals know how to test and apply patches, understand which patches are appropriate, and use strict procedures if something goes wrong with a patch.

Non-technical employees aren’t able to test patches before applying them.

An amateur sees patches released by a software vendor and applies all of them. An IT professional knows that not all patches are created equal. Before applying patches, they test them to make sure nothing breaks and no software flaw is introduced. In our case, we run vendor patches through a variety of server and desktop configurations to test for errors. We “green light” those that pass successfully and then install them on your machines. If a patch creates a problem in our test environment, we don’t apply it. Instead, we communicate the issue to the software vendor. We only skip testing when the patch is deemed so critical to your security that it must be immediately applied.

Patches need to be applied to all of your machines regardless of their location.

Patch management loses effectiveness when your employees or IT staff apply patches only to machines on your network at your building and skip machines in other locations. Nowadays, modern patch management allows IT staff or a vendor to apply patches to servers and workstations regardless of location. Yes, that means your computer gets patches applied even if you’re on the road or working from home.

The main takeaway? You need to make patch management a regular, important part of your IT maintenance. Generally, that means experienced IT staff or a vendor overseeing patch management as part of their regular, proactive duties.

Are you patching your servers and computers regularly? Reach out to us with any questions or doubts about your patch management process.