We spend a lot of time each month discussing the technical details surrounding vulnerabilities, software updates, and the tools we use for patch management in our organizations. But in the end, the success of patch management is dependent on the coordination of all the people involved.
This month, I’ll look at some of the major players involved in the patch management process. Don’t get hung up on the job titles I choose because they may not be the same for your company. Rather, consider the roles and motivations associated with each job. And keep in mind that large corporations often have the luxury of large teams with well-defined roles, whereas small companies may compress these roles into teams of one or two people.
At a central position within a company, there is often someone in the role of a security analyst. This analyst is responsible for collecting vulnerability results and analyzing them in terms of applications and groups of systems. The analyst is also responsible for prioritizing the remediation of these vulnerabilities to lower the risk to the company and ensure both internal and external service level agreements can be met.
The security analyst works very closely with the traditional IT administrator. This administrator is responsible for taking the recommendations from the analyst and putting them into action. This individual conducts the actual patch operations and confirms the service level agreements are met.
Business units are often organized around a specific function and rely upon a set of special applications. These business units often have an assigned application owner and application administrators. Their duties are to ensure the stability and performance of these applications. This includes having a detailed understanding of the associated vulnerabilities for these applications and ensuring they are remediated to prevent negative business impact.
It is critical that these application owners and administrators have a direct and ongoing channel of communication with the security analysts and IT administrators to ensure they are in ‘lock step’ as they identify critical vulnerabilities, prioritize the patches, and execute the updates to protect their infrastructure.
The end users in the organization usually want little or no involvement with any of this process. They want their laptops or desktops to be available when they need them, so they can focus on their jobs and be productive. However, it is imperative they have the security awareness training to recognize any threats to their little ‘nirvana’. Phishing attacks with a ransomware lockdown can rapidly end a productive day. These users still have a responsibility to communicate any potential security issues to their management or the company security professionals.
Here’s what we can expect next week for February Patch Tuesday.
February 2021 Patch Tuesday forecast
- Microsoft should be ramping up for the year and we will see more vulnerabilities addressed than in January. In addition to updates for Windows 10 and the legacy operating systems, updates for Office, Microsoft 365, and the associated SharePoint server will be released. The Edge browser updates have been hit or miss each month, but I would expect one. We saw a rare SQL Server update last month, so I don’t anticipate one this month. We are almost guaranteed servicing stack updates (SSUs) each month.
- We start our second year of extended security updates (ESU) for Windows 7 and Server 2008 this month. Expect the security-only and monthly rollup patches as usual.
- Adobe made a pre-notification announcement for an Acrobat and Reader security update under APSB21-09 for next week.
- Apple released security updates for Safari and Big Sur at the beginning of February, and an iCloud update at the end of January. We may see an iTunes security release for Windows next week.
- Google Chrome was updated to 88.0.4324.146 for Windows, Mac and Linux this week, which included 6 security fixes. There may be a minor update next week.
- Mozilla released a security update for Firefox 85, Firefox ESR 78, and Thunderbird 78 at the end of January. I wouldn’t be surprised to see another security update next week.
Security communications across your organization are a vital part of the patch management process. Consider your communications as we approach this Patch Tuesday to see if there is room for improvement.