Control 3.5: Deploy Automated Software Patch Management Tools
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Category
Technical
Purpose
Security patches are updates to a computer system's operating system or installed software, and applying them is a basic part of IT maintenance. Just like patching the OS, patching installed applications is a basic part of cybersecurity. Patches from application developers may add new features, but they also contain fixes for recently discovered security vulnerabilities. Without a constant stream of security patches, old and insecure applications can have their vulnerabilities exploited and be infected by malware that reads sensitive enterprise data, or simply destroys it.
Automation
Some operating systems help remind users to update certain applications, especially those obtained from the application marketplace that is part of the operating system. With today's platforms, app stores are not just on mobile devices: Microsoft Windows 10 has an app store called Windows Apps, and Apple's store is called the Mac App Store. Both stores can be configured to automatically install updates from the application developer for software that was initially installed via the app store.
Software obtained outside of an app store must be updated in an entirely different manner: third-party software distributed outside the app store requires dedicated management software to patch it. Keeping the total number of programs installed on a computer as small as possible helps with both management and security, by reducing the attack surface.
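One way to verify that the two update paths described above are actually in place on a Windows 10 endpoint, as an added example that is not from the CIS guide or from any of the tools listed below: the script inventories non-Store (Win32) software from the registry Uninstall keys, compares each program against a minimum-version baseline that the patch-management tool should have deployed, counts how many third-party programs are installed at all, and reports whether Group Policy has switched off Microsoft Store automatic app updates. The $Baseline table and the "Example ..." product names are constructed sample data; the script assumes an elevated PowerShell session.

```powershell
# Added example, not code from the CIS guide or from any tool it lists.
# Assumptions: Windows 10, elevated PowerShell session; $Baseline is a constructed
# sample mapping DisplayName prefixes to the minimum version the patch tool should have deployed.
$Baseline = @{
    'Example Viewer'   = [version]'2.5.0'
    'Example Archiver' = [version]'19.0'
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionSafe([string]$Text) {
    # Normalise vendor strings such as "19.00 (x64)" into something [version] accepts.
    $clean = ($Text -replace '[^\d.]', '').Trim('.')
    if ($clean -notmatch '\.') { $clean = "$clean.0" }
    try { return [version]$clean } catch { return $null }
}

# Win32 (non-Store) applications register under the Uninstall keys; Microsoft's own
# components are skipped because Windows Update, not a third-party tool, patches them.
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion -and $_.Publisher -notlike 'Microsoft*' } |
    Sort-Object DisplayName -Unique

$Report = foreach ($app in $Installed) {
    $rule = $Baseline.Keys | Where-Object { $app.DisplayName -like "$_*" } | Select-Object -First 1
    $have = ConvertTo-VersionSafe $app.DisplayVersion
    if (-not $rule) { $status = 'NoBaseline' }
    elseif (-not $have) { $status = 'UnparsableVersion' }
    elseif ($have -lt $Baseline[$rule]) { $status = 'Outdated' }
    else { $status = 'Compliant' }
    [pscustomobject]@{
        Name = $app.DisplayName; Installed = $app.DisplayVersion
        Required = $(if ($rule) { $Baseline[$rule] } else { '-' }); Status = $status
    }
}

# The Store's own switch: policy value AutoDownload = 2 means automatic app updates are turned off.
$store = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -Name AutoDownload -ErrorAction SilentlyContinue
$storeState = if ($store -and $store.AutoDownload -eq 2) { 'disabled by policy' } else { 'not disabled by policy' }

$Report | Sort-Object Status, Name | Format-Table -AutoSize
"Third-party programs installed outside the Store: $(@($Installed).Count)"
"Outdated against baseline: $(@($Report | Where-Object Status -eq 'Outdated').Count)"
"Microsoft Store automatic app updates: $storeState"
```

Programs reported as NoBaseline are the ones to either add to the patch tool's coverage or remove, in line with keeping the installed set as small as possible.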
Guidance and Tools
In many instances it may be worthwhile to install applications only from the Microsoft App Store, since updates to those applications can be managed more easily. Not all business applications are available in the Microsoft App Store, so this will likely be only a partial solution.
- Itarian: This package offers a free patch management solution for Windows (https://us.itarian.com/patch-management/free-windows-patch-management-software.php).
- Opsi: Opsi is a more complicated solution that can help to manage both Windows and Linux platforms (https://www.opsi.org).
- PDQ: The free tier can assist in keeping systems up to date (https://www.pdq.com).
- Microsoft Store: If applications are installed via the Microsoft Application Store, they can be set to be automatically updated (https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates).
Step-by-step instructions for implementing this Sub-Control can be found in: Automatic Application Updates via the Microsoft Application Store.