Marlon Ortiz

Change Management

I’d like to talk about an important topic: patch management as a subset of the change management process. First, we need to realize that we make changes on live production systems. To guarantee the proper balance between security and the potential risk of creating unforeseen downtime, patch management should be part of a strong change management methodology.

Change management should cover, at minimum, a standard set of processes including project ownership and governance, end-user feedback, testing approach, deployment roll-out plan, contingency roll-back plan, monitoring and formal documentation. Please note the importance of clear and timely communication between all affected business units, as well as having accurate and proper documentation in accordance with approved policies.

With that out of the way, let’s talk about patch management from a security perspective. Our data processing infrastructures are very complex. They are made of many intricate components: network gear, relational databases, directory services, applications, operating systems, hardware, software, firmware, and more. All these components, by their complex nature, have vulnerabilities that require constant software updates to prevent any exploitation by malicious adversaries.

Symantec Corporation did a study that found the number-one technique used by hackers to breach a company’s network was the exploitation of system vulnerabilities, followed by default password violations, SQL injections and targeted malware. The Australian Defence Signals Directorate, an agency of Australia’s Department of Defence, is charged with providing Information Security (INFOSEC) services to the Australian Government. This agency identified the top four strategies that have the potential to mitigate at least 85 percent of intrusion techniques – whitelisting, application patching, operating system patching and minimization of system administration privileges. Having seen how important patch management is to our security posture, let’s briefly review what are generally considered the minimum components of this process.

  1. Know your environment. It is very important to complete an audit of all your assets. Every component that makes up your production environment needs to be identified and documented. We tend to narrow our efforts to patching applications and operating systems, sometimes forgetting that there are hardware/firmware components that pose a greater security risk. In 2015, Cisco did a sample analysis on 115,000 Cisco devices on the Internet and found that 92 percent of those devices were running with known vulnerabilities. Right now, there is an industry trend of implementing Internet of Things (IoT) devices in our environments (smart environmental controls, smart lights, smart TVs, etc.) without a proper understanding of the complex risk they bring to our environments. Please do an Internet search of “how a fish tank helped hack a casino” for an actual case study.
  2. Expand on the audit by grading the potential security risks to assess exposure. Some critical systems may require a shorter patch cycle than other non-critical systems that may be fine with a longer patch cycle. Also, there is the possibility that some systems or applications can’t be patched (e.g. no availability of patches for legacy systems still critical to business operations, incompatibility of software patches with production environments, etc.), and as a result you are forced to live with this residual risk. In these cases, remember the importance of having proper mitigation controls in place.
  3. Testing. It is probably one of the most critical steps in this process. We need to make sure the proposed patch is not going to create business disruption. If you have the resources, invest in an end-to-end test environment that mirrors your production infrastructure. That means the same versions of applications/operating systems are running on the same type of hardware with the same configuration settings. If you don’t have the resources, try virtualization. There are several software tools that can help simulate your environment. Another option worth considering is to hire a company that provides patch management and testing services.
  4. Deployment. This step requires a balance between manual and automated software tools. Some systems are so mission critical that the safest approach is a manual patch cycle. For the rest of our infrastructure, only automated software tools will help us be consistent in the application of these patches across our complex environments.
  5. Verification. It is always a good practice to validate that all software patches are successfully deployed. It’s also good to follow best practice by doing a vulnerability scan to verify that the applied patches closed the identified vulnerabilities and didn’t create new ones.
  6. Documentation. This final step, proper documentation, should update the baseline configuration to include the applied patches, and it builds on the history of the patch cycle. This historical documentation is very important during audits or litigation because it shows due diligence on the part of the security team.
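The following is an added example, not code from the original article or from the author: a small Python model of the patch-cycle steps listed above, covering the asset inventory with its risk grade and compensating controls (steps 1 and 2), a check that the intended versions actually landed (step 5), a comparison of vulnerability scans taken before and after deployment to show what was closed, what stayed open and what appeared (step 5), and the baseline update with cycle history (step 6). The cycle lengths per risk grade, and every asset name, package, version and finding id, are constructed assumptions for illustration.

```python
"""Added example, not code from the original article: a small model of the
patch-cycle steps (inventory, risk grading, deployment check,
vulnerability-scan verification, baseline documentation). Every asset name,
package, finding id and cycle length here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed patch-cycle length per risk grade, in days (illustrative values,
# not a standard): a higher grade means a shorter cycle.
PATCH_CYCLE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Asset:
    """Step 1: one inventoried component, whatever its kind."""
    name: str
    kind: str                    # "os", "application", "firmware", "iot", ...
    criticality: str             # grade assigned in step 2
    patchable: bool = True       # False for legacy/incompatible systems
    mitigations: list = field(default_factory=list)  # compensating controls


def patch_deadline(asset: Asset, found_on: str) -> str:
    """Step 2: ISO date by which a finding on this asset must be patched."""
    due = date.fromisoformat(found_on) + timedelta(days=PATCH_CYCLE_DAYS[asset.criticality])
    return due.isoformat()


def residual_risk(assets: list) -> list:
    """Step 2: unpatchable assets that have no compensating control on record."""
    return [a.name for a in assets if not a.patchable and not a.mitigations]


def _version_key(version: str) -> tuple:
    # Numeric dotted versions only; sufficient for this illustration.
    return tuple(int(part) for part in version.split("."))


def verify_deployment(expected: dict, installed: dict) -> list:
    """Step 5a: asset:package pairs whose reported version is missing or still
    below what the cycle was supposed to install."""
    return sorted(key for key, want in expected.items()
                  if key not in installed
                  or _version_key(installed[key]) < _version_key(want))


def verify_patch_cycle(before: dict, after: dict) -> dict:
    """Step 5b: compare scans taken before and after deployment.
    Each scan maps asset name -> set of finding ids."""
    result = {"closed": {}, "still_open": {}, "introduced": {}}
    for asset in sorted(before.keys() | after.keys()):
        pre, post = before.get(asset, set()), after.get(asset, set())
        result["closed"][asset] = pre - post        # fixed by the cycle
        result["still_open"][asset] = pre & post    # patch did not close it
        result["introduced"][asset] = post - pre    # new since the cycle
    return result


def update_baseline(baseline: dict, applied: dict, cycle_id: str, applied_on: str) -> dict:
    """Step 6: fold the applied patches into the baseline configuration and
    append the cycle to the history; the old baseline object is left untouched."""
    return {"packages": {**baseline["packages"], **applied},
            "history": [*baseline["history"],
                        {"cycle": cycle_id, "date": applied_on, "applied": dict(applied)}]}


if __name__ == "__main__":
    # Constructed sample data.
    assets = [Asset("db01", "os", "critical"),
              Asset("hvac-ctl", "iot", "medium", patchable=False),
              Asset("kiosk07", "application", "low", patchable=False,
                    mitigations=["network segmentation"])]
    print("residual risk without mitigation:", residual_risk(assets))
    print("db01 deadline:", patch_deadline(assets[0], "2024-01-01"))
    scan_before = {"db01": {"FINDING-001", "FINDING-002"}, "web01": {"FINDING-003"}}
    scan_after = {"db01": {"FINDING-002"}, "web01": {"FINDING-004"}}
    print(verify_patch_cycle(scan_before, scan_after))
```

The point of keeping the before/after scan comparison as three separate sets is that a "still_open" finding tells the team a patch was applied but did not close the issue, while an "introduced" finding is exactly the regression the verification step is meant to catch; both feed the documentation step as part of the cycle's record.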

These steps should cover the basics. Remember, patch management is only a subset of change management. There is no need to reinvent the wheel because there are many resources that expand on these processes. Find these resources and select the best practices to apply in your environment.

There is one last note I’d like to point out. Your patch management cycle and, for that matter, your security posture, should extend to whatever personal devices your employees use – whether at home (home routers are notoriously weak) or on the road – to access corporate systems and applications.

Marlon Ortiz, Information Technology Professional. Creative professional with 20+ years of information technology knowledge in the gaming and hospitality industry. Highly skilled in information security, project management and planning with a strong background in data management, security, analytics and technical strategy. A proven leader who understands that the value of IT lies in delivering solutions to complex business problems within the Gaming and Hospitality Industry. A leadership style that emphasizes the development of people, processes and tools to achieve specific strategic business goals. Focused on connecting IT to other departments within the corporation and delivering effective solutions for business costs and operations. An executive who excels in a fast-paced organization and is ready to take on the challenges that come with that environment. Marlon possesses a Master’s in Cybersecurity and Information Assurance from The Pennsylvania State University. Previously held high-level IT management positions at American Casino and Entertainment Properties, the Morongo Casino Resort & Spa, Harrah’s Entertainment and Aztar Corporation.