Page 1165 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 1165

Obviously, these devices should be patched to prevent a repeat of this
               attack, but many manufacturers, organizations, and owners don’t

               patch IoT devices. Worse, many vendors don’t even release patches.

               Last, if an organization allows employees to use mobile devices (such
               as smartphones and tablets) within the organizational network, these
               devices should be managed too.


               Patch Management

               Patch is a blanket term for any type of code written to correct a bug or

               vulnerability or improve the performance of existing software. The
               software can be either an operating system or an application. Patches
               are sometimes referred to as updates, quick fixes, and hot fixes. In the
               context of security, administrators are primarily concerned with
               security patches, which are patches that affect the vulnerability of a
               system.

               Even though vendors regularly write and release patches, these

               patches are useful only if they are applied. This may seem obvious, but
               many security incidents occur simply because organizations don’t
               implement a patch management policy. As an example, Chapter 14
               discusses several attacks on Equifax in 2017. The attack in May 2017
               exploited a vulnerability in an Apache Struts web application that

               could have been patched in March 2017.
               An effective patch management program ensures that systems are

               kept up-to-date with current patches. These are the common steps
               within an effective patch management program:

               Evaluate patches. When vendors announce or release patches,
               administrators evaluate them to determine if they apply to their
               systems. For example, a patch released to fix a vulnerability on a Unix
               system configured as a Domain Name System (DNS) server is not

               relevant for a server running DNS on Windows. Similarly, a patch
               released to fix a feature running on a Windows system is not needed if
               the feature is not installed.

               Test patches. Whenever possible, administrators test patches on an
               isolated nonproduction system to determine if the patch causes any
   1160   1161   1162   1163   1164   1165   1166   1167   1168   1169   1170