Page 1166 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
unwanted side effects. The worst-case scenario is that a system will no
longer start after applying a patch. For example, patches have
occasionally caused systems to begin an endless reboot cycle. They
boot into a stop error, and keep trying to reboot to recover from the
error. If testing shows this on a single system, it affects only one
system. However, if an organization applies the patch to a thousand
computers before testing it, it could have catastrophic results.

Smaller organizations often choose not to evaluate, test,
and approve patches but instead use an automatic method to
approve and deploy the patches. Windows systems include
Windows Update, which makes this easy. However, larger
organizations usually take control of the process to prevent
potential outages from updates.

Approve the patches. After administrators test the patches and
determine them to be safe, they approve the patches for deployment.
It’s common to use a change management process (described earlier in
this chapter) as part of the approval process.

Deploy the patches. After testing and approval, administrators
deploy the patches. Many organizations use automated methods to
deploy the patches. These can be third-party products or products
provided by the software vendor.

Verify that patches are deployed. After deploying patches,
administrators regularly test and audit systems to ensure that they
remain patched. Many deployment tools include the ability to audit
systems. Additionally, many vulnerability assessment tools include the
ability to check systems to ensure that they have appropriate patches.
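
The test, approve, deploy and verify steps above, shown as an added example that is not from the study guide: a ring-based rollout that stops at the first ring with an unhealthy host, followed by an audit against the approved baseline. Host names, patch IDs, the ring layout and the health check are constructed placeholders.

```python
# Added example: staged rollout that halts on failure, then a patch audit.
# All hosts, patch IDs and the health check below are constructed placeholders.
APPROVED = {"PATCH-001", "PATCH-002"}   # approved through change management
RINGS = [["test-vm1"], ["web01", "web02"], ["db01", "db02", "hr-laptop7"]]

def rollout(rings, patches, install, healthy):
    """Deploy ring by ring; stop before the next ring if any host is unhealthy."""
    done = []
    for ring in rings:
        for host in ring:
            install(host, patches)
            done.append(host)
        failed = [h for h in ring if not healthy(h)]
        if failed:
            return done, failed          # later rings are never touched
    return done, []

def audit(inventory, approved):
    """Map each non-compliant host to (missing approved, installed but unapproved)."""
    report = {}
    for host, installed in inventory.items():
        missing = sorted(approved - installed)
        extra = sorted(installed - approved)
        if missing or extra:
            report[host] = (missing, extra)
    return report

def simulate(bad_hosts=()):
    """Run a rollout on an in-memory inventory; bad_hosts fail to boot once patched."""
    inventory = {h: set() for ring in RINGS for h in ring}

    def install(host, patches):
        inventory[host] |= set(patches)

    def healthy(host):
        return host not in bad_hosts

    done, failed = rollout(RINGS, APPROVED, install, healthy)
    return done, failed, audit(inventory, APPROVED)

if __name__ == "__main__":
    done, failed, report = simulate(bad_hosts={"test-vm1"})
    print("patched:", done, "failed:", failed)
    for host, (missing, extra) in sorted(report.items()):
        print(host, "missing:", missing, "unapproved:", extra)
```

With the test host failing, only that one system is affected and the audit lists every production host as still missing the approved patches.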

Patch Tuesday and Exploit Wednesday

Microsoft regularly releases patches on the second Tuesday of
every month, commonly called Patch Tuesday or Update Tuesday.
The regular schedule allows administrators to plan for the release

