Reducing Internet-based intrusions: Effective security patch management

The Software Productivity Consortium (the Consortium) has been investigating methods for improving and measuring four essential defenses against Internet-based threats: security patch management, system and application hardening, network reconnaissance and enumeration, and tools against malicious software. These defenses increasingly are critical to an organization's information security posture and should be implemented in an effective, systematic, and repeatable fashion. Senior-level managers or executives should review process measurement data regularly to ensure that these defenses are being performed properly and to provide an objective basis for organizational improvement. This article focuses on lessons learned implementing improvements in the first of these defenses, security patch management, and is derived largely from pilot projects conducted in collaboration with Consortium members. The need for improved security patch management figured prominently in the recent draft cyber security strategy issued by the White House. The practices examined in this article can assist organizations in substantially reducing the risk from Internet-based compromises.