Once a patch is released by a vendor, and the associated security vulnerability has been assessed for its applicability and importance, the patch should be applied and verified in a timeframe which is commensurate with the risk posed to systems and the information they process, store or communicate. Doing so ensures that resources are spent in an effective and efficient manner by focusing effort on the most significant risks first.
When patching, organisations may be concerned about the risk of a patch breaking systems or applications and the associated outage this may cause. While this is a legitimate concern, and should be considered when deciding what actions to take in response to security vulnerabilities, many vendors perform thorough testing of all patches prior to their release to the public. This testing is performed against a wide range of environments, applications and conditions. Often the immediate protection afforded by patching an extreme risk security vulnerability far outweighs the impact of the unlikely occurrence of having to roll back a patch.
It is essential that security vulnerabilities are patched as quickly as possible. Once a vulnerability in an operating system, application or device is made public, it can be expected that malicious code (also known as malware) will be developed by adversaries within 48 hours. In fact, there are cases in which adversaries have developed malicious code within hours of newly discovered security vulnerabilities [1][2].
The following are recommended timeframes for applying and verifying patches based on the outcome of risk assessments for security vulnerabilities:
- extreme risk: within 48 hours of a patch being released
- high risk: within two weeks of a patch being released
- moderate or low risk: within one month of a patch being released

In situations where resources are constrained, organisations are encouraged to prioritise the deployment of patches.
For example, patches could be applied and verified for at least workstations of high-risk users (e.g. senior managers and their staff; system administrators; and staff members from human resources, sales, marketing, finance and legal areas) within 48 hours, followed by all other workstations within two weeks.
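As an added example (not part of this guidance), the following Python turns the timeframes above into due dates and audits a constructed asset inventory for compliance. Reading "one month" as 30 days, and the way the staggered rollout under constrained resources is modelled (priority workstations never later than 48 hours, the remainder allowed to slip to two weeks), are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Timeframes stated in the guidance above, keyed by the assessed risk rating.
RISK_WINDOW = {
    "extreme": timedelta(hours=48),
    "high": timedelta(weeks=2),
    "moderate": timedelta(days=30),  # "one month" taken as 30 days (assumption)
    "low": timedelta(days=30),
}
# Staggered rollout when resources are constrained: high-risk users' workstations
# first (48 hours), all other workstations within two weeks.
PRIORITY_WINDOW = timedelta(hours=48)
REMAINDER_WINDOW = timedelta(weeks=2)

def due_date(released, risk, high_risk_user=False, constrained=False):
    """Deadline for applying AND verifying a patch released at `released`.

    Without constraints the risk rating alone sets the window. Under constrained
    resources (assumed model) the priority group is never later than 48 hours and
    the remainder may slip to two weeks, but never past a longer risk-based window.
    """
    window = RISK_WINDOW[risk]
    if constrained:
        window = min(window, PRIORITY_WINDOW) if high_risk_user else max(window, REMAINDER_WINDOW)
    return released + window

def audit(assets, now, constrained=False):
    """Return (asset_id, status, due) per asset, most urgent first.

    status: 'compliant' (verified by the due date), 'late' (verified after it),
    'overdue' (not verified and past due) or 'pending' (not verified, not yet due).
    """
    results = []
    for a in assets:
        due = due_date(a["released"], a["risk"], a.get("high_risk_user", False), constrained)
        verified = a.get("verified")
        if verified is not None:
            status = "compliant" if verified <= due else "late"
        else:
            status = "overdue" if now > due else "pending"
        results.append((a["id"], status, due))
    return sorted(results, key=lambda r: r[2])

# Constructed sample inventory (not real data): one extreme-risk patch, three assets.
RELEASE = datetime(2024, 3, 1, 9, 0)
SAMPLE_ASSETS = [
    {"id": "ws-cfo", "risk": "extreme", "released": RELEASE, "high_risk_user": True,
     "verified": datetime(2024, 3, 2, 17, 0)},
    {"id": "ws-admin", "risk": "extreme", "released": RELEASE, "high_risk_user": True,
     "verified": datetime(2024, 3, 4, 10, 0)},
    {"id": "ws-kiosk", "risk": "extreme", "released": RELEASE},
]
```

Running `audit(SAMPLE_ASSETS, now)` unconstrained marks the unpatched kiosk overdue after 48 hours; with `constrained=True` it is merely pending until the two-week remainder window closes.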