It goes without saying that patching and updating your systems is a necessity. No one wants to deal with the aftermath of a security breach because you forgot to manually patch your servers over the weekend, or your SCCM/WSUS/YUM solution wasn't configured correctly. So how do you craft a solid plan of attack for patching? There are many different ways you can approach patching, in previous posts I talked about what you are patching, and how to patch Linux systems, but we need to discuss creating a strategic plan for ensuring patch and update management don't let you down. What I've done is laid out a step by step process in which you will learn how to create a Patching Plan of Attack or PPoA (not really an acronym but looks like a real one).
Step 1: Do you even know what needs to be patched?
The first step in our PPoA would be to do an assessment or inventory to see what is out there in your environment that needs to be patched. Servers, networking gear, firewalls, desktop systems, etc. If you don't know what's out there in your environment then how can you be confident in creating a PPoA?? You can't! For some this might be easy due to the smaller size of their environment, but for others who work in a large enterprise with 100s of devices it can get tricky. Thankfully tools like SolarWinds LAN Surveyor and and SNMP v3 can help you map out your network and see what's out there. Hopefully you are already doing regular datacenter health checks where you actually set your Cheetos and Mt. Dew aside, get our of your chair and walk to the actual datacenter (please clean the orange dust off your fingers first!).
Step 2: Being like everyone else is sometimes easier!
How many flavors of Linux are in your environment? How many different versions are you supporting? Do you have Win7, XP and Win8 all in your environment? It can get tricky if you have a bunch of different operating systems out there and even trickier if they are all at different service pack levels. Keep everything the same, if everything is the same, then you'll have an easier time putting together your PPoA and streamlining the process of patching. Patching is mind numbing and painful, you don't want to add complexity to patching if you can avoid it.
Step 3: Beep, beep, beep.... Back it up! Please!
Before you even think about applying any patches, your PPoA must include a process for backing up all of your systems prior to and after patching. The last thing anyone wants to do is have a RGE on their hands! We shouldn't even be talking about this, if you aren't backing up your systems, run and hide and don't tell anyone else (I'll keep your secret). If you don't have the storage space to back up your systems, find it. If you are already backing up your systems, good for you, here's a virtual pat on the back!
Step 4: Assess, Mitigate, Allow
I'm sure I've got you all out there reading this super excited and jonesing to go out and patch away, calm down, I know it's exciting, but let me ask you a question first. Do you need to apply every patch that comes out? Are all of your systems "mission critical"? Before applying patches and creating an elaborate PPoA, do a risk assessment to see if you really need to patch everything that you have. The overhead that comes with patching can sometimes get out of hand if you apply every patch available to every systems you have. For some, i.e. federal, you have to apply them all, but for others it might not be so necessary. Can you mitigate the risk before patching it? Are there things you can do ahead of time to reduce the risk or exposure of a certain system or group of systems? Finally what kind of risks are you going to allow in your environment? These are all aspects of good risk management that you can apply to your planning.
Step 5: Patch away!
Now you have your PPoA and you are ready to get patching, go for it. If you have a good plan of attack and you feel confident that everything has been backed up and all risks have be assessed and mitigated, then have at it. Occasionally you are going to run into a patch that your systems aren't going to like, and they will stop working. Hopefully you've backed up your systems or better yet, you are working with VMs and you can revert back to an earlier snapshot. Keep these 5 steps in mind when building out your PPoA so you can feel confident tackling probably the most annoying task in all of IT.