*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.
System administrators have the responsibility to ensure all system components (e.g., servers, firewalls, routers, workstations) and software are updated with critical security patches within 30 days of when they are released to the public. If not, these components and software are vulnerable to malware and security exploits.
One reason systems and software miss updates is that they simply could not communicate with the update server (e.g., WSUS, Puppet), possibly because a network or system configuration change inadvertently broke that communication. It is imperative that system administrators are alerted when security updates fail.
If there’s a legitimate reason an update can’t be applied, it must be documented. There are scenarios in which a critical update cannot be applied, or actually introduces security issues when it is applied. This has happened in Cisco environments and underscores the importance of functional and organizational testing before an update is deployed widely.
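The three requirements above (the 30-day window, alerting when a host stops reaching the update server, and documenting any exception) can be checked together from a patch inventory. The following is an added example, not code from the original guide; the inventory rows, the patch names, the seven-day check-in threshold and the exception text are all constructed for illustration.

```python
from datetime import date

PATCH_WINDOW_DAYS = 30   # the 30-day requirement stated in the text
CHECKIN_STALE_DAYS = 7   # assumption: a host silent this long has lost the update server

# Constructed sample inventory (not real data), one row per host/patch pair:
# host, patch id, public release date, installed?, last check-in with the update server
INVENTORY = [
    ("web01", "PATCH-A", "2024-01-02", True,  "2024-02-10"),
    ("web02", "PATCH-A", "2024-01-02", False, "2024-02-10"),  # overdue, no exception
    ("db01",  "PATCH-A", "2024-01-02", False, "2024-02-10"),  # overdue, documented exception
    ("fw01",  "PATCH-B", "2024-02-01", False, "2024-01-20"),  # not yet due, but silent since Jan 20
]

# Documented exceptions: host -> the legitimate reason the update is not applied (constructed)
EXCEPTIONS = {"db01": "PATCH-A breaks the vendor agent; vendor fix pending"}


def audit(inventory, exceptions, today):
    """Return (host, finding) tuples for an auditor or an alerting pipeline."""
    today = date.fromisoformat(today)
    findings = []
    seen_hosts = set()
    for host, patch, released, installed, last_seen in inventory:
        released = date.fromisoformat(released)
        last_seen = date.fromisoformat(last_seen)
        # A host that has stopped talking to the update server is silently not receiving updates.
        if host not in seen_hosts and (today - last_seen).days > CHECKIN_STALE_DAYS:
            findings.append((host, f"no contact with update server since {last_seen}"))
        seen_hosts.add(host)
        if installed:
            continue
        overdue_by = (today - released).days - PATCH_WINDOW_DAYS
        if overdue_by <= 0:
            continue  # still inside the 30-day window
        if host in exceptions:
            findings.append((host, f"{patch} not applied; documented exception: {exceptions[host]}"))
        else:
            findings.append((host, f"{patch} overdue by {overdue_by} days with no documented exception"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, EXCEPTIONS, "2024-02-15"):
        print(f"{host}: {finding}")
```

Only the undocumented overdue host is a violation; the documented one is reported so the exception stays visible rather than forgotten.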
When developing software (e.g., web applications), it’s crucial that organizations follow the OWASP guidelines. These guidelines help enforce secure coding practices throughout the web application development process and keep software code free of vulnerabilities (e.g., cross-site scripting (XSS), SQL injection, insecure communications).
Consider where your software libraries are coming from: are they from trusted sources? Organizations should regularly review the open source libraries they use to verify compromises have not been introduced by attackers.
Secure communications are constantly evolving as weaknesses are discovered. Support for and use of TLS v1.3 is expanding. Recently, the lifespan of TLS certificates was shortened.
Organizations need to embrace the idea of change control for their software development and system patching/updating. There are four requirements of what a proper change control process should contain: