Server Patching Best Practices
March 4th, 2021
You see the notification for an OS update on your phone or computer. You delay it until tomorrow because you’re in the middle of your workday and updating means you might be late for your next meeting. Tomorrow becomes the next day, and the next day becomes next week. We’ve all done it – delaying our software updates until it’s most convenient for us. But how does this affect our software?
When a software company finds a weakness in their system they will release updates to close them accordingly. This is an example of a common patching strategy. Sometimes apps even have updates that run in the background automatically. They generally don’t ask for permission to run because lots of people will delay them.
The result of not updating and maintaining your phone or computer is similar to developers not keeping up with server checks and repairs: a vulnerable system. Outdated software is prone to security and performance issues, and the server is what a website or app relies upon for data storage and full functionality, which is why it’s incredibly important that we update it whenever something is flagged.
Coretechs’ regular patching strategy cycle:
Coretechs maintains hundreds of servers. We do so successfully through the implementation of several processes that keep us on top of patching and security. Those procedures include weekly team assessments of sources and reports, scheduled patching checks, and more:
- We complete server patching reports depending on the timeframe necessary – whether that be every month, quarter, or year. We also have a proper inventory of all-new servers and things we need to monitor. A big part of this process is understanding and knowing which elements of the server to track.
- We stay on top of what we need to monitor and have multiple people sign off on the reports. We do this especially at the beginning of the development process to make sure we are looking at the right elements and making necessary changes when applicable.
- The patching check interval cycle is set depending on what the client wants. We check the majority of our systems once a quarter and apply updates as necessary. Conversely, for some clients we don’t handle everything. We may only monitor the framework version and not the OS due to the platform it’s on or the client has a separate process to handle patching.
- We go about keeping track of things by meeting every 3 weeks to review patching strategy reports. Our team will go through the patching list and delegate any updates to team members. Equally important, we actively follow up to make sure all updates are applied. Some updates are very straightforward, and some are more complicated.
- In addition, we have a weekly patching fixes check and complete status updates utilizing the sources below as a reference.
- Our team participates in a monthly “Patch Tuesday” Microsoft Windows & Workstation patching check.
A good example of why these checks and all listed in this post are so important is explained in the New York Times’ article concerning a recent Microsoft security breach:Sanger, David E., Barnes, Julian E. Perlroth, Nicole. “White House Weighs New Cybersecurity Approach After Failure to Detect Hacks”
“The full extent of the damage to American interests from the hacks is not yet clear, but the latest, attributed by Microsoft to China, is now revealing a second vulnerability. As Microsoft releases new “patches” to close the holes in its system, that code is being reverse-engineered by criminal groups and exploited to launch rapid ransomware attacks on corporations, industry executives said. So a race is on — between Microsoft’s efforts to seal up systems, and criminal efforts to get inside those networks before the patches are applied.“
Authoritative Sources that we check on a weekly basis:
- CISA Weekly Email: We check CISA’s bulletin weekly for any new information on vulnerabilities.
- WordFence Blog: We check this blog for any new information on the WordFence security plugin, as it is used on many WordPress sites.
- ManageWP: We check ManageWP for any flagged WordPress plugins and use the dashboard to keep an eye on things.
- Django Security Updates: We check here for any new information from Django about security updates.
- Microsoft Security Releases: We check this list for any new information from Microsoft on security updates.
- Debian Security Update List: We check here for any security updates about their operating system.
“Our main goal is to make sure anything and everything is on our radar. With this purpose in mind, our team looks for anything out of the ordinary while reviewing these sources. If we see any reported issues, we work quickly to find a solution and act on it. ”
James Bloomer, Vice President of Coretechs Consulting
There are some exceptions to our normal cycle of patching strategy checks and updates.
- Zero-Day Exploits: If we notice a zero-day exploit, we address it right away with hotfix patches to every system affected. Otherwise, it will trigger things to go out of order. This is an issue that takes precedent, and our team will “drop” everything to make sure it is handled efficiently and effectively.
- No longer supported: Perhaps a major branch or version of the technology is no longer supported. This means it will need to be migrated to a newer version. An example would be when CentOS was flagged to be no longer supported. This change wasn’t going to happen in the immediate future after it was announced. However, to be prepared we immediately began IDing systems and slowly migrating systems over to the newer version. We monitor big changes even if they are years in advance to smoothly and slowly handle things so there’s not a last-minute frenzy to patch.
Finally, staying up to date with all relevant sourced documentation as well as our own internal logs keeps all of our servers running smoothly. All of these sources and regular checks are a priority of ours to keep your servers and websites secure.
If we can assist you with monitoring your server in any way, contact us today!