If you didn't find what you were looking for, try a new search!
Unpatched Vulnerabilities In today's digital-first world, the landscape of cybersecurity threats is evolving at an unprecedented pace. Among the myriad of vulnerabilities that organizations face, unpatched software vulnerabilities stand out as one of the most significant and [...]
What is Patch Management? Patch management is a critical practice to ensure the security, stability, and compliance of computer systems. It involves a systematic approach to identifying, evaluating, testing, and deploying patches while minimizing disruptions to business operations. However, [...]
What is Enterprise Patch Management (a.k.a. the application of software security updates according to NIST SP 800-40r4)? The National Institute of Standards and Technology (NIST) just released Report 800-40r4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. [...]
Many organizations continue to find themselves between a rock and hard-place when it comes to consistently applying security updates or “patches” across their environments. On one hand, they recognize their unpatched software exposes them to risk of a disruptive and [...]
Alvaka Networks has arguably the best and most sophisticated patch management process in the Orange County, Los Angeles County and possibly the US. Not many firms can deploy vast quantities of patches to valuable high availability servers and PCs with smoke testing qualify control while following the sun globally during selected narrow service windows.
Change Management
Change management is vital to every stage of the patch management process. As with all system modifications, patches and updates must be performed and tracked through the change management system. It is highly unlikely that an enterprise-scale patch management program can be successful without proper integration with the change management system and organization.
Like any environmental changes, patch application plans submitted through change management must have associated contingency and backout plans. What are the recovery plans if something goes wrong during or as a result of the application of a patch or update? Also, information on risk mitigation should be included in the change management solution. For example, how are desktop patches going to be phased and scheduled to prevent mass outages and support desk overload? Monitoring and acceptance plans should also be included in the change management process. How will updates be certified as successful? There should be specific milestones and acceptance criteria to guide the verification of the patches' success and to allow for the closure of the update in the change management system....
Firewall patching (updating firmware) is one of the most prudent aspects of network security management that, if neglected, can have dire consequences for your company. Now more than ever, consistent firewall patching is a must have for every business, big [...]
Alvaka Network Solutions Vulnerability Management as a Service Alvaka offer a suite of technologies which ensure the integrity of your network, 24 hours a day, 365 days a year Learn more [...]
Overview of Windows/Internet Explorer Security Patch Microsoft has advised Windows/Internet Explorer users to install an “emergency” out-of-band security patch (i.e. not released on patch-Tuesday) for a recently detected Zero-Day-Exploit (i.e an exploit that has already been actively used prior [...]
Oli Thordarson, CEO of Alvaka Networks, begs to differ... This is an interesting article I read in ZDnet, Cybersecurity: One in three breaches are caused by unpatched vulnerabilities, about software vulnerability patching. I found it interesting because I took [...]
And Why Executives Should Care... Threats to network security seem to get announced weekly. Global ransomware attacks like WannaCry cause havoc around the world and billions of dollars in losses. Businesses are actually shuttering due to network attacks that [...]
Smoke testing is a term used to describe the testing process for servers after patches are applied. The process typically involves making sure servers are rebooted in the right order, making sure they have completely rebooted, restarting applications in the right order, and then testing to be certain everything is working properly when users return to work in the morning.
This typically takes 30 minutes per server, depending upon your environment.
PCs are not typically smoke tested, or if so, not all of them.
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
There are many variables to consider. Some are:
You want to enter in a fully burdened labor rate for this field. What that means is that you want to take the base hourly rate, plus 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.
For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour. Of course, rates of pay, taxes and benefits will vary from city, state and company; but 30% is usually a good number to use. Don’t forget to account for time-and-a-half or after-hours rates of pay if patching is being done in the late evening, early morning, or weekends (in order to avoid impacting user productivity).
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.
If you are presenting to management for a budget, and using this calculator as the basis for a Return on Investment (ROI), you will need to do more homework. An ROI measures as a ratio of the cost of investment against its expected benefit. For patching, calculating benefit can be very difficult to determine. How do you measure the cost of a system breach you have not yet had? You can estimate what expenses, penalties, and losses a company might incur when a breach occurs; but there is no certainty of a breach event and what those costs actually are. There are also regulatory compliance issues and/or potential fines for not patching, but those, too, can be vague. For calculating these potential risks and costs, it is advisable to enter into a discussion with your management team.
