What is your strategy for patching and updates? Whilst it might be tempting to just leave your systems on auto-update, the alternative to manually delay updates to always be one behind the latest (also known as an N-1 update strategy), may also be a problem.

Updates and patching of software

Security and stability vulnerabilities are being discovered every day in software. The tricky hackers will try all manner of strange and unusual approaches to try and get software to fail. The software vendor may also take pre-emptive action to improve the security and stability of their software, and release updates. Or, they may just want to add in (or remove) functionality.

Patching and zero days

When a software vendor has become aware that there is a potential vulnerability, they then rush to deliver a patch. The time between the vulnerability being possible and the patch being made available is called a Zero Day vulnerability. If there is sufficient time (and reward / opportunity) for the hackers, they will develop an exploit. If you have not implemented a patch (or one is not available), and there is an exploit “in the wild”, then you are vulnerable.

N-1 patching strategy

Historically, there has been a desire to hold back from rolling out patches and updates, because there have been incidents where updates can cause more problems than they fix. IT teams have a dogma to hold back on installation of patches, until a new patch is released. For major products and significant updates (like Service Packs), it was previously common to not rush ahead and implement the latest version, but instead to be one version behind – or N-1.

READ ARTICLE:   Create AD login for vC Ops access

N-1 updates problems

Whilst it may have been prudent to keep behind the “bleeding edge” of software releases and updates in the past, now a new approach is required. The IT world is now a more dangerous place, with security vulnerabilities and attacks much more likely. If you take an N-1 strategy for updates, you are running software that has a known flaw and also an available fix.

With an N-1 update strategy, you are running software that has a known flaw and also an available fix.

One of the most significant security vulnerabilities is in running unpatched software – the malicious actors are scanning the Internet for any available systems that are running out-of-date software. When taking an N minus 1 approach, you are taking a strategic decision to be vulnerable, by policy.

Alternative approaches to N-1

I have previously mentioned the approach of N+45 for patches, but this may be too long to wait. My previous approach was to put in the latest update after a month and a half of it being available, to allow issues to be identified by the Internet community, or recalled by the vendor. However, with security updates and issues that could be remotely exploited, waiting 45 days is also too long. Updates should be applied rapidly, and after it has been identified that there are no significant issues reported online, with no need to wait for longer than 10 days, or for the next version to be released.

Share this knowledge