Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Patch Management Guidance from NIST

The National Institute of Standards and Technology (NIST) released a new version of guidance around Patch Management last week, NIST SP800-40.  The latest release takes a broader look at enterprise patch management than the previous version, so well worth the read.  

Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software".  Additionally, Patch Management is something that is required by many of the cyber security standards currently in use, such as CIP and DIACAP, and is often a finding associated with audits of said standards.  The document not only talks about patch management in the enterprise, it also talks about risks associated with enterprise patching solutions being used today.

Section 3.3 is of particular interest to anyone who is faced with the challenges of unique environments which contain numerous non-standard deployments, such as out of office hosts, appliances, and virtualizations of systems.  Section 4 is an excellent summary of Enterprise Patch Management technologies, the approach for implementing this technology in the enterprise, and guidance for ongoing operations.

One comment that is constant throughout is testing.  It is quite clear that the authors intended to highlight the need for testing in all aspects of enterprise patch management.

tony d0t carothers --gmail


150 Posts
ISC Handler
Aug 27th 2013
TL;DR Read Appendix B - 1 page gives you everything you need to consider!

Sign Up for Free or Log In to start participating in the conversation!