
It's Patch Tuesday! Uh...what does that mean?

BScott
Community Manager

Okay, I kid. I know what Patch Tuesday is. What I really wanted to do is talk a bit about what it means, though. Coming from a large enterprise, it has a different meaning there than it does for small and medium enterprises. How frequently do you actually patch when you're a 1-2 person shop?

And let's look at CVSS... last Friday we talked about a vulnerability with a CVSS of 9.8. Ouch! Do you take that score at face value, or are you looking at whether it's actually relevant to you and maybe doing a quick assessment of your own?

Let's say there are TWO different CVEs out there (feel free to make up a couple of numbers, @rlyons 😆) with a CVSS of 9.6. But one of them affects your public-facing web server and one affects print drivers that can only be accessed when you're on network. A quick risk assessment tells you the public-facing one is the bigger risk, right?

How often are you doing this with vulnerabilities—do you have a strategy or is there a panic each and every time a new high profile CVE comes out?

Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.

4 REPLIES

rlyons
Rising Star I

For CVE:22222.22-698ED222, I just let it catch up on my normal patch routine.

For everything else, since it's just me, unless it is a major zero day or similar, I patch about two weeks after Patch Tuesday (i.e., beginning of the month). This gives me a chance to actually test and hear about any issues via the grapevine, such as all the printing woes we had a couple of months ago. I can't catch everything as the only person here.

BScott
Community Manager

Patch Tuesday as a concept is interesting. It raises awareness, which is a good thing. I know yesterday wasn't really Patch Tuesday, but I'm still pretty fascinated by it. I have more thoughts around security and the like, all prompted by a cybersecurity discussion I went to earlier in the month. You'll see more posts on this as we go along (coming soon).


krichard
Novitiate III

I think you nailed it on the head. How quickly we work to patch the issue depends on the public exposure. We subscribe to https://www.cisa.gov/ notifications to catch the latest ones. We found that if we waited to hear from our vendors, we were sometimes days behind in thinking through our attack surface.

micjagger09
Novitiate I

How do you even apply a particular patch to a Windows machine via JumpCloud patch management? It's an all-or-nothing deal and there's really no granularity when it comes to deploying only certain patches in JC patch management.