# Patch management and updates

**What is patch management?**

Patch management is the disciplined handling of security updates. A patch is the correction a vendor issues to close a security flaw that has become known. Disciplined means that you know which systems you run, that you learn about new updates, and that you install them within an agreed deadline.

A security flaw frequently becomes public at the moment the vendor releases the patch. From then on attackers also know where the weakness sits, and automated scanners comb the internet for systems that have yet to receive the update. The interval between the release of an update and its installation in your business is therefore an open window. Keeping that interval short removes the basis for a large share of automated attacks.

Windows and Office usually update themselves. Attention belongs to the devices nobody thinks about during ordinary work: the firmware, meaning the control software built into the device itself, of the firewall and the router, the network storage device, the network printers, the CCTV cameras, the time recording system, the till, the control PCs attached to machines, the remote maintenance software, the plugins on the company website. Systems reachable from the internet are the most urgent, because they are continuously discovered and probed.

A category of its own is software at the end of its life, meaning programs and devices for which the vendor no longer issues security updates. A flaw that becomes known after that date stays open permanently. This affects old operating system versions, older network storage devices and telephone systems, as well as specialist software whose supplier has ceased trading. Such systems need a plan with a date and a budget. Where replacement is impossible in the short term, the device belongs in a separated network zone and away from the internet.

The first sensible step is an inventory: which devices, operating systems and programs run in the business, in which version, who is responsible for each, and how long the vendor will supply updates. On that basis you set a rule per category. Who checks for updates and how often, within what deadline are they installed, which systems are tested first in a maintenance window, and who records the outcome? Automatic updates are the simplest answer wherever a restart causes no loss of production.

The IT-Check records the version and update status of your systems on site and, in a light penetration test, meaning a deliberately restrained attempt from outside, looks for services running outdated versions. You receive the report with a remediation plan within 14 working days.

## Related terms
- [Vulnerability and vulnerability assessment](https://vetosec.at/en/it-security/schwachstelle/)
- [Vulnerability scan](https://vetosec.at/en/it-security/schwachstellenscan/)
- [IT asset inventory](https://vetosec.at/en/it-security/it-inventar/)
- [Zero-day vulnerability](https://vetosec.at/en/it-security/zero-day/)

## Source
https://vetosec.at/en/it-security/patch-management/ (vetosec, schutz)
