Topic: Web Server Patch Management
A Patch Plan is a plan for implementing OS or other system updates in an orderly manner for minimal disruption to your organization while providing maximum security. OS’s, web servers, and other software regularly require security updates as well as functional improvements. Failure to implement patches as they are released can result in security holes, particularly dangerous because hackers watch the patch lists too, and will sometimes launch a hack aimed at those who just never got around to patching their systems.
Come up with a regular Patch Plan for an organization, similar to what you would present to your bosses to get approval (and resources!) for the plan. The plan will include the steps you will take, plus a diagram of the network to help your bosses understand the plan.
1. Come up with a reasonable scenario for a medium-sized business that provides a web app or service.
2. Write up the Patch Plan in a paper 3 pages long. Your plan should include the following:
• Describe the network structure and all people who would be affected by patch downtime, both inside and outside the organization (departments within your org, your clients, their customers, etc.)
• List software components that need to be updated with patches regularly (OS, network control software, web server, etc.)
• DIAGRAM: Include a diagram of the network and people, with areas labeled (Ex: A, B, C, etc.) and with a key below it (A: Server 1, B: Customers, etc.). You can use any method you like for creating this diagram. I am not fussy about the symbols you use, but this is a good opportunity to practice using industry standard symbols for things like servers and files, which you can research online. Here are some options for the drawing method:
o draw.io (Links to an external site.) is free online drawing software. Create a new blank diagram with the Basic or other template. It’s pretty easy to use. draw.io saves in XML format, so to save the diagram in picture format, you will need to export it to a PNG for insertion in your Word doc.
o If you can draw neatly, you can draw the diagram on a piece of paper, take a photo, and include it in the paper.
• Describe or list the concerns about the timing of patches. For example, list any statistics about when users are more/less likely to need specific parts of the system for critical work.
• Include any concerns about parts of the system that might need special attention, such as a server running an old OS.
• List the steps for your regular Patch Plan, which would be implemented at regular intervals. Specify the following:
o Frequency (Ex: Every other Tuesday at 2am CT)
o Who will check for patch availability, and where
o Who/when of client announcements about downtime
o Sequence of patches on various systems
o Who will start and babysit the patches while running, and what additional support mechanisms will be available to both your staff and the public
• In the case of a patch that must happen right away (outside the normal frequency interval), describe how this would impact the steps above.
Include any references you use to support your plan, such as publications from OS vendors stating their patch frequency.