Here are some items an LEA may want to consider in a patch management plan

Take Inventory of LEA Systems

1. • There are numerous systems that an LEA could use to scan networks and build an inventory of network-attached items.
     Here are just a few to consider

     • Spiceworks Inventory - (FREE) - Inventory online helps to manage IT, basic and Advanced network inventory management, track hardware, and shows who has access to it.

     • PDQ Inventory - ($) - PDQ Inventory is a systems management tool that scans Windows computers to collect hardware, software, and Windows configuration data.

     • Wazuh - (FREE) - an open-source unified XDR and SIEM platform.

     • LANSweeper - ($$) - Increase Visibility. Eliminate the blind spots from your environment and discover assets you didn't even know about.

Know which systems the LEA is responsible for patching

• Once LEA personnel have identified what assets are attached to the network, then the LEA needs to determine if the LEA or a 3rd party is responsible for keeping the device patched and updated.

Determine the Risk and Vulnerability of each System

1. • Sample IT Risk Ranking Assessment (Google Spreadsheet)

Create a Patch Management Policy

1. • Sample Patch Management Policy (Google Doc)

Scan for vulnerabilities

1. • NESSUS (https://www.tenable.com/products/nessus)

     • Built for security practitioners, by security professionals, Nessus products by Tenable are the de-facto industry standard for vulnerability assessment. Nessus performs point-in-time assessments to help security professionals quickly and easily identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations - across a variety of operating systems, devices, and applications.

   • OpenVAS (http://www.openvas.org)

     • OpenVAS stands for Open Vulnerability Assessment Scanner. It is a full-featured open-source vulnerability scanner with extensive scan coverage.

   • OpenSCAP (https://www.open-scap.org)

     • OpenSCAP has multiple components that focus on security tools, policy enforcement, and compliance with standards

   • Nmap (https://www.nmap.org)

     • Nmap is an open-source network scanning tool for port scanning, service fingerprinting, and identifying operation system versions. While it is popularly known as a network mapping and port scanning tool, it comes with the Nmap Scripting Engine (NSE) that can help in the detection of misconfiguration issues and security vulnerabilities.

   • Metasploit (https://www.metasploit.com/)

     • Primarily known as an essential tool for penetration testers for delivering and executing payloads and exploits, Metasploit comes with inbuilt network scanning capabilities that may be useful for organizations.

Apply Patches Quickly / Automate where possible

1. • PDQ Deploy (https://www.pdq.com/pdq-deploy)

     • PDQ Deploy is a free patch management tool for Windows devices only that can also be upgraded with a paid subscription.

   • Itarian (https://www.itarian.com/patch-management.php)

     • Itarian is a Windows open-source patch management tool that can fulfill three major vulnerability management functions for your LEA. It can help your sysadmins manage patches and eradicate security flaws and fix bugs in the software you use daily.

   • ManageEngine’s Endpoint Central (https://www.manageengine.com/products/desktop-central)

     • ManageEngine’s Endpoint Central is a Windows patch management tool that also handles vulnerability management. It allows you to deploy updates on the fly, configure firewall & wireless devices, remote-wipe company data, and control USB policies. Desktop Central’s uniqueness is its ability to conduct pre-testing on patches and updates before deploying them in bulk. A very robust software update management system.