Microsoft receives most of the media attention when it comes to patching our computer systems. They earned the attention by repeatedly shipping software with large numbers of defects and vulnerabilities. That gave rise to "patch Tuesday", the second Tuesday of the month, when Microsoft releases yet another round of fixes.
To their credit, Microsoft has reduced the number of required patches and improved the overall quality of their software. This is sure to make the overall vulnerability of our computer systems worse - much worse.
For years, Microsoft was an easy target for mischievous intruders and thieves. As Microsoft improved its defenses, the attackers turned their attention to easier prey such as desktop applications, network devices, and server-based software. Simply installing a Microsoft software update once a month is no longer enough.
Qualys, a security software vendor, reports, "Data now show more than 60 percent of new critical vulnerabilities are in client applications such as web browser, backup software, media players, antivirus, Flash and in other tools."
The lag between the time a security defect is published and the appearance of a patch is a window of vulnerability. Any company using the defective software is exposed and subject to an indefensible attack within that window. Unfortunately, using automated tools, hackers can exploit such defects in a matter of hours.
Managing the patching process can be daunting. Many companies purchase dozens of software packages and intelligent devices from a variety of vendors. They may deploy these products to thousands of workers. Keeping track of it all is a challenge in itself.
The patching process Microsoft follows works like this. Software patches are released periodically, usually monthly. A program running on your PC checks for available patches daily. When a patch is found that pertains to your systems, it is automatically downloaded and installed.
The process works well though every vendor uses a different approach and release cycle. Patching dozens of software applications across thousands of users can quickly become unmanageable.
How do you manage this increasingly complex situation? That's what automated patch management software is designed to do. Here's what the patch management process might look like at a typical company:
A software vendor publishes a new software bulletin including a patch. An IT technician responsible for monitoring such bulletins initiates the patching process.
The IT department assesses the risk to the company and assigns an internal severity rating - usually within 48 hours. The reported defect or vulnerability may expose the company to serious risk or it may be inconsequential.
IT tests the patch on standard, corporate systems and applications - usually within 48 hours for patches rated urgent or critical. Occasionally, software patches create problems that can disable some applications. For this reason, it is best to test patches prior to deployment.
IT configures an automated patch management tool to distribute the patch to the user community.
The patch management tool deploys the patch at the appropriate time based on operational needs eliminating the cost of technicians walking around to every machine patching manually.
The patch management tool verifies that the patch has been applied and updates its database for tracking purposes.
The process is simple enough but implementation can be complex. Several steps have to be taken before committing to an effective patch management process.
Begin by publishing a security policy. It is important for everyone to understand why patches are needed and what their responsibilities are. Patching can only be successful if the user community cooperates with the process.
Take a technology assets inventory. You will need to know what you have, where it is and who is using it. This is a critical step because not all patch tools can handle every type of system or application.
Establish the criticality of your systems. Mission-critical systems and those connected to external networks should be patched ahead of less important or isolated ones.
Define roles and responsibilities for implementing the patch management process. Establish clear accountability for evaluating patches and assigning a severity rating. A window of vulnerability leaves your organization exposed to possible information loss and corruption. Keep that window small.
Laying the above groundwork positions you to select an optimal patch management tool.
Patch tools may be agent-based or agent-less. An agent is a small piece of software that resides on every system. The agent connects to the patch tool to determine what patches are available. Agent-less solutions use network scanning to identify target systems and remotely install patches.
Ongoing monitoring capabilities are essential. Patches may have to be re-applied when users recover from crashes or other system problems. An inventory of patches available on demand minimizes recovery time.
There are many vendors of patch management software. Capabilities and costs vary widely as this is a rapidly evolving market space. All the major software vendors are players including BMC, Computer Associates, Hewlett-Packard, Microsoft, Novell, Symantec and Tivoli.
Often, the major vendors provide full lifecycle management that may be overkill for your situation. Many smaller companies have effective patch management solutions that are more narrowly focused; among them are BigFix, Ecora, PatchLink, Quest, St. Bernard and Shavlik.
Keeping systems patched is neither strategic nor exciting but failure to do so could be catastrophic.
Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO. He is an expert in IT Business Continuity Planning, Network Security Policies, and Freelance Writing focused on white papers, case studies, and handbooks. DAMICON services firms worldwide.
This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in November 2006.
To learn more about how DAMICON can help your business, please take a look at our service programs.
This column appears monthly in the IndUS Business Journal.