In the first two quarters of 2005 more than 3,780 software vulnerabilities were reported, leaving a wide range of system components and software open to exploits. With the popular operating systems often the key target of worm and virus writers, the majority of businesses are left open to attacks.
For example, the August print spooler flaw identified by Microsoft's monthly security update left businesses using the Windows server vulnerable to losing complete control of the infected system, as an exploit would then have free range to view, change or delete data; or create new accounts with full user rights. The emergence of the Zotob worm, which exploited the MS05-039 vulnerability in Windows 2000, five days after the August security update, sent the message that the time scale for applying patches has been dramatically reduced, as hackers have become quicker at churning out malicious codes and collaborating upon the development of multiple variants of an exploit.
So why aren't businesses catching on to patch and vulnerability management? The bottom line is that many IT teams do not have the resources or time to implement the relevant patches and assess that each one has been deployed across an entire network successfully.
Best Practices Approach
In order for businesses to get to grips with patching, it is essential that they must first assess the possible risk areas of the network. The IT team should know what the potential vulnerabilities are, where those vulnerabilities are, and how important it is, to the business, that they are fixed. This means an in depth study of all of a company's IT assets. When the company knows what systems it has and where these are situated within the network, it can then check the vulnerability status in each piece of firmware and software.
It is also important to establish which network systems are mission critical, which should be patched first and which need constant patch maintenance. As an example, some retailers may not apply patches in November and December because these are the busiest times of the year, and the risk of downtime caused by new software is unacceptable. Applying patches carries a risk and if the patch has not been tested effectively this could in turn cause a disruption to business services. Applying a patch that does not suit the environment could result in a critical server failure, or at a minimum, possible loss of critical data.
For most businesses, even those with security patch management solutions in place, patching everything straight away is not an option. New vendor patches have been known to induce instability in software and operating systems, so the maintenance should be bite-sized so that IT staff do not get overwhelmed with the task of deploying monthly updates. The IT team has to be able to cope with the work in progress, and have the capacity to address any issues, which arise during the patching process.
Therefore, companies will need to prioritize the deployment of patches across the network. The most direct approach is to deal first with the systems that are most prone to attack or hacking - such as ecommerce systems, email systems and critical business applications. Then move down the food chain to non-critical systems. It's important to factor in timing of maintenance too - for example, those systems used by office staff should ideally be patched out-of-hours.
The best practices-based approach employs an iterative test-then-deploy cycle that is executed against increasing large or critical sets of servers or desktops. A manual approach to deploying patches will be orders of magnitude more costly, and most likely fail to properly mitigate the risk of un-patched systems.
Staged deployments are essential, based on the user-defined groups versus other technologies that require an 'all or nothing' approach. This will allow businesses to implement testing and take full advantage of accelerated and automated deployments.
However, testing of each patch is absolutely vital. Automatically triggered security patches are not desirable or even recommended. Products that offer an 'all or nothing' approach are very risky and should be avoided. Even the best patches from the most reputable vendors have not been tested in every possible environment. The only time where automatic patch enforcement can be used is when an organization maintains a security baseline of known working patches.
Relying on any sort of tool that automates business decisions is risky. However, relying completely on manual testing and patching processes represents a much greater level of risk. Staged testing can mitigate the risks of automated patching. However there are almost no options to mitigate the risks associated with not patching. A best practices approach aligns with the use of automated tools. However, the owner of the systems is the one who ultimately makes the final decision on when and how patches are deployed and temporary isolation may be the only effective mitigation technique should a mission-critical system (e.g.: payroll server) not be able to accept the new patches to be deployed.
A patch management solution that centralizes and automates the task of distribution and application allows IT teams to make patching an integral part of their overall security management strategy. This alleviates the need for a management initiated panic reaction to address the latest vulnerabilities or piece of malware, which could lead to a time consuming and ineffective scramble for a solution.
Providing a unified view for managing all products in an integrated security console will enhance administrative productivity for IT teams, as well as lessening the overall complexity and costs associated with the task of patch remediation.
Dedicated patch and vulnerability management software and services can take away the burden of patch deployment and management - if the right solution has been chosen. Some patch and vulnerability management solution vendors will also test and authenticate patches before making them available, which helps reduce an IT workload even more.
Companies and organizations that invest in complex and expensive network systems could find these systems become rendered useless if something as simple as patching is not managed effectively. Hackers continue to use worms, viruses and spyware to exploit known vulnerabilities on unpatched systems, resulting in costly network downtime and considerable administrative resource and expense to repair.
Moreover, as the trend continues in enterprise networking for the convergence of voice, video and data onto a single network, the implications of downtime due to a compromised network become more far-reaching. Unpatched critical applications such as telephony are now vulnerable to malicious attack, with potentially disastrous consequences for an organization's data. This is in addition to having a negative affect on the productivity of staff.
Patching is, of course, only one element of an overall security program. However, it does make a pivotal contribution to reducing the myriad of vulnerabilities and their resulting exploits. It also helps to resolve issues arising from spyware and malware. By establishing the correct procedures and process for patch management, companies can ensure they are less likely to fall victim to network attacks.
The author is the managing director for PatchLink EMEA