But with this diversity comes a unique set of challenges for IT administrators who must deploy security patches for an increasing array of boxes and the critical applications that run on them.
"We have users that may not ever see the inside of the office for days, weeks, months at a time, and we can't really rely on them for patching," says James Mascaro, technical services and support manager for Seattle-based aQuantive's East and Central regions.
The answer, experts say, is a centralized approach to managing patching across platforms and applications. Many administrators appear relatively comfortable patching Windows thanks to helpful resources such as scheduled monthly security updates and tools like Windows Server Update Services. But when it comes to the plethora of other platforms, applications and even security software, many professionals are left applying manual updates — or worse, none at all.
"The networks are becoming more heterogeneous," says Steve Munford, CEO of Burlington, Mass.-based Sophos. "People are concerned about vulnerabilities on Microsoft and non-Microsoft platforms, and people do not want different tools to do different things on different platforms. They prefer to have one tool to assess vulnerabilities."
Just think of the latest news that might make some administrators lose sleep: Security researchers already are predicting that a cross-site scripting flaw in Adobe will be the worst vulnerability in 2007. Apple is releasing security updates with increasing regularity. Experts expect Red Hat to soon do the same. Meanwhile, according to a year-end survey from PatchLink, 51 percent of 235 respondents said they have seen a rise in non-Microsoft vulnerabilities, while two-thirds predict a jump in zero-day bugs this year.
Organizations need to get a handle on patching across their systems, and they need to do it now.
"Vulnerabilities don't know any bounds," says Chris Andrew, vice president of security technologies at Scottsdale, Ariz.-based PatchLink. "They can exist in any platform or software. [An exploit] certainly could cause a root level compromise. Once you have something bad inside your systems, there's clearly a chance it will compromise your other systems running inside your network."
Aside from offering an automated mechanism to deliver fixes that saves both time and money for the organization, a single patch management console allows administrators to track which patches have been applied and which are still missing. "Everything's all contained within the single console," says Mascaro, whose company uses a solution from South Jordan, Utah-based LANDesk. "The information there is invaluable."
Vendors catering to Linux
Patch and vulnerability management are now critical parts of any enterprise's security posture. The National Institute of Standards and Technology released a best practices document recommending that "organizations have a systematic, accountable and documented process for managing exposure to vulnerabilities through the timely deployment of patches."
Over the past year, security providers who specialize in this area have responded by offering support for heterogeneous environments. For example, Altiris, in December, announced new Linux patch management capabilities designed to reduce the complexity of manual patch management.
Michael Jang, author of Linux Patch Management, says a single console allows administrators to ensure all systems are updated in a timely manner and that patches are not disrupting certain configurations.
"It means you can easily spot where things are not up to date and know where to focus your resources," he says. "You have more visibility on the update status of all your systems, whether they are on a version of Linux, Windows XP or Windows Vista."
Experts say more organizations are deploying Linux because of its open-source nature and lower cost of ownership and because applications are increasingly becoming less dependent on which operating system they run. But in what still is a largely Windows-centric world, managing deployments such as Linux servers could prove tedious without properly skilled personnel, says Jason Chan, technical manager of Security Advisory Services at Symantec, Cupertino, Calif.
A certified staff
That is why organizations must realize that even if they deploy a patch management solution, they are nothing without a certified staff.
"There's certainly room for new tools and technology for the administrative burden, but what you always have to keep in mind are the people and expertise you have to effectively manage and design into this infrastructure," Chan says. "Companies are straining to find the right levels. There are always bigger IT shops that are going to drive specialization. You get down to that layer of medium size enterprises, and it's often just not possible to have specialized functions."
Need attention, too
A common tendency among enterprises is to overlook the maintenance of patches on virtual machines.
According to experts at Palo Alto, Calif.-based VMware, virtualization disconnects physical hardware from the operating system to allow organizations to better utilize IT resources. The concept permits multiple heterogeneous operating systems to run in isolation on the same server, each containing its own set of virtual hardware.
Benefits include allowing multiple applications and operating systems to be supported on the same physical machine, according to VMware. And because the virtual machines run compartmentalized from each other, a crash by one will not affect any others.
The approach makes sense for many organizations because oftentimes servers go largely underutilized. But the problem arises when organizations fail to manage security, says Steve Morton, vice president of product management and marketing at Altiris, based in Lindon, Utah.
"You might have five virtual machines that must be patched," he says. "Centralized management helps make that easier."
Organizations must remember that virtual machines are still open to attack, says Chris Andrew, vice president of security technologies at PatchLink. "When I say, 'Patch everything,' even the ones you don't think you have are still important to be patched," he says. "Anything with an IP address could be exploited."
— Dan Kaplan