There's nothing like a powerful virus to make a Windows administrator wish he had a patch management strategy.
The notorious Code Red and Nimda viruses knocked out 1,500 Windows workstations, laptops and servers in WorldCom Inc.'s call center support division for 24 hours in the fall of 2001. The number of stricken machines may have been a small percentage of the division's 30,000 machines, but Nimda shook the IT department and executive ranks into action, said James Baird, a senior systems security analyst for Ashburn, Va.-based WorldCom.
"We had 40 IT folks working 24 hours to get our systems patched, machine by machine," Baird said. "They were all expected on different jobs that were put on hold."
Every admin likely has heard a story similar to Baird's -- of trouble striking when there's no patch management strategy in sight -- but admins don't have to wait for disaster before they shore up their Windows networks. Admins must help managers weigh the risks of not patching Windows networks against the time and expense it takes to create a patch management strategy.
"You're quantifying the cost of doing something about the problem versus not doing something," said Jeff Kaplan, managing director of ThinkStrategies, a research firm in Wellesley, Mass. A patch management strategy comes with direct costs, such as administrator salaries and software, he said. Going without a strategy results in indirect costs, such as system shutdowns or poor network performance, which erode employee productivity, partnerships, sales and reputations.
Here are some steps admins can take to persuade managers that, when it comes to patch management, there's no time to waste:
Ask managers what value they place on company data, intellectual property, trade secrets and other corporate information on the Windows network in order to help determine the company's level of risk tolerance, said Pete Lindstrom, research director at Spire Security LLC, in Malvern, Pa. If patch management is deemed a low priority, admins must make the risks clear to managers.
Write a report describing how the IT department responded to a particular virus, Lindstrom said. Include the number of hours admins spent reviving the network, the duration of user downtime, any business transactions affected and any other tech responsibilities that were disrupted or shoved aside. To formulate hard data, multiply the number of hours spent fixing the network by a typical hourly consulting fee.
Track time spent reacting to issues related to Windows patches and time spent proactively managing the network, ThinkStrategies' Kaplan said. "If a major proportion of an administrator's time is spent on reactive maintenance that could've been avoided, it's obviously not a good use of time," he said.
Prepare a list of current, applicable network vulnerabilities, said WorldCom's Baird, who is based in Atlanta and is an adjunct instructor with the Georgia Bureau of Investigation, an organization that educates the public about Internet security.
Several organizations maintain Web sites that list the latest virus threats, including McAfee Security, Trend Micro Inc., Symantec Corp., Internet Security Systems Inc., TruSecure Corp., and VulnWatch, a nonprofit security vulnerability mailing list.
A reference list of security vulnerabilities, Common Vulnerabilities and Exposures, is hosted by the Mitre Corp., a nonprofit that provides IT support to the government.