
Four ways to sell a patch management strategy

If Code Red and Nimda weren't enough to help you persuade the boss to get a patch management strategy going, then these four "sales" tactics may help you make your case.

There's nothing like a powerful virus to make a Windows administrator wish he had a patch management strategy.

The notorious Code Red and Nimda viruses knocked out 1,500 Windows workstations, laptops and servers in WorldCom Inc.'s call center support division for 24 hours in the fall of 2001. The number of stricken machines may have been a small percentage of the division's 30,000 machines, but Nimda shook the IT department and executive ranks into action, said James Baird, a senior systems security analyst for Ashburn, Va.-based WorldCom.

Three patches that could have nailed Nimda
Nimda caught WorldCom admins and executives by surprise, but it could have been avoided. Microsoft had made patches that prevented Nimda available months before the attack. Nimda, which hit admins everywhere in September 2001, exploited three vulnerabilities that Microsoft patches had already addressed, recalled James Baird, a WorldCom Inc. senior systems security analyst:

  • The patch for "IIS/PWS Escaped Characters Decoding Command Execution Vulnerability" was released on May 15, 2001, four months before Nimda struck.

  • The patch for "IE MIME Header Attachment Execution Vulnerability" was released on March 29, 2001, six months before Nimda.

  • The patch "IIS and PWS Extended Unicode Directory Traversal Vulnerability" was released Oct. 17, 2000, 11 months prior to the attack.

"We had 40 IT folks working 24 hours to get our systems patched, machine by machine," Baird said. "They were all expected on different jobs that were put on hold."

Every admin likely has heard a story similar to Baird's -- of trouble striking when there's no patch management strategy in sight -- but admins don't have to wait for disaster before they shore up their Windows networks. Admins must help managers weigh the risks of not patching Windows networks against the time and expense it takes to create a patch management strategy.

"You're quantifying the cost of doing something about the problem versus not doing something," said Jeff Kaplan, managing director of ThinkStrategies, a research firm in Wellesley, Mass. A patch management strategy comes with direct costs, such as administrator salaries and software, he said. Going without a strategy results in indirect costs, such as system shutdowns or poor network performance, which erode employee productivity, partnerships, sales and reputations.

Here are some steps admins can take to persuade managers that, when it comes to patch management, there's no time to waste:

Ask managers what value they place on company data, intellectual property, trade secrets and other corporate information on the Windows network in order to help determine the company's level of risk tolerance, said Pete Lindstrom, research director at Spire Security LLC, in Malvern, Pa. If patch management is deemed a low priority, admins must make the risks clear to managers.

Write a report describing how the IT department responded to a particular virus, Lindstrom said. Include the number of hours admins spent reviving the network, the duration of user downtime, any business transactions affected and any other tech responsibilities that were disrupted or shoved aside. To formulate hard data, multiply the number of hours spent fixing the network by a typical hourly consulting fee.

Track time spent reacting to issues related to Windows patches and time spent proactively managing the network, ThinkStrategies' Kaplan said. "If a major proportion of an administrator's time is spent on reactive maintenance that could've been avoided, it's obviously not a good use of time," he said.

Prepare a list of current, applicable network vulnerabilities, said WorldCom's Baird, who is based in Atlanta and is an adjunct instructor with the Georgia Bureau of Investigation, an organization that educates the public about Internet security.

Several organizations maintain Web sites that list the latest virus threats, including McAfee Security, Trend Micro Inc., Symantec Corp., Internet Security Systems Inc., TruSecure Corp., and VulnWatch, a nonprofit security vulnerability mailing list.

A reference list of security vulnerabilities, Common Vulnerabilities and Exposures, is hosted by the Mitre Corp., a nonprofit that provides IT support to the government.

