Software patching is a way of life today, and there is nothing in the near term to suggest that will change. But there is much that administrators can do to make the job less difficult and grueling, according to one security expert.
Fred Cohen, a principal analyst at Burton Group, a Midvale, Utah, consulting firm, offered patching tips and other expertise during a recent phone briefing with enterprise customers.
He said that customers should understand their own risk management strategy, which means that everyone must figure out under which circumstances patches need to be applied and how long it should take. Then the proper staff must be there to put the test systems in place. "The worst thing you can do is send out a patch and then have a bunch of systems that can't reboot," he said.
Cohen said that enterprise customers are in a state of constant patching because the software industry, until recently, has been concerned with getting products to market and expanding functional capabilities instead of testing its products.
Sloppy coding techniques of the past are inexcusable today. Now there are better techniques, higher coding standards and other protective measures that can help eliminate problems, he said.
There are more applications that patch Windows than any other software. A few from Microsoft include Software Update Services (SUS), Windows Update (a manual update system) and Systems Management Server; there are also numerous Windows-only patch management tools from third-party vendors and a few products that patch across multiple platforms.
Cohen said that Microsoft's Software Update Services, a free utility in Windows server, is limited because it only looks in the registry to determine the version of software in place, and sometimes attackers can modify the version registry.
The value of having a cross-platform, patch management system or a Windows-only patch management system versus a manual one is the money and time it can save, he said. Cohen noted the many security initiatives under way at Microsoft.
The company has said that by improving code quality, it will reduce vulnerabilities, but that hasn't been the case so far. Microsoft is driving to a single patch system for Windows, smaller patches and an expansion of the uses for SUS. But these improvements won't occur for at least six months.
Cohen said that many enterprises want to control where users get their patches because they don't want users going on the Internet and modifying their systems. It's possible that Trojan horses or other malicious software could be inadvertently downloaded when the user thinks he is installing a patch. "Just as a matter of control and assurance, enterprises have taken the strategy of wanting patches to run through the enterprise," he said.
Cohen made some recommendations for customers who run enterprise systems. He said that if system control software is in place that supports patch management on all platforms, companies should use it for patch management in the short term.
He said that if only patch management is desired, users should select the best possible patch management software available. Otherwise, they should choose the best system control application possible that also supports patch management.
As always, users should consider risk aggregation issues in the deployment strategy, he said. IT administrators need to weigh the aggregated risks of patch management and other system control software to decide how much diversity is necessary to mitigate aggregated risks, Cohen said.
FOR MORE INFORMATION: