Spending on software patches is a tough sell

By Jennifer Lawinski, News Writer 15 Mar 2005 | SearchWindowsSecurity.com

Digg This!     StumbleUpon     Del.icio.us

MILLIS, Mass. -- When Paris Hilton's T-Mobile account was hacked recently, it was because a patch that had been available for months hadn't been deployed on a Web server, said Peter H. Gregory, chief security strategist with VantagePoint Security LLC, at SecureWorld

Do we test the patch or do we just push it out? There is not ample time to do both. Peter H. Gregory, chief security strategist, VantagePoint Security

Expo on Tuesday.

"The technology itself does not solve the problem," Gregory said. "The hackers have better software development processes than we do." They move more quickly, he said, leaving enterprises in a bind on how to formulate an effective and efficient patch management strategy.

The cost of applying patches across an enterprise can make the effort seem like a waste of resources. "They don't produce a result like building a new server produces results," Gregory said, so it can be hard to convince management to spend on preventative measures like patching. "Most of the software you're running on users' desktops costs less per year than patches," he said.

However, patches keep coming with each new version of a vendor's software. Last month, Microsoft released more than 60 security fixes, many that the software company considered critical.

How then can your enterprise ensure that it's maintaining its systems' integrity while staying on its toes to keep malicious code at bay?

Designing a patch strategy

Components of a patch management strategy include risk analysis, record keeping, testing procedures, change control processes, the use of scanning and deployment tools and management reporting.

"For some, having a patch management

For more information Find more resources on the topic of patch management   Learning Center: Patch management

strategy means using a patch deployment tool," Gregory said. "This is only one piece of the big picture … centering your strategy around the focus of looking at vulnerabilities and patches and getting the patches out to the machines isn't enough anymore."

Gregory recommends examining your system and deciding if it is adequate for your IT shop's needs. The goal is to be proactive in preventing an attack, he said.

Instead of focusing solely on patches, enterprises also need to take a comprehensive look at security policies, security architecture and standards, incident response, perimeter defenses, "anti-everything-bad" and intrusion prevention strategies. Creating guidelines and promoting awareness can help smooth the patching process. Firewalls and intrusion prevention are "vital if you're going to be keeping your business safe," Gregory said.

Testing is also an important piece of the patch management puzzle.

"Do we test the patch or do we just push it out?" Gregory asked. "There is not ample time to do both." With exploits of some vulnerabilities being posted within ever-shrinking windows, testing can seem a luxury. "Quality requires more time," he said.

Tags: Network intrusion detection and prevention and malware removal,  Patches, alerts and critical updates,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Windows desktop operating systems security management Top 5 Windows desktop security tips How to use Group Policy to control wireless access Internet Explorer security settings and controls Password cracking and hardening Reduce your Web server's attack surface Plan for a security breach, step by step Managing information risks: Do you have IT governance? Cracking passwords: Eight tips in eight minutes Top Web security tips of 2006 Information security predictions for 2007 Network intrusion detection and prevention and malware removal 20 days to a more secure enterprise Improvements to offline file synchronization in Windows 7 Underlying causes of inconsistent patch management Windows security tools for the busy desktop administrator Check IT List: Five steps for rootkit detection Top Windows client security tools for end users Hacking Exposed Windows: Windows security features and tools Tools for virus removal and detection Windows security testing: Five tips for the summer Buffer overflows can be prevented by GS cookies Patches, alerts and critical updates Microsoft releases six patches for November Structuring patch management in seven steps Underlying causes of inconsistent patch management Microsoft's Online Desktop Manager caters to small IT shops Microsoft's Patch Tuesday brings a bumper crop of security fixes Act fast with five critical September patches Microsoft's August patches run the gamut Patching third-party browsers adds more work in Windows shops Troubleshooting Microsoft WSUS connectivity issues Windows security tools for the busy desktop administrator

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary