No system is immune to viruses. Unfortunately, discovering these security weaknesses is usually left up to virus and worm writers and hackers. If you aren't the first one attacked, there are usually patches available to inoculate your system. Writer Mandy Andress discusses a procedure for keeping your patches installed and up-to-date on InformIT. Here is a bit about that procedure and a list of sites you can visit to find out about new patches.
Identifying vulnerabilities, finding the correct software patches, downloading the code, installing the security update in the right sequence (assuming that you've selected the correct fix for your application version) and validating effective installation is quite a process. Plus, keep in mind that all of this needs to be done before hackers send notice to your firm in their own special ways.
You need to create a system to manage security updates and patches for your software, including operating systems, business applications, Internet access and even security applications. Although creating a security update system is daunting, after you've got one, your company should be able to keep on top of the security maintenance challenge.
Surprisingly, just a few steps can help you update and protect your systems against common exploits. Because small businesses don't have the myriad software and network configurations that large corporations do, you should be able to keep track of security updates easily if you're systematic and take these precautions:
- Identify and list your software. For each, note the:
- Type (such as operating, application, security)
- Installation date
- Name of the installer
- Every time you make a change on a software product, note the:
- Name of the update, patch or fix installed
- Functional description (what the code updates, adds or modifies)
- Source of the code (where the code was obtained)
- Date the code was downloaded
- Date the code was installed
- Name of the installer
- Retain your security update downloads in their own directory on a file server or other storage location.
- Create a "readme" file that documents each download's:
- Date of storage
Don't delude yourself. Even if you have no resources for a dedicated security staff person, a security updating and patch documentation system is mandatory. If you outsource security or software updates, you should expect the vendor to send you its patch logs at your request. If the firm resists your request or you experience slow or no delivery, you might want to reconsider your choice of outsourcing companies.
Mandy also provides a nice list of sites to visit to find out about security patches.
The SANS Institute proposes the 10 most critical Internet security threats at http://www.sans.org/topten.htm. CERT also supplies a host of information to improve your security, as does ZDNet's Security IT Resource Center.
Here are some other helpful sites listed by system:
Linux: Red Hat: http://www.redhat.com/apps/support/updates.html Caldera: http://support.calderasystems.com/caldera?faq&15-10 Linux-Mandrake: http://www.linux-mandrake.com/en/security/ SuSE Linux: http://www.suse.com/us/support/security/index.html Debian: http://www.debian.org/security/
Read about Mandy's advice on signing up for mailing lists over at InformIT. Registration is required, but it's free.
This was first published in October 2001