With all the patch management software on the market, why do so many corporate network environments get hit and adversely affected with malicious security attacks?
The question has two basic answers:
1. Corporations that don't have patch management software are confident that the operating system vendor has done all it can to minimize the possibility of an attack.
2. Corporations have patch management software but are not proactive or are unsure of the effectiveness of the solution because they have never completed any drills or deployed noncritical patches.
I will address both of the answers above and discuss some best practices.
Let's look at why corporations don't have any type of patch management solution. Generally, OS development companies attempt to minimize attacks to the OS; however, there are individuals who make it their life's ambition to find and exploit vulnerabilities to OS or other enterprise software. For example, Microsoft's newer OS does have an update service to assist in securing workstations and servers. But in many corporate environments, it is unrealistic to believe users will patch their own systems. Many administrators don't want individual users to install updates or patches to corporate assets; they want patches to be thoroughly tested before installation.
It is generally unrealistic to believe or, for that matter, place the burden of distributing patches to corporate assets on the OS vendor. However, OS vendors are responsible to produce and make available patches and hotfixes in a timely matter. In addition, corporate administrators need to inform end users on possible exploits and patches to minimize the effect.
This is a no-win situation and will lead to loss of productivity, resulting in reduced revenue.
Now let's look at what happens when corporations deploy a solution then use it effectively, or they implement or purchase a solution that does not meet their current needs. The solution will be deployed but never tested or used to deploy noncritical patches to test the deployment of the patches or the steps to test the deployment.
I believe patch management is no different than disaster recovery. Many organizations have a disaster recovery plan, but never put the plan to the test until a disaster hits. Then they find out the plan does not work. The same thing happens for patch management -- a solution will be in place but never exercised until it is too late. Once the solution is in place, corporations should deploy less critical patches to clients to test the solution and their methodology.
So here are some of my best practices:
- Implement a patch management that integrates and complements your current management solution.
- View vendors' roadmap to ensure they can support deployment of patches for other products than
- Choose a standalone solution if you are only looking at patch management.
- Understand the exact mechanism from downloading the patch to distributing a patch to clients.
- Distribute patches based on collection (not entire site at one time).
- Ensure that the solution can QChain patches if there is more then one patch sent at a time to
- Test your patch management solution before having to deploy a critical patch (do the drill).
- Implement a change control methodology to ensure patches can be escalated for deployment to
- Test patches in a lab before deploying them to clients.
- Document steps and procedures of your patch management solution for the administration, testing
- Determine if the solution has robust reporting capabilities of the deployment and execution (success and failures) of patches.
Following these best practices will ensure when the next worm or vulnerability is exploited you will be prepared.
Travis Davis is a consultant in Professional Services at Altiris, based in Lindon, UT. He is responsible for designing, deploying and providing assistance to Altiris' enterprise customers. He has more than six years of experience in technology deployment, integration and management.
This article first appeared in myITforum, the premier online destination for IT professionals
responsible for managing their corporations' Microsoft Windows systems. The centerpiece of
myITforum.com is a collection of member forums where IT professionals actively exchange technical
tips, share their expertise, and download utilities that help them better manage their Windows
environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget
network of Web sites. To register for the site and sign up for the myITforum daily newsletter,
click here: http://myitforum.techtarget.com/registration/form.asp?user=0.
This was first published in July 2004