Not so long ago, security updates were done infrequently on the desktops and laptops at SYSCO Food Services of Arizona. Network administrator Denver Roberts would usually apply security updates only when a PC needed attention for other reasons. Even then, he said, he "applied only the minimum of any required patch, depending on the circumstance."
This unfocused approach to security preparedness was largely the product of too many desktops and too little time. Roberts is charged with maintaining all hardware attached to the network, including 110 desktops, 10 servers and 200 laptops. That includes making sure that devices are getting along with SYSCO's primary applications: NetManage's Rumba Office, Business Objects' business intelligence applications, and Windows 2000 Office.
The Melissa virus changed all that. Although his network was spared a direct hit, Roberts saw it as a sign that he had to create a more organized and effective security update process. In this interview, he discussed his action plan.
SWM: What problems were you having with security updates? How did those problems impact your and your company's productivity?
Roberts: Generally, somebody would phone me with a desktop [repair] issue that required me to pay a visit. During that visit, I would update any programs that required updating. This left many PCs in various states of not being current.
Productivity would generally be affected in two ways. For me, I was tied up at somebody's PC updating versions of software or drivers, as well as trying to resolve a problem. If the end user didn't have an open PC nearby, they were just waiting for me to finish.
SWM: How did the Melissa virus affect SYSCO?
Roberts: SYSCO as a whole did not take a big hit with Melissa. Each of our operating companies operates independently, and a few were using Exchange at that time. I recollect that there were a few infections.
In the Arizona offices, we were using TAO for our e-mail, and Internet access was not available to our users at the desktop. (TAO, or The ACE ORB, is open-source middleware that allows other programs to work together smoothly.) The e-mail application and client executables were located on a local server, which is always kept current with antivirus software updates. The TAO e-mail server also had antivirus software, which scanned all incoming and outgoing e-mail for viruses. Since infections could only take place from e-mail file attachments or media brought in, the Arizona office did not suffer from Melissa.
SWM: Although your office escaped from Melissa, you decided to beef up security against future attacks. How did you go about finding a security solution?
Roberts: Ecora's Patch Manager accidentally fell into our laps. I had been talking to an associate prior to our company's conversion to Microsoft Active Directory. He recommended Ecora's main inventory application. During talks with Ecora, I learned about Patch Manager, which can scan each PC for its current level of patches. That fit my needs, since I had to identify the current status of each PC and get the appropriate patches prior to implementing Active Directory.
SWM: Could you describe the implementation of Patch Manager?
Roberts: It was as easy as running the setup program. Configuration was fairly easy. Ecora's rep walked me through doing a scan on the phone. It took us about 15 minutes to go over the finer points.
SWM: How do you use Patch Manager today?
Roberts: Patch Manager is still beta software but works great. I know within a short amount of time what patches are installed on each of my PCs. I can even choose to install an important patch immediately or schedule it for a later time. On laptop computers, I can even schedule an installation during a time after they have 'left the network' -- when the laptop is physically not on our network anymore. The patch will install at the scheduled time.
SWM: Does Patch Master completely solve the problem of deploying patches?
Roberts: I don't think any software package can completely solve the problem of deploying patches. It helps you keep remote users up-to-date by scheduling scans during times remote users are connected to your network. Then you can use the data from the scan to schedule the deployment of the patches.
SWM: What advice would you give to other IT pros who are facing the problem of patching many remote and mobile desktops?
Roberts: Keep your PC operating systems up-to-date...[and do] frequent updates to [your] antivirus software. Any computer that accesses the Internet directly should also have personal firewall software installed.
This was first published in January 2003