MILLIS, Mass. -- When Paris Hilton's T-Mobile account was hacked recently, it was because a patch that had been available for months hadn't been deployed on a Web server, said Peter H. Gregory, chief security strategist with VantagePoint Security LLC, at SecureWorld
"The technology itself does not solve the problem," Gregory said. "The hackers have better software development processes than we do." They move more quickly, he said, leaving enterprises in a bind on how to formulate an effective and efficient patch management strategy.
The cost of applying patches across an enterprise can make the effort seem like a waste of resources. "They don't produce a result like building a new server produces results," Gregory said, so it can be hard to convince management to spend on preventative measures like patching. "Most of the software you're running on users' desktops costs less per year than patches," he said.
However, patches keep coming with each new version of a vendor's software. Last month, Microsoft released more than 60 security fixes, many that the software company considered critical.
How then can your enterprise ensure that it's maintaining its systems' integrity while staying on its toes to keep malicious code at bay?
Designing a patch strategy
Components of a patch management strategy include risk analysis, record keeping, testing procedures, change control processes, the use of scanning and deployment tools and management reporting.
"For some, having a patch management
Gregory recommends examining your system and deciding if it is adequate for your IT shop's needs. The goal is to be proactive in preventing an attack, he said.
Instead of focusing solely on patches, enterprises also need to take a comprehensive look at security policies, security architecture and standards, incident response, perimeter defenses, "anti-everything-bad" and intrusion prevention strategies. Creating guidelines and promoting awareness can help smooth the patching process. Firewalls and intrusion prevention are "vital if you're going to be keeping your business safe," Gregory said.
Testing is also an important piece of the patch management puzzle.
"Do we test the patch or do we just push it out?" Gregory asked. "There is not ample time to do both." With exploits of some vulnerabilities being posted within ever-shrinking windows, testing can seem a luxury. "Quality requires more time," he said.