Advertisement
Promo

Security management Toolkit

Security takes more than patch management

Diana Kelley CNET News

Published: 17 Nov 2003 12:10 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Patch management is a little like flossing your teeth. Everyone knows they're supposed to do it, but most of us still don't.

Some pundits say the simple answer for patching lies in proactivity. Get the patch applied before an incident occurs, and keep the problem from occurring rather than fixing it after the fact. That's a simple truth, but in practice, it's a lot harder to pull off than it sounds. It also contradicts the way security is usually addressed.

Unfortunately, despite all the hype around being proactive and prepared, especially after 11 September, 2001, the reality remains that a majority of security fixes are done retroactively, after an incident has occurred.

One problem is that being proactive often gets confused with being fully automated. This is risky, because they're two very different concepts.

While there is much to recommend with regards to automating portions of the patch process, there are also compelling reasons to support manual intervention as a component of the work flow. There's no doubt that administrators are drowning in a flood of daily threat warnings and patch updates and have valid reasons for not applying every patch immediately.

Too many have been burned by server farms going dark with a collective "blue screen of death" after applying a buggy service pack and are, quite reasonably, skittish about automatically slapping the latest patches on their production servers. Complicating matters are the vendors themselves. Many release vulnerability warnings concurrently with the patch fixes, escalating the urgency of the patch cycle. Yet the patches themselves are often not fully tested and can result in more problems -- such as patches that delete critical third-party agents -- rather than fewer.

The result is that the industry is between a rock and a hard place on the patch issue. Case in point: Six months before SQL Slammer hit companies such as Bank of America and Washington Mutual and brought portions of their automatic teller machine networks to their knees, Microsoft had released a vulnerability warning and a patch. Why hadn't those organisations applied the patch? Were their administrators asleep at the wheel? Far from it. What they need is focused intelligence about which patches to apply -- and when.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
112 out of 195 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:






Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment

Featured Talkback

In association with Network Liberation Movement
It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters