Keep Software Updated with Patches
Any job description for a network administrator or IT organization lists keeping system software current as a critical part of the job. Software vendors release updates, or “patches,” on variable schedules, fixing everything from simple cosmetic issues to critical security vulnerabilities that could be fatal to a company’s network and, therefore, to its ability to operate.
But for a small business decisionmaker with a long list of urgent priorities and limited IT resources, it’s hard to prioritize a potentially time-intensive, proactive activity that often fixes hard-to-understand problems and shows few immediate benefits. Why should a small business commit their limited time or IT budget to patching obscure problems?
What about the small business with a Macintosh presence? The once-specialized systems are finding a home in many small businesses that were formerly Windows-only. But updating the MacOS and Mac applications can seem to be an even lower priority than for Windows – when did you last hear about an exploit for the Macintosh?
Even for a business that knows it should be regularly patching all its systems, how does it get started? Then, how does it prove that it is up to date, protected and reaping the benefits of the investment? In many markets, managers are asked to show partners and customers that proprietary data is protected from routine exploits. A responsible decisionmaker can’t wait for a widespread malware outbreak to hit the Internet before finding out whether they’re protected.
Keeping up with ever-growing numbers of applications and vendors is a constant challenge even for enterprise IT organizations. Many small and medium businesses, lacking enterprise-level IT resources, have a haphazard approach (if any approach at all!) to making sure their critical systems are up to date.
In the same way a business has a process for finding, hiring, training and managing their employees, a business that takes a serious approach to IT challenges will have a defined process for discovering, validating, deploying and reporting system updates and patches. Having such a defined process is how a company can move from patch confusion to Patch Management. This paper will help businesses answer the questions above and understand why patch management is a true concern and not just IT doublespeak.
Why should a small business commit limited resources to Patch Management?
Justifying any expenditure of time or money is critical to every small business decisionmaker. The biggest challenge when trying to justify proactive IT activities is that, when properly executed, a proactive strategy won’t produce flashy, easily quantifiable benefits. Ironically, proactive activities are working best when they’re least noticeable.
What is easy to quantify is your losses when there’s an IT crisis. Unhappy customers, lost sales and idle staff are the nightmares of every owner or manager – and even a small IT problem can leave a small business with all three.
There are certainly hurdles to implementing a true Patch Management strategy. But as we’ll see later, a good solution will cost a company far less than the near-inevitable IT catastrophe that results from ignoring system patches and updates. A single exploit can result in catastrophic loss of data, damage to a company’s reputation with partners and customers, thousands of dollars in direct and indirect remediation costs, lost effort when work must be redone and even, in certain businesses, legal liability if protected information is lost or compromised.
Just a few examples we’ve seen…
An IT organization responsible for several hundred systems experienced some rapid turnover in their workstation support staff. Even though the servers were correctly updated and patched by an accountable organization, the internal staff let the ball drop on workstation upgrades for 2-3 months, because of the chaos in the organization. As a result, their entire network was victimized by a preventable vulnerability – and they found themselves with egg on their face as they needed a complete rebuild of their Windows domain.
A professional services firm had a part-time IT manager – but when the IT manager fell behind on updates, no one in management knew about it, as there was no formal accountability for updates and he hid the situation from his superiors. When we were finally brought in, we found Internet-facing systems hosting customer data that hadn’t been patched in a year. The firm faced not only a hefty bill for direct remediation, but embarrassment with their customers as they were forced to reveal the vulnerability of the data. As they tried to repair their credibility, they faced additional expenses in the form of continuing security audits to show their customers not only that the current vulnerabilities were repaired, but that data wouldn’t be compromised again.
A company’s highly mobile workforce was victimized when their enterprise-quality email server – which had no enterprise-quality support – was brought down by an Internet worm that prevented anyone on the road from sending or receiving email for over a day. We came in and patched the vulnerability after a day and a half of downtime; not long in absolute terms, but enough time for at least one potential sale to be lost when a bounced email convinced the prospect that the company must have gone out of business.
Consider your own business, and the cost of losing a day or week of work versus the cost of a reliable systems update service.
The problem doesn’t even have to be catastrophic to have a major effect. For a tech-centric business, even a 10% slowdown in performance, or a couple server crashes a month, can add up to weeks of lost productivity over the course of a year. Even a few days of lost productivity can easily outweigh the annual cost of a good patch management service.
What about my Macintoshes?
It’s conventional wisdom among many longtime Macintosh users that security patching and updating just aren’t that important for Macs. Mac users can (quite accurately) brag that there has never been a Macintosh exploit that caused the problems that Melissa, Blaster or Nimda caused for Windows users.
However, the stellar security record that has drawn many new users and businesses to the MacOS makes the “conventional wisdom” a false sense of security for many Mac users.
In this case, a decisionmaker has to think like the IT security community, the people who face these issues every day. The prevailing view among these practitioners is that the MacOS security record owes more to the platform’s small installed base than to any inherent immunity: as Macintoshes become more numerous and gain a reputation for security, it’s a matter of when they become a target, rather than if.
No one can claim that the MacOS has no vulnerabilities whatsoever — Apple releases security updates on a regular basis (58 during 2004-2005).
Looking at the history of Windows security, many people don’t realize that the most successful worms exploited vulnerabilities that were already publicly known and already patched. Code Red (2001) and Blaster (2003) appeared roughly a month after Microsoft released the corresponding patches; SQL Slammer (2003) exploited a hole that had been patched about six months earlier. In each case, the machines that fell were the ones that hadn’t applied a patch that was already available.
Combining this history with the certain knowledge that the MacOS is not invulnerable, we can expect that when a successful Macintosh exploit does enter the wild, it will probably attack a vulnerability that has been known, and patched, for some time – and only the Macintosh users who have applied that patch proactively will be safe.
We can also guess that if there is a successful, well-publicized Macintosh exploit, it will probably launch a host of imitators hoping for the same attention, as already happened on Windows operating systems to make security such a concern.
There is no doubt, looking at the history and listening to the people who work on these problems, that a lack of vigilance may put Macintosh-based businesses at greater risk than their Windows counterparts. Small businesses that depend on the Macintosh to operate need to give security patching the same priority as they do for their Windows systems.
A true Patch Management strategy? Or a placebo?
For many businesses, a patch “strategy” consists of using the built-in operating system utilities to check for updates and install them automatically.
Without a doubt, this shows an interest in doing the right thing and it’s better than no action at all. However, it leaves the business with a new set of questions and concerns.
- Microsoft and Apple test their patches before releasing them – but certainly not with your specific mix of hardware and applications. How do you know they won’t cause compatibility issues before you install them across the entire company?
- If a patch does conflict with one of your critical custom applications, how do you figure out which patch is to blame, and remove it?
- Speaking of custom apps, when did you last check the version numbers on your software that Microsoft or Apple doesn’t automatically update?
- What happens to your network performance when 15 workstations all try to download 100 MB of updates at the same time?
- How much downtime is necessary to manually install patches and reboot systems?
- How much does that downtime cost?
- Who, if anyone, is notified when patches fail to install? Do they have the expertise to troubleshoot the problem? Or will they just click “OK” and leave the system vulnerable?
Neither Windows nor Macintosh built-in utilities will answer these questions. So you might be protected when they start talking about the next big Internet worm on CNN – or you might not.
When that day comes, is your business really better off than you would’ve been with no action at all?
Separating Patch Confusion from Patch Management
True Patch Management combines specialized tools with business best practices to give you the knowledge that you are definitely protected – not the false sense of security that “something” is being done, without knowing what that “something” might be.
A true Patch Management strategy has a documented process for both the technical and nontechnical activities involved.
- Discovery of new updates and patches, based on the operating systems, hardware and applications in use.
- Validation that patches are necessary on a technical level and compatible with the rest of the environment.
- Deployment of the patches, including downloading and actual installation of the updates.
- Reporting that audits what patches were installed and when they were installed on each system, for the purposes of technical troubleshooting and managerial oversight.
Unless each of these activities is taking place, either manually or automatically, a business is asking for problems. Without trusted and thorough discovery, new updates fall through the cracks. Validation saves countless hours otherwise wasted deploying unnecessary updates or recovering from an incompatible one. Timely deployment matters because exploits now appear days or weeks after a vulnerability is disclosed, so your systems must be patched before the exploit reaches the wild. Finally, without reporting you have no oversight of your IT activities – no way to know whether you are getting what you’re paying for, or whether you are protected at all.
Can a small business possibly manage all these tasks?
Obviously, it’s no mean feat for a busy owner or busy employee who is multitasking as an IT guru to reliably complete these tasks. However, considering the stakes, a decisionmaker can’t ignore these needs completely.
Many of these tasks can be automated, via systems management software, or outsourced to an outside organization far more economically than they can be performed by a small business owner or employee. On a technical level, it’s easy to outline the attributes of a reliable Patch Management service or system. A system must:
- enable incremental testing and rollout based on system type and function, so that patches are validated ahead of time and won’t disable every system of a given type when unforeseen problems are encountered.
- incorporate scheduling capabilities that prevent patch installation and reboots from interfering with other critical activities, such as overnight backups or third shift employees.
- account for the proper order of installation, whenever one patch must be installed before another.
- provide detailed accounting of what patches were installed, and when, for troubleshooting purposes.
- show management, at a glance, compliance with company patch management policies.
- enable rollback to the previous system state, not leaving a system unusable when a patch install is unsuccessful.
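The four-step process above (discovery, validation, deployment, reporting) and the system attributes just listed (staged rollout, install ordering, compliance reporting) can be made concrete in a small planner. The following is an added illustration, not code from this paper or from any patch-management product; the patch identifiers, host names and applications are constructed sample data, and the severity levels, rollout rings and conflict rules are assumptions chosen for the example. It shows how a held-back patch (one that conflicts with a business application) also blocks any patch that depends on it, and how a compliance report counts held and blocked patches as still outstanding rather than silently ignoring them.

```python
"""Toy patch-management planner: discovery, validation, ordered deployment, reporting.

Added example with constructed data. Patch ids such as "WIN-001" are hypothetical,
not real vendor identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Patch:
    id: str
    platform: str                          # "windows" or "macos"
    severity: str                          # "critical", "important" or "moderate"
    requires: Tuple[str, ...] = ()         # patch ids that must already be installed
    conflicts_with: Tuple[str, ...] = ()   # applications known to break (validation input)


@dataclass
class Host:
    name: str
    platform: str
    role: str                              # "pilot", "workstation" or "server"
    apps: Tuple[str, ...] = ()
    installed: set = field(default_factory=set)


# Constructed sample catalog and inventory (hypothetical identifiers).
CATALOG: Dict[str, Patch] = {p.id: p for p in [
    Patch("WIN-001", "windows", "critical"),
    Patch("WIN-002", "windows", "important", requires=("WIN-001",)),
    Patch("WIN-003", "windows", "moderate", conflicts_with=("LegacyLedger",)),
    Patch("WIN-004", "windows", "critical", requires=("WIN-003",)),
    Patch("MAC-001", "macos", "critical"),
    Patch("MAC-002", "macos", "important", requires=("MAC-001",)),
]}

HOSTS: List[Host] = [
    Host("pilot-01", "windows", "pilot", apps=("Office",), installed={"WIN-001"}),
    Host("acct-07", "windows", "workstation", apps=("Office", "LegacyLedger"), installed={"WIN-001"}),
    Host("mail-01", "windows", "server", apps=("Exchange",),
         installed={"WIN-001", "WIN-002", "WIN-003", "WIN-004"}),
    Host("design-03", "macos", "workstation", apps=("Photoshop",)),
]

# Staged rollout: pilot machines first, then workstations, then servers (assumed policy).
RING_ORDER = {"pilot": 0, "workstation": 1, "server": 2}


def discover(host: Host, catalog: Dict[str, Patch]) -> List[Patch]:
    """Discovery: every catalog patch for this host's platform that is not yet installed."""
    return [p for p in catalog.values() if p.platform == host.platform and p.id not in host.installed]


def validate(host: Host, patches: List[Patch]):
    """Validation: hold back any patch known to conflict with an application on this host."""
    held = [p for p in patches if any(app in host.apps for app in p.conflicts_with)]
    approved = [p for p in patches if p not in held]
    return approved, held


def order_for_install(approved: List[Patch], installed: set):
    """Deployment order: depth-first topological sort on 'requires'.

    Returns (ordered, blocked). A patch is blocked when a prerequisite is neither
    installed nor approved (for example, it was held back by validation).
    A dependency cycle in the catalog raises ValueError rather than looping forever."""
    by_id = {p.id: p for p in approved}
    ordered, blocked, state = [], [], {}      # state: 1 = in progress, 2 = done, 3 = blocked

    def visit(pid: str) -> bool:
        if state.get(pid) in (2, 3):
            return state[pid] == 2
        if state.get(pid) == 1:
            raise ValueError(f"dependency cycle involving {pid}")
        state[pid] = 1
        for req in by_id[pid].requires:
            if req in installed:
                continue
            if req not in by_id or not visit(req):
                state[pid] = 3
                blocked.append(by_id[pid])
                return False
        state[pid] = 2
        ordered.append(by_id[pid])
        return True

    for pid in sorted(by_id):
        visit(pid)
    return ordered, blocked


def plan_host(host: Host, catalog: Dict[str, Patch]) -> dict:
    """Run discovery, validation and ordering for one host."""
    approved, held = validate(host, discover(host, catalog))
    ordered, blocked = order_for_install(approved, host.installed)
    return {"host": host.name, "role": host.role,
            "install": [p.id for p in ordered],
            "held": [p.id for p in held],
            "blocked": [p.id for p in blocked]}


def rollout_rings(hosts: List[Host], catalog: Dict[str, Patch]):
    """Group per-host plans into rollout rings; hosts with nothing to install are omitted."""
    rings: Dict[str, list] = {}
    for host in sorted(hosts, key=lambda h: RING_ORDER[h.role]):
        plan = plan_host(host, catalog)
        if plan["install"]:
            rings.setdefault(host.role, []).append(plan)
    return [(role, rings[role]) for role in sorted(rings, key=RING_ORDER.get)]


def compliance_report(hosts: List[Host], catalog: Dict[str, Patch]) -> dict:
    """Reporting: a host is compliant only when no critical or important patch is
    outstanding. Held and blocked patches still count as outstanding; they need a
    management decision, not silence."""
    rows = []
    for host in hosts:
        outstanding = [p for p in discover(host, catalog) if p.severity in ("critical", "important")]
        rows.append((host.name, len(outstanding), not outstanding))
    compliant = sum(1 for _, _, ok in rows if ok)
    return {"rows": rows, "compliant_pct": round(100 * compliant / len(rows))}


if __name__ == "__main__":
    for ring, plans in rollout_rings(HOSTS, CATALOG):
        print(f"ring {ring}:")
        for plan in plans:
            print(f"  {plan['host']}: install {plan['install']} held {plan['held']} blocked {plan['blocked']}")
    print(compliance_report(HOSTS, CATALOG))
```

On the sample data, acct-07 gets WIN-002 scheduled, WIN-003 held because of LegacyLedger, and WIN-004 blocked because it depends on the held patch; the report still shows acct-07 as non-compliant, which is exactly the at-a-glance view management needs to decide whether the conflict is worth living with.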
Summary:
Having true Patch Management, rather than patch confusion, is an ongoing process and may sound like just another headache for the time- and cost-constrained small business. But clearly, when IT problems can cost a business time, customers and its reputation, a lack of reliable patch management poses a risk that no small business can ignore.
Addressed proactively, patch management can be implemented in a cost-effective manner for any business. However, if a decisionmaker doesn’t approach this issue proactively and find a way to make the process part of their routine business operations, they will certainly be forced to see their mistake when a preventable IT crisis paralyzes their business.