Let's Get One Thing Straight, Software Patches Are No Laughing Matter
It can be quite easy to get behind on the constant flurry of software security patches; even as I write this, a couple of notifications are asking me to download the latest security patches for my laptop.
Despite the time and hassle, however, system and network patches are an essential component of a healthy computing environment. For regulated industries, it goes even deeper than that—being able to show that systems have all the necessary security updates is a compliance requirement.
“If we compare computer security to physical security, we could say firewalls function similarly to fences and guard dogs, access controls are a little like locks, and applying patches is somewhat analogous to installing steel reinforced doors or unbreakable windows,” wrote technology consultant and author Debra Littlejohn Shinder in a recent GFI TalkTechToMe blog post.
While access controls are important, they are of little use if malicious elements can sneak through the window, which is why patching, onerous as it can be, should not be overlooked.
Haphazard patching practices can be worse than useless, however. According to Shinder, they can result in downtime, loss of productivity and a less secure environment. That is exactly why it is important to have written patch management policies and procedures, as well as a designated person or group, to stay on top of the patch process and take responsibility for it being done properly.
The reason this matters (and why a designated employee needs to stay on top of the patching process) is, as Shinder puts it, that “while patches are generally created by vendors focused on a particular operating system or application, in the real world our OS and apps are running within an entire ecosystem where programs interact with one another and every piece of software has the potential to affect many others.”
Hardware configuration, settings in the OS or app and even the order that programs run can affect the patching process.
Needless to say, it is vital to intimately know the environment where the patches will be applied, in addition to the way each vendor leverages patches, how those patches have been received by others and if they will be appropriate.
“Answering those questions means having someone in the org who stays on top of current security issues as they become known,” Shinder adds. “That person must be familiar with the software in use and the vendors’ patch release practices and schedules, but you should look beyond ‘official’ info from the vendors.”
It is also important to test patches before they are rolled out, the post clarifies. This can take time, but it can also be eased through the use of automation.
For Shinder, at least, this is the value proposition of commercial patch management and deployment tools.
“In today’s tough economic times, it’s tempting to try to DYI as much as possible to save money, but in my opinion, a good patch management system will soon pay for itself, not just in dollars but in administrative overhead and even reduced stress for everyone who has a stake in ensuring that systems are secure,” she wrote.
A full-service patch management solution should be able to scan systems for missing patches, download the patches, test them and deploy them to the production network. It should also make the process as automatic as possible while still giving administrators ultimate control.
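As an added illustration of the scan-then-staged-deploy workflow described above (example code written for this article, not GFI's product or any vendor's code), the following Python compares a host inventory against an advisory list to find missing patches, then orders the deployment into rings so that production hosts only receive a patch once every host in the test ring has reported success. All host names, package versions and advisory identifiers are constructed placeholders, and the "test results" are supplied by the caller rather than gathered from real systems.

```python
"""Patch-compliance scan and ring-gated rollout (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: "3.0.12" must sort above "3.0.9",
    which a plain string comparison gets wrong."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str        # package the advisory applies to
    fixed_version: str  # first version that contains the fix
    advisory_id: str    # constructed placeholder id, not a real advisory


# Constructed sample advisory feed: the minimum version that closes each issue.
ADVISORIES = [
    Advisory("openssl", "3.0.12", "ADV-EXAMPLE-001"),
    Advisory("libxml2", "2.11.5", "ADV-EXAMPLE-002"),
]

# Constructed sample inventory: installed package versions per host.
INVENTORY = {
    "web-01": {"openssl": "3.0.9", "libxml2": "2.11.5"},
    "web-02": {"openssl": "3.0.12", "libxml2": "2.10.4"},
    "db-01": {"openssl": "3.0.12", "libxml2": "2.11.5"},
}


def scan_missing(inventory: Dict[str, Dict[str, str]],
                 advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return {host: [advisory_id, ...]} for every host running a version
    below an advisory's fixed version. Hosts without the package are skipped,
    since the advisory does not apply to them."""
    missing: Dict[str, List[str]] = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_version):
                missing.setdefault(host, []).append(adv.advisory_id)
    return missing


def rollout_waves(missing: Dict[str, List[str]],
                  rings: List[List[str]]) -> List[List[str]]:
    """Order the hosts that need patching into deployment waves following the
    ring order (test ring first, production last). Compliant hosts drop out."""
    return [[host for host in ring if host in missing] for ring in rings]


def next_wave(waves: List[List[str]],
              results: Dict[str, bool]) -> Tuple[str, object]:
    """Gate the rollout on reported results. Returns one of
    ("halt", host)   - a patched host reported failure; do not proceed
    ("deploy", hosts) - the next hosts to patch
    ("done", [])      - every wave has succeeded."""
    for wave in waves:
        for host in wave:
            if host in results and not results[host]:
                return ("halt", host)
        pending = [host for host in wave if host not in results]
        if pending:
            return ("deploy", pending)
    return ("done", [])


if __name__ == "__main__":
    missing = scan_missing(INVENTORY, ADVISORIES)
    waves = rollout_waves(missing, [["web-01", "db-01"], ["web-02"]])
    print("missing patches:", missing)
    print("first action:", next_wave(waves, {}))
    print("after test ring succeeded:", next_wave(waves, {"web-01": True}))
    print("after test ring failed:", next_wave(waves, {"web-01": False}))
```

The scan deliberately compares version tuples rather than strings, a common source of false "compliant" results in home-grown scripts; the gate stops the entire rollout on the first failed test host, which is the behaviour the post's advice on testing before production deployment implies.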
Regardless of whether a commercial or homegrown solution is used, patching should not be overlooked, which is why it is time for me to end this article and take care of those security update alerts in my System Tray.
Industry expert GFI Software offers a plethora of award-winning network monitoring, management and security solutions for both the home and business. To check out some options that best fit your needs, and join the millions who already have, visit www.GFI.com.
Edited by Allison Boccamazzo