Many articles in this blog talk about cool, sexy, and trendy things. However in IT there are a lot of unsung heroes or platforms/processes in the background that take place that an employee, customer, or vendor never sees. In my opinion, one of the coolest back-office IT functions is the realm of patch management. It’s never given credit for all the things it can do, but is one of the first things blamed if something goes catastrophically wrong on the network.
We’ve all seen the blog posts, news articles, and email blasts come out and talk about vulnerabilities each and every week. There seems to be a constant barrage of organizations being hacked and leaking out Social Security numbers, Credit Card numbers, and other personal data. In fact, just before writing this article I was checking through my daily technology newsfeeds and decided to check on vulnerabilities from 4/13/2015 to give an example (which prompted me to write this):
- Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege
- New Security Updates for Adobe Flash Player
- Exploit in Microsoft Office Could Allow Remote Code Execution
- Oracle Database Critical Patch Update
- Java CPU Beans Vulnerability
These are vulnerabilities and exploits that were found by software or people. If they are publicly available to view then they are certainly being used by some not-so-nice people as well. Notice how the above exploits deal with VERY common software seen in just about any organization with computers. In fact, many core business applications are built around things like Java, Oracle, and Office.
Our Security and Privacy group does a great job in helping businesses with security assessments, penetration testing, forensics, governance, any many other services. Those items come and go – as part of those projects the business might be asked to patch or place hotfixes on hundreds of devices ranging from Service Packs on Windows 7 to firmware updates on a printer. I guarantee you that by the time those fixes are put into place, dozens of other patches will be released for other exploits that were discovered. It is a never ending cycle that is nearly impossible to conquer but that’s just the nature of technology. However, in this case it should be noted that doing something is better than nothing.
For the sake of this blog post, I’m going to just focus on devices like servers and workstations to keep it simple. If you take a look at software that is common on computers, you’ll probably come across things like Flash, Java, Adobe Reader, Internet Explorer, Microsoft Office, Google Chrome, and Mozilla Firefox pretty frequently. Are you ever bothered by pop-ups that ask you to update any of these programs and it seems like it happens every 2-3 days? You certainly aren’t alone! The programs want to update for a reason…mostly for security purposes. Sometimes an update might be available but you aren’t allowed to install them because a core business application is dependent on a specific version of software – I’m looking at you Internet Explorer and Java. Suddenly we’re in a dilemma: We need to update some of our software but we can’t because of another application dependency. Nearly every organization I’ve worked with has this problem to some degree.
Just because a business application requires a specific version of XYZ software doesn’t mean that patching other platforms should cease. In fact, patch management can do a lot for an organization:
- Provide reports on machines that need vulnerabilities fixed
- Enable limited WAN usage for patches to be stored on a local distribution point – devices that pull Microsoft patches directly from Microsoft = 100% internet usage
- Keep specific versions of software on machines without updating
- Utilize one resource for many different patch types including Microsoft, Java, Adobe, Google, Mozilla, etc.
- Creation of test groups for new patches to be validated and pushed to production
- Ensure consistent software versions are installed on machines
- Silently install updates and disable any notifications to the user
- Automated patching on certain days/weeks/months
That’s just a small subset of benefits to implementing and maintaining a well-oiled patch management environment. Most organizations are extremely surprised at how many patches they need in their environment after we run an initial network scan. It’s overlooked, forgotten, and never treated with a sense of urgency until something is broken. To give a visual, these are pie charts from a typical sized client that compares an initial patch report compared to a patch report that was run two months after patch management was put into place:
If you are part of an organization that could use a step in the right direction (or even a first step) with patch management, please feel free to contact us with an Area of interest of “Infrastructure” or “IT outsourcing” or call 800.274.3978 to get more information or something scheduled with a consultant.