What is your patch management strategy?
Conficker seems to be the theme of the week. So, with the crisis abated for the moment, I thought this would be a good opportunity to discuss an issue near and dear to my heart – patch management.
Conficker will probably go down in history as one of the great worms. Not because of the damage it did to systems, but because of the cycles that were spun by computers and people to make sure they were not going to be, or ensure they had not been, infected. In terms of effectiveness, I would argue that Conficker was very effective. If you want to put it on the list of April Fools jokes as well, go right ahead.
What lead to the chaos in many companies and some federal and state agencies, was a simple lack of a cohesive patch management strategy. Conficker was a Windows penetration, exploiting a number of known, unpatched holes in an operating system that has millions lines of code, many of which have not been fully reviewed. But this does not mean that Open Source or other operating systems are not vulnerable. As has been noted, Linux and other Open Source code has fewer errors per line of code but that does not mean a simple misunderstanding in coding or a simple slipped comma cannot lead to any number of holes in any operating system, which is why we patch code when errors are discovered. Yet a number of companies and people still do not apply these patches.
As someone who used to manage patches for a rather large ERP system, I can understand, to a limited degree, the argument that we cannot apply any patch until we understand what damage it can do. This is a fair position to have, but most of the executives and others that take this position fail to realize that without a fully staffed and funded test and development environment, it is impossible to test and evaluate every patch that comes down the line, commercial or open source. Even in boom times, this was not a realistic position to hold – especially for what I would term routine patches.
The problems begin to crop up when patches are not deployed in a timely manner. This includes, but is not limited to the critical security patches. As a consumer, it is my responsibility to keep on top of patches and the impact it would have on my applications. When you include databases, application servers and OS patches, the task of managing patches can quickly become overwhelming to the point where you can fall behind very easily if you are not patching in a routine, timely manner.
When we look at Conficker, we find that not only had a patch been released to close the hole, but the anti-malware vendors had also released signatures to detect and clean the infection if discovered. And while there were some last minute updating going on for a new variant discovered forty-eight hours before c day, there is almost no excuse why so many people spend so many cycles running around and patching their systems.
So, if you have not applied the latest security patches to your systems, go and do it. Or find out what the holdup is, but do get it done.
|Alice, the Turtle of the Modern Age||Mar 07, 2014|
|Using Django and MongoDB to Build a Blog||Mar 05, 2014|
|What virtualization solution do you use/manage at work?||Mar 04, 2014|
|Our Assignment||Mar 04, 2014|
|March 2014 Issue of Linux Journal: 20 Years of Linux Journal||Mar 03, 2014|
|Have Resume - Will Travel||Feb 28, 2014|
- Alice, the Turtle of the Modern Age
- Using Django and MongoDB to Build a Blog
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Sign Up to Win a Silicon Mechanics Swag Pack!
- Zato—Agile ESB, SOA, REST and Cloud Integrations in Python
- Our Assignment
- You have to be careful there
1 week 3 days ago
- Wonder when LJ is going to
1 week 4 days ago
- Puerto Rico Free Software
1 week 5 days ago
1 week 6 days ago
- I hate voice commands
2 weeks 5 hours ago
- usabilty --- AGAIN with this nonsense
2 weeks 6 hours ago
- Don't make excuses
2 weeks 10 hours ago
- Sorry to let you know, but
2 weeks 11 hours ago
- Ridiculous statement. Not a
2 weeks 1 day ago
2 weeks 1 day ago