What is your patch management strategy?
Conficker seems to be the theme of the week. So, with the crisis abated for the moment, I thought this would be a good opportunity to discuss an issue near and dear to my heart – patch management.
Conficker will probably go down in history as one of the great worms. Not because of the damage it did to systems, but because of the cycles that were spun by computers and people to make sure they were not going to be, or ensure they had not been, infected. In terms of effectiveness, I would argue that Conficker was very effective. If you want to put it on the list of April Fools jokes as well, go right ahead.
What lead to the chaos in many companies and some federal and state agencies, was a simple lack of a cohesive patch management strategy. Conficker was a Windows penetration, exploiting a number of known, unpatched holes in an operating system that has millions lines of code, many of which have not been fully reviewed. But this does not mean that Open Source or other operating systems are not vulnerable. As has been noted, Linux and other Open Source code has fewer errors per line of code but that does not mean a simple misunderstanding in coding or a simple slipped comma cannot lead to any number of holes in any operating system, which is why we patch code when errors are discovered. Yet a number of companies and people still do not apply these patches.
As someone who used to manage patches for a rather large ERP system, I can understand, to a limited degree, the argument that we cannot apply any patch until we understand what damage it can do. This is a fair position to have, but most of the executives and others that take this position fail to realize that without a fully staffed and funded test and development environment, it is impossible to test and evaluate every patch that comes down the line, commercial or open source. Even in boom times, this was not a realistic position to hold – especially for what I would term routine patches.
The problems begin to crop up when patches are not deployed in a timely manner. This includes, but is not limited to the critical security patches. As a consumer, it is my responsibility to keep on top of patches and the impact it would have on my applications. When you include databases, application servers and OS patches, the task of managing patches can quickly become overwhelming to the point where you can fall behind very easily if you are not patching in a routine, timely manner.
When we look at Conficker, we find that not only had a patch been released to close the hole, but the anti-malware vendors had also released signatures to detect and clean the infection if discovered. And while there were some last minute updating going on for a new variant discovered forty-eight hours before c day, there is almost no excuse why so many people spend so many cycles running around and patching their systems.
So, if you have not applied the latest security patches to your systems, go and do it. Or find out what the holdup is, but do get it done.
- The Tiny Internet Project, Part I
- Machine Learning with Python
- SUSECON 2016: Where Technology Reigns Supreme
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Free Today: September Issue of Linux Journal (Retail value: $5.99)
- Bitcoin on Amazon! Sort of...
- Android Browser Security--What You Haven't Been Told
- Securing the Programmer
- The Many Paths to a Solution
Pick up any e-commerce web or mobile app today, and you’ll be holding a mashup of interconnected applications and services from a variety of different providers. For instance, when you connect to Amazon’s e-commerce app, cookies, tags and pixels that are monitored by solutions like Exact Target, BazaarVoice, Bing, Shopzilla, Liveramp and Google Tag Manager track every action you take. You’re presented with special offers and coupons based on your viewing and buying patterns. If you find something you want for your birthday, a third party manages your wish list, which you can share through multiple social- media outlets or email to a friend. When you select something to buy, you find yourself presented with similar items as kind suggestions. And when you finally check out, you’re offered the ability to pay with promo codes, gifts cards, PayPal or a variety of credit cards.Get the Guide