What is your patch management strategy?

by David Lane

Conficker seems to be the theme of the week. So, with the crisis abated for the moment, I thought this would be a good opportunity to discuss an issue near and dear to my heart – patch management.

Conficker will probably go down in history as one of the great worms. Not because of the damage it did to systems, but because of the cycles that were spun by computers and people to make sure they were not going to be, or ensure they had not been, infected. In terms of effectiveness, I would argue that Conficker was very effective. If you want to put it on the list of April Fools jokes as well, go right ahead.

What lead to the chaos in many companies and some federal and state agencies, was a simple lack of a cohesive patch management strategy. Conficker was a Windows penetration, exploiting a number of known, unpatched holes in an operating system that has millions lines of code, many of which have not been fully reviewed. But this does not mean that Open Source or other operating systems are not vulnerable. As has been noted, Linux and other Open Source code has fewer errors per line of code but that does not mean a simple misunderstanding in coding or a simple slipped comma cannot lead to any number of holes in any operating system, which is why we patch code when errors are discovered. Yet a number of companies and people still do not apply these patches.

As someone who used to manage patches for a rather large ERP system, I can understand, to a limited degree, the argument that we cannot apply any patch until we understand what damage it can do. This is a fair position to have, but most of the executives and others that take this position fail to realize that without a fully staffed and funded test and development environment, it is impossible to test and evaluate every patch that comes down the line, commercial or open source. Even in boom times, this was not a realistic position to hold – especially for what I would term routine patches.

The problems begin to crop up when patches are not deployed in a timely manner. This includes, but is not limited to the critical security patches. As a consumer, it is my responsibility to keep on top of patches and the impact it would have on my applications. When you include databases, application servers and OS patches, the task of managing patches can quickly become overwhelming to the point where you can fall behind very easily if you are not patching in a routine, timely manner.

When we look at Conficker, we find that not only had a patch been released to close the hole, but the anti-malware vendors had also released signatures to detect and clean the infection if discovered. And while there were some last minute updating going on for a new variant discovered forty-eight hours before c day, there is almost no excuse why so many people spend so many cycles running around and patching their systems.

So, if you have not applied the latest security patches to your systems, go and do it. Or find out what the holdup is, but do get it done.