When I go to companies and ask them if they have a patch management policy the answer is always yes. They are required to patch desktops (Windows) on a monthly basis, usually after Microsoft "Patch Tuesday". Then the servers typically get a quarterly patch window. However, the policy usually states this, but the procedures do not always uphold this. And well, patches for Microsoft are essential, but they are not the whole picture. There are non-Microsoft based servers and all of the networking devices that also need to be reviewed.
Having WSUS (Windows Service Update Services) is a great method to push out the standard Microsoft patches, but it does not patch the other applications that are on the Windows systems. There are many other common applications that run on Windows that will not get patched on a regular basis. This is due to not having a good method in place to test them, to patch them, to deploy those patches to them. Applications such as Adobe Reader, Winzip / WinRAR, RealPlayer and many, many more. These too have issues that arise from time to time and need to have a method added to the procedures.
SEVERS
There are several companies that come to mind that will make patching a much simpler process. Companies like PatchLink and BigFix will alert that a patch is available and be able to install it. This alerts when say RealPlayer has an update and allows the user to click on update. The admin can still administer it and not allow the end-user to install the updates, but it still allows a company to patch systems with non-OS updates. This is so important as OS vulnerabilities are not the only way to penetrate a system or network.
Now I touched on a sensitive subject a few sentences ago - allowing the user to decide to install. There are typically settings where a patch can be pushed to the system, can be downloaded by the user, or can be pushed and installed on the system. A delayed reboot can be set for times in the future so an end-user is not going to lose any data, they should be prepared for the reboot. It's not important who decides when to put the patch on, the important thing is that the patch was installed.
When it comes to networking devices, there are routers, switches, firewalls, IDS's, VPN severs and "A-A-A" devices. All of these ensure that packets get sent, stopped, analyzed, and kept intact. It only makes sense that a SysAdmin or Network Administrator would want to keep them up to date and operating well. To do this they too need to be maintained.
Only patching the MS machines and not worrying about the UNIX patches, the application updates, and the networking updates is like changing the oil in the car (yes, it must be done). But then ignoring adding gas to the tank and air to the tires. Again, yes, the oil does need to be changed to keep the engine running, but if the tires aren't rotated and aired properly then the ride won't be nearly as smooth.
A patch policy is absolutely necessary. A security admin can't hold the network and sysadmins responsible to a policy if it does not exist. But that policy needs to be an all encompassing policy that goes beyond Windows.
Patch Management SEVERS
No comments:
Post a Comment