Patching IT Up
Security patches can be likened to a roof kept in good repair: Better to prevent a security lapse than to have to repair the damage later. Generally, an effective patch management program requires monitoring software vulnerabilities and identifying which available patches apply to your environment.
A patch is a piece of code added to an executable program, usually either as a fix for a discovered program flaw or to supplement the functionality of a program. Because new patches are released so often, the challenge of staying abreast and patching workstations and servers in a timely fashion is becoming nigh impossible. The dreary truth: Patch management is an essential part of every organization’s information security program and requires substantial time and effort. Nevertheless, such investment is less expensive in the long run than having to repair the results of damage after the fact.
There is a misconception among some network administrators that because their organizations utilize anti-virus software and firewalls, timely patching isn’t as critical. Not true. Because firewalls are usually configured to permit some traffic to pass through, the risk of compromise remains. According to CERT, more than 90 percent of network intrusions could be avoided by keeping systems up to date.
Those who attempt to stay au courant of security patches manually may find themselves falling behind quickly. This is even more likely on heterogeneous networks using a mix of operating system platforms. There are a number of third-party tools available to help streamline the process. Available as a free download (www.microsoft.com/downloads/), the Microsoft Baseline Security Analyzer (MBSA) helps to simplify the patch-management process for those who use Microsoft products. Capable of running on Windows Server 2003, Windows 2000 and Windows XP systems, MBSA will scan for common security misconfigurations in numerous Microsoft products. In addition, it will detect and repair missing security updates (e.g., hot-fixes and service packs) for Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, as well as many other Microsoft products—including Office, Content Management Server, Commerce Server, Host Integration Server and BizTalk Server.
A relative newcomer to the patch-management fray, Marimba Inc. offers another tool: its patch-management solution automates the collection of patch information from the vendors of the software products you use and then helps stage and package the patches for distribution across the network. In addition, Marimba’s solution will determine which patches are applicable to your computer environment by using Marimba’s built-in inventory and auditing capability, then manage the installation and reboot sequence for targeted machines. Visit www.marimba.com/products/solutions/patch-mgmt.html for more information.
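The inventory-driven step that the tools above perform (match each host's platform and installed products against a patch catalog, skip what is already installed, and let a newer patch supersede an older one) is shown here as an added example in plain Python; it is not code from this article or from any vendor named in it, and the patch identifiers, platforms and host inventory are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    id: str                # constructed placeholder id, not a real vendor patch id
    product: str           # product the patch is for
    platforms: frozenset   # OS platforms the patch applies to
    supersedes: frozenset = frozenset()  # earlier patch ids this one replaces

@dataclass(frozen=True)
class Host:
    name: str
    platform: str
    products: frozenset    # products found by inventory
    installed: frozenset   # patch ids already present on the host

def missing_patches(host: Host, catalog: list) -> list:
    """Ids of catalog patches the host still needs, in catalog order.

    A patch is needed only if it matches the host's platform and an
    inventoried product, is not installed, and is not superseded by
    another applicable patch (the newer one covers it)."""
    applicable = [p for p in catalog
                  if host.platform in p.platforms and p.product in host.products]
    superseded = set()
    for p in applicable:
        superseded |= p.supersedes
    return [p.id for p in applicable
            if p.id not in host.installed and p.id not in superseded]

def patch_report(hosts: list, catalog: list) -> dict:
    """Map each host name to its missing patch ids (empty list = up to date)."""
    return {h.name: missing_patches(h, catalog) for h in hosts}

# Constructed sample catalog and inventory for a mixed-platform network.
CATALOG = [
    Patch("OS-001", "Windows", frozenset({"Windows XP", "Windows 2000"})),
    Patch("OS-002", "Windows", frozenset({"Windows XP", "Windows 2000"}),
          supersedes=frozenset({"OS-001"})),
    Patch("OS-003", "Windows", frozenset({"Windows Server 2003"})),
    Patch("OFF-001", "Office", frozenset({"Windows XP", "Windows Server 2003"})),
]
HOSTS = [
    Host("ws1", "Windows XP", frozenset({"Windows", "Office"}), frozenset({"OS-001"})),
    Host("srv1", "Windows Server 2003", frozenset({"Windows"}), frozenset({"OS-003"})),
]

if __name__ == "__main__":
    for name, needed in patch_report(HOSTS, CATALOG).items():
        print(f"{name}: {', '.join(needed) if needed else 'up to date'}")
```

Note that ws1 still needs OS-002 even though it has the older OS-001 installed, while a host with only OS-002 installed would not be flagged for OS-001.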
Another company offering a comprehensive patch-management solution is GFI Software LTD. (See Figure 1.) According to GFI, the LANguard N.S.S. “scans your entire network, IP by IP, and provides information such as service pack level of the machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups and more.”
Figure 1: GFI LANguard N.S.S.
There are dozens of other products available—all of which are very capable of handling this important task. Some popular vendors that offer automated patch-management solutions include:
- Configuresoft (www.configuresoft.com)
- PatchLink (www.patchlink.com)
- Shavlik Technologies (www.shavlik.com)
- St. Bernard Software (www.stbernard.com)
- Ecora (www.ecora.com/ecora)
- BigFix (www.bigfix.com)
Timely patching is paramount to computer security. By using an automated patch-management solution, the patch-management process is more streamlined and less burdensome—letting you focus on other important areas of network security.
Douglas Schweitzer, A+, Network+, i-Net+, CIW, is an Internet security specialist and the author of “Securing the Network from Malicious Code” and “Incident Response: Computer Forensics Toolkit.” He can be reached at firstname.lastname@example.org.