The Patch Management Paradox
Most Internet attacks exploit known security vulnerabilities for which patches are already available. According to CERT (www.cert.org), most network intrusions can be avoided simply by keeping computer systems up-to-date with patches. Software flaws are a sad fact of life. While most vendors strive for high-quality, bug-free products, there remain all too many instances when a patch is required. Enter patch management software. Today’s products not only automate the patching process but also actively scan your systems for misconfigurations and security holes.
In these lean times, many companies find themselves understaffed. Yet administrators must still ensure that workstations and servers are patched correctly and on time. To make matters worse, they must apply patches quickly to minimize risk while testing and evaluating new ones to ensure they don’t adversely affect other elements of the network. An added burden: The patching process is often shared among several members of an organization’s IT department, who must work in tandem with fewer personnel and on a shoestring budget, which demands extensive coordination and communication. And if you attempt to keep your products up-to-date manually, you will quickly fall behind. The key to successful patch management is automation, and the following products can help with this onerous task.
One tool for this undertaking is the Microsoft Baseline Security Analyzer (MBSA), provided free of charge by Microsoft. Born out of Microsoft’s Strategic Technology Protection Program, MBSA was devised in response to the need for a more streamlined method of identifying common security misconfigurations in Microsoft products. MBSA scans Windows-based computers, checking the OS and other installed Microsoft components for security misconfigurations, missing hotfixes and recommended patches. To download a copy, visit http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx.
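To make the missing-hotfix part of such a scan concrete, here is a small PowerShell audit written for this article. It is an added example, not code from MBSA or any product named here: it reads the hotfixes each host reports as installed and compares them against a list of KB identifiers you require. The KB numbers, host names and the function name Test-RequiredHotFix are placeholders.

```powershell
# Added example (not MBSA's or any vendor's code): a minimal missing-hotfix audit
# of the kind a patch scanner automates. Get-HotFix returns the updates recorded
# in the host's Win32_QuickFixEngineering data; each required KB is reported as
# Installed or MISSING. The KB numbers used with it below are placeholders,
# not real updates; substitute the KBs from your own baseline.

function Test-RequiredHotFix {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine.
        [string[]] $ComputerName = @($env:COMPUTERNAME),

        # Required KB identifiers, e.g. 'KB1234567' (placeholder values).
        [Parameter(Mandatory)]
        [string[]] $RequiredKB
    )

    foreach ($computer in $ComputerName) {
        try {
            # Normalize to upper case so 'kb123' and 'KB123' compare equal.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                ForEach-Object { $_.HotFixID.ToUpperInvariant() }
        }
        catch {
            # An unreachable host is itself a finding: it cannot be shown to be patched.
            [pscustomobject]@{
                ComputerName = $computer
                HotFixID     = $null
                Status       = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($kb in $RequiredKB) {
            $kbNorm = $kb.ToUpperInvariant()
            [pscustomobject]@{
                ComputerName = $computer
                HotFixID     = $kbNorm
                Status       = if ($installed -contains $kbNorm) { 'Installed' } else { 'MISSING' }
            }
        }
    }
}

# Usage with placeholder hosts and KBs: show only the gaps, grouped by host.
# Test-RequiredHotFix -ComputerName 'srv01','wks17' -RequiredKB 'KB1111111','KB2222222' |
#     Where-Object Status -ne 'Installed' | Sort-Object ComputerName | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, Get-HotFix only reports what the OS's update database records, so patches for applications installed by other means, and updates that were superseded and rolled into a later one, are not reflected; that gap is precisely what the products discussed in this article fill. Second, an unreachable host is reported as a finding rather than silently skipped, because a machine you cannot query is a machine you cannot prove is patched.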
There are many third-party products available that not only automate the patch management process but also detect system misconfigurations, open ports and other potential security threats. One such product is GFI’s LANguard Network Security Scanner (www.gfi.com), which scans Windows-based networks for missing patches and service packs, both in the OS and in applications. Based on this information, the network manager can deploy the missing service packs and patches across the network.
Ecora’s Patch Manager (www.ecora.com) is another automated patch management solution. It has a short learning curve and an easy-to-use, intuitive interface, and it can examine and patch Microsoft-based workstations, servers and applications. Patch Manager can deploy service packs and hotfixes either interactively or on a schedule. In addition, it can break down scan results by host, application or patch for a quick snapshot of what needs to be resolved. If money is tight, Ecora also offers a free “lite” version of Patch Manager called, appropriately, PatchLite.
PatchLink is yet another automated patch management solution. One nice feature is that it provides cross-platform patch management for networks running a mix of operating systems: it can detect a wide range of security holes in your infrastructure and then lets you close them with a mouse click. For more information, visit www.patchlink.com.
It is important to remember that when vendors release software patches, they strive to strike a balance between security and stability. Unfortunately, patches don’t always work perfectly or consistently in every network environment. Ideally, every patch would be thoroughly tested before it is installed on the network. However, this is usually not feasible, because many security patches must be installed quickly to fix potentially serious problems. In a nutshell, real-world patch testing is a compromise between the need to solve a security issue quickly and the need to ensure that the patch is stable in your environment. In practice that compromise is a staged rollout: install the patch first on a small set of representative, non-critical systems, watch for breakage, then push it to the rest, keeping a way to uninstall the patch or restore the system if it misbehaves. A patch that closes a hole already being exploited gets a shorter test window; one with known side effects gets a longer one.
Douglas Schweitzer, A+, Network+, i-Net+, CIW, is an Internet security specialist and the author of “Securing the Network From Malicious Code” and “Incident Response: Computer Forensics Toolkit.” He can be reached at firstname.lastname@example.org.