
The Problem with Patching Is – Not Patching!

on July 30, 2013

Patching is not something that the IT department really enjoys doing. It is complicated and ongoing. It takes forever and it doesn’t add any actual business value.

Meanwhile you have myriad systems to patch, and endless patches to test and then install. Then you have to do it all over again. And again. And again.

No wonder a recent study by the UK-based Federation of Small Businesses shows that little more than a third (36%) of small shops patch regularly. Then these shops wonder why they got compromised, or blame their software vendors, especially Microsoft® – a common security punching bag!

Patching, well, patching properly, solves the majority of security problems. In fact 90% of successful exploits are against unpatched systems.

Even environments that should presumably be highly secure too often fail to patch. Last year an audit at the U.S. Department of Energy found that some 60% of their desktops lacked important patches.

Unpatched systems are so vulnerable because most hackers are lazy. Script kiddies are among the laziest – they take existing exploits, maybe tweak a few lines, and release them as their own creations. And because the script worked before, chances are it will again. Most tech-savvy people these days can become successful hackers if proper defenses – like patching – aren’t mounted.

Patches offer another shortcut, and a main artery right into the heart of your computers. There are two ways this works. The worst is when some security researcher looking for a headline finds and then blabs about an exploit that the software maker is then forced to quickly patch. This is an alarm for hackers to devise and mount attacks against this vulnerability.

The second is a patch that is released to fix a hole that only the vendor really knows about.

Either way the patch defines the hole and acts as a blueprint for a hack attack. Even though the hole is presumably fixed by the patch, it is only fixed for those that install the patch.

Unfortunately many never patch (that crazy 36% again) and even those that do don’t always fix holes immediately due to time constraints and the need to test patches for conflicts.

Patching Microsoft Isn’t Enough

Microsoft, for all the knocks it takes, is pretty darn good at handling patches, and actually a bit of a role model. The company is open about its problems, and on the second Tuesday of every month, Patch Tuesday, it publicly releases its fixes. It even gives a heads-up as to what’s coming.

And it has a decent free tool, Windows Server Update Services (WSUS), to install these patches – think of this as Windows Update on steroids. That’s why Microsoft patches are the most commonly and regularly installed.

But when was the last time you came across an all-Microsoft shop? These days Firefox, Adobe Web tools, and even Oracle® all have more patches than a pair of old hippy pants. In June alone Oracle released fixes for 40 holes in Java. And most of these holes allow attacks that bypass user names and passwords. In April Oracle fixed 128 holes in its applications, middleware and database. Still think Microsoft is all you have to worry about?

Gartner is all worked up about this problem:

“In the darkest woods of IT, patching 3rd party application on a desktop remains a significant challenge for many organizations. Patching server OSs (Windows and Linux/UNIX) and 3rd party server applications also remains challenging due to fragility of many server environments. Add virtualization to the mix – and you have a full-blown slow-cooking disaster. And then you have Java…a security disaster in a league of its own,” wrote Gartner analyst Anton Chuvakin in a recent blog. “Java, Adobe Reader and Flash, Firefox, Oracle fat clients as well as many vertical and business-specific applications are often patched MUCH later than Windows and Office.”

BYOD only makes this all worse. These days you have to patch anything and everything. And fix these holes before the hackers jump in!

If patches are the hackers’ best roadmap, shouldn’t patching be a top priority?

WSUS is not enough. You need a broader tool that embraces multiple platforms and automates patch testing and deployment as much as possible.

In today’s world of distributed enterprises, mobile workers, BYOD and telecommuting, you need to keep remote, off-network machines patched. You simply can’t have IT travel to update all these devices or ask end users to patch the machines themselves. Here a cloud patch management tool is the perfect answer.

See for yourself how easy it is to keep your servers, PCs and laptops up-to-date, with a free 30-day trial of GFI Cloud™. Whether your users are in the office, on the road or working from home, GFI Cloud is the easy way to keep their devices patched, secure and running efficiently, from one central console.

 

About the Author:

Jackie has 28 years’ experience in customer-facing B2B roles encompassing Product Marketing, Product Management, Sales, Account Management and Customer Service both in Software and Financial Services.

 
Comments
Craig Kelly, August 2, 2013, 6:45 pm

Great article,

With patching I find the question is where do you draw the line? As you suggest new patches come out daily for some software components. Do you patch daily, monthly, 6 monthly? The answer I think is dependent on the infrastructure component / software itself, however it can be hard to get agreement for what these timescales should be. Particularly if a major issue is caused by a bug that would have been solved with the latest patch.

Thanks for the post, enjoyed reading it.

 
Jackie Wake, August 6, 2013, 12:14 pm

You raise some good points Craig…

In terms of best practice, we recommend checking for missing patches once per day, with deployment scheduled once per week, unless a patch is critical.

Of course, it always pays to be on the lookout for the most popular applications, as these are the ones most exploited – Microsoft patches, Java, Adobe Flash Player and Reader and major web browsers.

This is the best practice our tool, GFI Cloud, supports :-)