Managing Your Patch Management
Articles and Tips:
01 Jan 2006
In the first two quarters of 2005 alone, more than 3,780 software vulnerabilities were reported, leaving a wide range of system components and software open to risks. With popular operating systems most often the key target of worm and virus writers, the majority of businesses are left open to attacks. For example, the August print spooler flaw identified by the monthly Microsoft security update (a.k.a. Microsoft's Patch Tuesday) left businesses that were running Windows Server vulnerable to losing complete control of the infected system, as an exploit would then have free range to view, change or delete data; or create new accounts with full user rights.
The emergence of the Zotob worm just five days after the August security update, which exploited the MS05039 vulnerability in Windows 2000, sent the message that the time scale for applying patches has been dramatically reduced, because hackers have become quicker at churning out malicious code and collaborating on the development of multiple variants of an exploit.
In an October 2004 article on SearchSecurity.com, Mark Brunelli wrote, "Microsoft's flurry of security bulletins this week made October the busiest month on record and has undoubtedly sent thousands of administrators scrambling to test and deploy fixes for some serious flaws that could quickly be exploited by worm writers."
"Microsoft issued 10 security bulletins Tuesday, 7 of them critical. The bulletins aim to patch a total of 22 newly discovered vulnerabilities--a new record for the software maker's monthly Patch Tuesday program, according to a Microsoft spokesperson. The vulnerabilities include holes that an attacker could use to cause a denial of service, view sensitive data or launch malicious code."
Novell ZENworks Patch Management closes those security holes before hacking, compliance or infringement issues can jeopardize your infrastructure. Available for Windows, Linux, NetWare, Macintosh, AIX, Solaris HP-UX and more, ZENworks Patch Management allows you to quickly determine what patches are right for your organization and automatically apply them across your enterprise.
So why aren't businesses catching on to patch and vulnerability management? The bottom line is that many IT teams think they don't have the resources, or time for that matter, to implement the relevant patches and ensure that each one has been deployed across an entire network successfully. They're still thinking in the old school of manual implementation to different servers and desktops. ZENworks Patch Management now makes the entire process a lot easier, and virtually pain free, freeing up your IT staff for those more important projects.
Best Practices Approach
For your business to get a grip on patching, you must first assess the possible risk areas of your network. You must know what the potential vulnerabilities are, where they are and how important it is to your business that they are fixed. This means you'll need an in-depth study of all your company's IT assets. When you know what systems you have and where they are within your network, you can check the vulnerability status in each piece of firmware and software.
It's also important to establish which network systems are mission critical, which should be patched first and which need constant patch maintenance. As an example, some retailers might not apply patches in November and December because these months are the busiest times of the year and the risk of downtime caused by new software is unacceptable. Applying patches carries a risk, and if the patch has not been tested effectively, you could get a disruption to your business services. Applying a patch that does not suit the environment could result in a critical server failure, or at a minimum, possible loss of critical data.
For most businesses, even those with ZENworks Patch Management in place, patching everything straight away is not an option. New vendor patches have been known to induce instability in software and operating systems, so the maintenance should be bitesized so your IT staff doesn't get overwhelmed with the task of deploying monthly updates. The IT team must be able to cope with the work in progress and have the capacity to address any issues that arise during the patching process.
Therefore, you need to prioritize the deployment of patches across your network. The most direct approach is to deal first with the systems that are most prone to attack or hacking, such as e-commerce systems, e-mail systems and critical business applications. Then move down the food chain to non-critical systems. It's important to factor in timing for maintenance, too. For example, you should ideally patch systems used by office staff after hours.
Patch Deployment
The best practices-based approach employs an iterative test-then-deploy cycle that you execute against an increasingly large or critical set of servers or desktops. Manually deploying patches will be much more costly and most likely won't properly mitigate the risk of unpatched systems.
ZENworks Patch Management fills this hole; staged deployments are essential, based on your user-defined groups versus other technologies that require an all-or-nothing approach. ZENworks Patch Management allows you to implement testing and take full advantage of accelerated and automated deployments; however, testing of each patch is absolutely vital.
Automatically triggered security patches are not desirable or even recommended. Products that offer the all-or-nothing approach are very risky and you should avoid them. Even the most reputable vendors don't test their very best patches in every environment. They simply can't re-create every possible operating environment with the literal thousands of variables. The only time when automatic patch enforcement should be used is if your organization maintains a security baseline of known working patches.
Relying on any tool that automates business decisions is risky; however, relying on manual testing and patching processes puts you at even greater risk. Staged testing can lessen the risks of automated patching. But as we all know, there are almost no options to mitigate the risks associated with not patching.
A best-practices approach uses automated tools with user input, such as ZENworks Patch Management; whoever "owns" the systems ultimately makes the final decision on when and how patches are deployed. Temporary isolation of the system might be your only effective mitigation technique if a mission-critical system, for example, a payroll server, doesn't accept your newly deployed patches.
Integrated Strategy
A patch management solution that centralizes and automates the task of distribution and application allows you to make patching an integral part of your overall security management strategy. This alleviates the management-initiated panic reaction to address the latest vulnerabilities or piece of malware, which could lead to a time-consuming and ineffective scramble for a solution.
Providing a unified view for managing all products in an integrated security console enhances your administrative productivity for you and your IT teams, as well as lessens the overall complexity and costs associated with patch remediation.
Dedicated patch and vulnerability management software and services take away the burden of patch deployment and management--if you choose the right solution. Some patch and vulnerability management solution vendors also test and authenticate patches before making them available; Novell is one of those vendors and that helps reduce your IT workload even more.
Conclusion
If your organization invests in complex and expensive network systems, you've probably found that they can be rendered useless if you don't effectively manage something as simple as patching. Hackers continue to use worms, viruses and spyware to exploit known vulnerabilities on unpatched systems. It usually results in costly network downtime and wastes considerable administrative time and money to repair.
Moreover, as the trend continues in enterprise networking for the convergence of voice, video and data onto a single network, the implications of downtime due to a compromised network become more far-reaching. Unpatched critical applications, such as telephony, are now vulnerable to malicious attacks with potentially disastrous consequences for your organization's data, let alone the negative effect on your staff's productivity.
Patching is, of course, only one element of a good, overall security program. But ZENworks Patch Management will make a pivotal contribution to reducing the myriad of vulnerabilities and their resulting exploits. It also helps to resolve issues arising from spyware and malware. By establishing the correct procedures and processes for patch management, companies can ensure they are less likely to fall victim to network attacks. To learn more about ZENworks Patch Management, visit novell.com/products/zenworks/patchmanagement/index.html.
* Originally published in Novell Connection Magazine
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.