Patch Management, the necessary evil
Before joining the Windows iX IT PRO Security team I spent my last 11 years working in the enterprise support field, where 5 were at Microsoft CSS (former PSS). During the Conficker outbreak I was in Oklahoma for New Years Eve 2008/2009 (which BTW is pretty cool) and while I was there I wrote this post about blocking Conficker proliferation via ISA Server. Six months later I kept hearing comments from the IR (Incident Response) folks about getting new cases related to Conficker. I remember talking to one of those guys and hearing from him that some companies were without patches for years. We are not talking about small offices; I’m talking about enterprise level type of company with thousands of workstations and hundreds of servers - unpatched.
While it is hard to believe that this type of practice still happening, today reading this article I got the confirmation that Conficker didn’t teach the full lesson to everybody. Unfortunately the reality is that there are still many servers and workstations (regardless of the OS) unpatched out there. In other hand, it is also very good to see that people are warning about that in many ways, such as with an article like this: “Patch Management Crucial to Defend Against Cyber-Attacks: Report” that explains how important it is to patch and beyond that, how important it is to make sure all platforms are patched. The article has a great statement, that says:
“While Windows vulnerabilities receive wide attention, Norman security experts also warned that IT administrators in enterprises, government and small to midsize businesses (SMBs) should focus on patch management involving all major operating systems, including Microsoft Windows, Linux, Mac OS, Sun Solaris and HP.”
If you don’t know where to start on patch management subject for your Microsoft platform or if you want to review if you patch management strategy is correct, go ahead and download the Microsoft Security Update Guide, Second Edition – this is a great source of information about this subject.
Stay safe!
Comments
Anonymous
January 01, 2003
Thanks for your perspective on this. The only problem with this approach (don’t enforce patch management and don’t have AV) is that you are exposed to risks that sometimes you don’t even know. What if confidential information were leaked during the time that the AV was out of date or the machine was unpatched? Can you measure the damage? Did he really save money for the company in this case? There are risks that are not included in this scenario’s calculation that are key to define the true value of the final damage. In any case, thanks for sharing your ideas.Anonymous
May 07, 2011
I will give you a different (although IMHO interesting) point of view: Feb.2010. Mid-to-large company: -3800 workstations, 250 servers. With no antivirus at all, and NO patching policy...every person decided the patching policy for his/her workstation. In Feb.2010 they acquired a new IS Manager, and in the same month we acquired the company as our client; one of our first job was to deploy an enterprise antivirus to all workstations and servers. During the Conficker outbreak, which spread in that company in March 2010 (before starting our antivirus deployment) all the servers and workstations were infected.... the domain controllers, the exchange servers, the SQL servers, everything... we manually cleaned up everything in about 4 weeks. At the end of cleaning and deploying the AV, when everything was back to normal, the new IS Manager, dropped a phone call to the old IS Manager to make a summary of events, and to tell him "hey man! see what your stupid missing policy about AV and Patches did". The OLD IS manager answer was quite surprising: "Hey there, tell me: how much did it cost the outbreak for the company?... ok now, calculate how much you would have spent in AV licenses renewal in the last 10 years and in manging patches for all workstations... and now tell me... which costed the most?... I'll tell you! The company saved money thanks to me".... no comment (and the sad thing is that... maybe he is true)