Patch management: A preventive process


Michael Gregg
01.19.2005


Patch management can sometimes seem like a never-ending job. Virulent code, such as Code Red, Nimda, Nachi, SoBig, Blaster and Slammer, has hammered networks over the last several years. Code Red infected more than 700,000 computers in just the first few months after its discovery. What's worse is that, for many of these malicious programs, patches were available long before the exploit code was released. Small and medium-sized businesses have been especially hard hit because of their size and lack of staffing.

Patch management is not going to disappear. I'm sorry to say, I'm not going to introduce a magical patch management tool here. Instead, I'm proposing a patch management process.

Now, I wish I could tell you that the patch management process is going to be free; not so. While there is a price tag, keep in mind that it is far less than the cost of inaction. Most studies clearly demonstrate that the cost of being reactive is much higher than the cost of being proactive.

The first step in the patch management process is to develop a complete network inventory. Basically, you are going to need to build a list of which systems run which software. This may take some time, but the results will be worth it.

Next, you will need to implement a change control policy, because an inventory list does no good if you can't track and control changes to your network. Then you will be ready to begin monitoring for new vulnerabilities and patches that are available for the inventory you've identified.

If possible, you will want to test these patches. Part of the patch management process should be to develop a well-defined deployment process. If you don't have the money to support a lab, you should at least try to duplicate mission-critical processes. When and where the patches are deployed should be recorded in your inventory control system.
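The inventory, monitoring and deployment-recording steps above can be sketched in a few lines. This is an added example, not code from the article: the host names, product names, versions and advisory ids are constructed, and version strings are assumed to be dotted integers.

```python
from datetime import date

# Constructed inventory (step 1): host -> {product: installed version}.
INVENTORY = {
    "web01": {"examplehttpd": "2.4.9", "exampledb": "5.1.0"},
    "web02": {"examplehttpd": "2.4.12"},
    "db01": {"exampledb": "5.0.7"},
}

# Constructed advisories (step 3): (placeholder id, product, first fixed version).
ADVISORIES = [
    ("ADV-EXAMPLE-1", "examplehttpd", "2.4.10"),
    ("ADV-EXAMPLE-2", "exampledb", "5.1.0"),
]


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10); compared as strings, '2.4.12' sorts below '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(inventory, advisories):
    """Return sorted (host, product, installed, advisory id) for hosts below the fixed version."""
    findings = []
    for host, software in inventory.items():
        for ident, product, fixed in advisories:
            installed = software.get(product)
            if installed and parse_version(installed) < parse_version(fixed):
                findings.append((host, product, installed, ident))
    return sorted(findings)


def record_deployment(inventory, change_log, host, product, new_version, when):
    """Log a deployment and update the inventory; reject software the inventory does not list."""
    if product not in inventory.get(host, {}):
        raise KeyError(f"{product} on {host} is not in the inventory")
    change_log.append({"date": when.isoformat(), "host": host, "product": product,
                       "from": inventory[host][product], "to": new_version})
    inventory[host][product] = new_version


if __name__ == "__main__":
    log = []
    for host, product, installed, ident in missing_patches(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} needs the fix from {ident}")
    record_deployment(INVENTORY, log, "db01", "exampledb", "5.1.0", date(2005, 1, 19))
    print(missing_patches(INVENTORY, ADVISORIES), log)
```

Rejecting deployments for software the inventory does not list is what ties the change control step to the inventory: an unlisted system surfaces as an error instead of silently drifting out of the patch report.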

Another useful item you will need to get your patch management process off to a good start is a list of sites that you can use to review the latest vulnerabilities. Several sites worth checking out are Microsoft, Mitre, CERT and NIST. Software tools can also be used to help manage patch deployment. Some of the vendors that develop such tools include Big Fix, Computer Associates, ConfigureSoft, IBM, Microsoft, Shavlik Technologies, and St. Bernard Software.

A patch management process will definitely save you money in the long term. Viruses, worms and malicious code can strike an organization of any size and bring mission-critical processes to their knees. It is not a question of if; it is just a question of when. Can your SMB really afford that type of downtime?


Michael Gregg has been involved in IT and network security for over 15 years. His current responsibilities include performing security assessments and evaluations for corporate and government entities. He has served as the developer of high-level security classes, contributed to several books and study guides, and has taught classes for many Fortune 500 companies.


All Rights Reserved, Copyright 2007 - 2009, TechTarget