Managing Windows patches with ease

The early concept of patch management involved keeping a vigilant watch on any Microsoft update posted on its web site. But as the number of security exploits and vulnerabilities continue to grow exponentially — CERT’s security advisory team has reported a total of 3780 vulnerabilities last year — keeping an eye on Microsoft’s download site is simply not enough.

By Peter Branton. Published March 20, 2005

Introduction

According to the Aberdeen Group, software flaws are the biggest threat to security because they expose a corporate network to unauthorised access and attacks. The analyst firm estimates that companies spend more than US$2 billion a year to patch up network security flaws.

By nature, applications are not written perfectly. No matter how extensive a software company’s testing procedures are, they are bound to overlook glitches and fail to anticipate events that end users in real-life situations will encounter. To rectify these mistakes, vendors normally issue a software patch: a piece of code used to fix security holes or upgrade features of a particular application or operating system. Although not necessarily the best way to solve a problem, patches are issued to provide quick relief for any security problem that needs immediate attention.

“Anti-virus applications on their own are not enough; 90% of viruses use vulnerabilities in the operating system to get access to and exploit PCs,” says Samir Kirouani, technical manager, Trend Micro Middle East. “Patch management is that added layer of security that not just companies but also home users should look at to ensure that their systems are up-to-date and safe,” he adds.

On average, it takes around 30 minutes to apply a patch on one machine, but for a systems administrator responsible for hundreds of PCs and servers, the time spent applying patches to these systems can make it a full-time job in its own right. “Patch management is becoming a full-time job but it doesn’t need to be. By using software that centralises and automates the task of patch distribution, organisations will be able to effectively manage the distribution and make it part of the day-to-day business continuity strategy, rather than a panicked, reactive scramble against the virus,” says Sevag Kalaydjian, regional manager, Altiris Southern Europe, Middle East and Africa.

Kalaydjian describes patch management as “a security mechanism that addresses risks, covers those risks and implements risk management in any given network or operating system”. He says that in order to correctly patch systems and applications, a process needs to be in place that can explain what security is and how it can be addressed within the enterprise. “A patch management process and system is used to distribute and check patch installations and updates. It is part of a risk management plan aimed at reducing risks to an acceptable level established by any given enterprise,” Kalaydjian explains.

Patch management is not simply a matter of getting each patch and installing it on every system. True, companies should be kept informed about the latest patches through software advisories, but it does not follow that every patch should be applied to the network environment. An effective patch management method requires constant attention and care to identify and deploy the appropriate patches to the various systems, because applying a patch can sometimes introduce new problems and conflicts that affect the network or any system connected to it. Any change introduced to a system, including a patch, requires systematic testing before deployment, which adds critical time and lengthens the window during which the system is vulnerable. Spotting which patches need to be deployed will not only help administrators avoid wasting time installing unnecessary patches, but will also help avoid the adverse effects of installing untested ones.

“Simply downloading the patches is not the end of the story as there will be exceptions whereby a certain machine has to stay at a previous release due to the application running on it,” says Arvind Mehta, business development manager for Bindview’s Middle East operations at PrimaJava Softech. “This has to be a management decision to determine what gets included and what is left out. Equally, when updates occur, they should be scheduled to be the most effective without bringing down the system and every workstation requiring a reboot,” he adds.

Not secure

Also, it is important to understand that installing patches does not ensure a secure system. Patches are not risk-free; they are made publicly available to everyone, including hackers, who can probe them for security holes. In order to guarantee the security of an organisation’s network infrastructure, a comprehensive strategy in which patch management plays a crucial role must be put in place.

An effective patch management strategy should start with a proper assessment of a company’s existing IT assets. According to Vikram Suri, Symantec’s country manager for the Southern Gulf and Levant regions, a complete and accurate inventory of an enterprise’s IT resources can help locate the weak spots in a network set-up. “How do you stop a bullet that has already been fired? The only way to assure that your environment is secure is to ensure that it is a managed environment,” says Suri. “For example, if you don’t have auto-discovery and asset management tools installed in your environment, how can you determine which machines are connected to your network and what’s running on them? How can you detect rogue machines brought in by contractors or from home environments that aren’t properly configured according to your corporate policies?”

Once an administrator has a complete understanding of his company’s network set-up, he will be able to single out critical assets, find applicable patches for each system, prioritise deployment and monitor patch status. It will also help him select the third-party patch management tool that best addresses his requirements.

Effective deployment of security patches is necessary to protect system integrity and availability. Manual methods of addressing patch and configuration management are too costly and time consuming. As more servers, desktops and mobile notebooks are installed, systems administrators have to support a variety of IT devices, operating systems and applications, which makes manual patch management and deployment too complex to be effective or secure.

There are several vendors offering automated patch management tools that can deploy patches to multiple machines, even across the entire organisation, simultaneously. They feature various customisation and deployment options, such as patch scheduling based on location, type, ownership or role. They also have scanning features that can be programmed to run on a regular basis, and report-generating tools that can help manage networks more effectively. Symantec, Trend Micro, Altiris and BindView are some of the vendors that offer such automated patching products.

Symantec ON iPatch is a patch management and remediation solution designed to automate the patch management process. It does this by evaluating the current patch status of the systems connected to the network, identifying missing Microsoft security patches and installing the patches on individual computers, multiple computers or across an entire network simultaneously. The product is ideal for companies with between 50 and 2000 PCs, although Symantec is aiming it at SMBs running Windows-based networks only. The company is looking at supporting other operating systems in future versions of iPatch, as well as adding features that allow companies to test patches before deploying them. The iPatch technology was previously part of Symantec’s ON iCommand configuration management product, which is sold to large enterprises, but the company decided to make the patching tool a separate product to make it available to smaller companies. “By broadening our distribution strategy for Symantec ON iPatch, Symantec extends the benefits of this easy-to-use and affordable patch management solution to SMBs,” says Thom Bailey, director of product management, enterprise administration, Symantec. Symantec ON iPatch also features a reporting facility that supports a wide variety of filtering and export options for generating reports such as patch compliance reports.

Trend Micro Network VirusWall (NVW) is a family of outbreak prevention appliances designed to enforce security policies across an entire network environment or on single devices. “Among the numerous advantages of the NVW is that it has a centralised, web-based management console that deploys security updates automatically on an organisation’s PCs,” says Kirouani. “This saves time, avoids hassle and ensures peace of mind. Any computer that does not have adequate security in place is blocked by NVW, ensuring that all machines on the network are protected and not at risk from infection.”

Stop worms

NVW consists of three products: the NVW 2500, NVW 300 and NVW 1200. NVW 2500 and NVW 1200 both stop network worms and vulnerability exploits by enforcing security policies to block noncompliant devices from network access. They isolate infected network segments and automate remote cleanup in case of outbreaks. The NVW 2500 can protect up to 4,096 concurrent users, while the NVW 1200 can support up to 256 users. NVW 300, on the other hand, is designed to protect mission-critical devices, such as a bank’s ATMs, self-service kiosks or medical devices, from network worms and to clean up infections to keep worms from spreading. Because it is an appliance, NVW 300 can be deployed on any IP-enabled device without hardware or software incompatibility.

Altiris Patch Management Solution 6.0 is an automated patch discovery and distribution tool that downloads patches without administrator intervention and simplifies distribution policy management via a software update distribution wizard. It includes a repository containing information on each software bulletin, such as technical details, severity ratings and number of updates, and provides control over batched installations, rebooting and simplified selection of command-line options. Patch Management Solution 6.0 extends the capabilities of Patch Management 5.6 to include vulnerability assessment, patch tracking, and preparation and delivery of critical updates for third-party Windows applications, Unix/Linux operating systems and applications, and customer line-of-business applications.

BindView Patch Management is a scalable, closed-loop patch management solution for assessing, packaging and deploying the software updates required to close security holes on servers and workstations. It is fully integrated with BindView’s Vulnerability Management suite and features an agent-free architecture for the Windows environment. “Patch management is top of mind for many customers right now and we’re pleased to release a function-rich solution that can scale to the needs of the largest Microsoft environments,” says Arshad Matin, BindView’s executive vice president for product and technology operations. “BindView Patch Management equips customers with the technology, knowledge and processes needed to support a repeatable, closed-loop lifecycle for keeping servers and workstations up to date with the most current security patches.”

According to Kalaydjian, it is important to conduct a risk assessment study before selecting a third-party patch solution. By conducting a risk and threat study, a company will be able to gauge how much it can invest in a patch management tool.

Assessments

“The amount that any given company should invest is a result of a risk and threat assessment. This will state the amount of damage that could happen as a result of a given risk. The risk frequency will state how often a specific risk could happen and therefore give us a better view of what a budget for security measures could look like for any given risk,” Kalaydjian says.

There are several criteria to consider when evaluating packaged patch management tools, according to Kirouani. “There are several factors, but the top of the list would include simple deployment, ease of use and update frequency,” says Kirouani. At the minimum, vendors should update their products within 24 hours, Kirouani adds. Some companies test patches before endorsing them, while others repackage the patches to ensure better control over distribution and smooth deployment of non-Microsoft patches.

The way patches are deployed is also an important consideration. Some products automatically deploy patches after a scan is made; others have scheduling schemes for both scans and deployments. Others use Qchain, a Microsoft tool that enables a single reboot for multiple patch installations. As most patches come from Microsoft, it is also important that the patch management tool supports Microsoft’s update-rollback feature, which can prove useful when uninstalling patches. At the same time, make sure that it supports Microsoft Office deployments and single deployment of multiple patch upgrades. “It is important to look for wide support of a variety of operating systems to enable efficient patching on all platforms in the organisation without the headache of managing and learning multiple products and consoles,” adds Suri.

Although companies can use vendor alerts to keep informed of vulnerabilities affecting the products in their infrastructure, this can be very time consuming and may not be an efficient use of IT staff’s time, says Suri. Instead, he recommends the use of centralised, vendor-neutral alert programs. “Symantec’s DeepSight solution can provide updates and advice to companies of threats and vulnerabilities as they happen, ranked in priority according to threat to the company’s infrastructure,” he adds.

Mehta suggests that companies with limited budgets should look for an agent-free product. “They should go for a product that can run automatically without any agents to be rolled out in all workstations, can download relevant patches, package and distribute them without serious overheads involved, and has the option to roll back from a central management console,” he says.

As long as there are vulnerabilities in systems, patches are here to stay. Fortunately, more and more companies are realising the importance of patch management as a core component of their security strategy. But, in the end, patch management tools can only do so much. It is up to the administrators and the end users to follow a string of sensible security measures to ensure that their network environments are well protected.
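The process the article lays out (inventory the estate, work out which patches apply to each system, honour management-approved exceptions such as a machine that must stay at a previous release, prioritise deployment by severity and asset criticality, and report patch status) can be expressed as a small closed-loop evaluation. The following is an added example written for this page; it is not code from the article or from any of the vendors named above. All hosts, bulletin identifiers (the "KB-EX-nnn" values are placeholders) and severities are constructed sample data, and the supersedence handling goes slightly beyond the text: a bulletin counts as satisfied when a later bulletin that replaces it is installed, which is how vendor catalogues actually behave.

```python
"""Closed-loop patch-status evaluation over a constructed host inventory.

Added example for the patch-management process described in the article.
Every host, bulletin id and rating below is made up for illustration.
"""
from dataclasses import dataclass

# Vendor severity ratings mapped to a numeric rank for prioritisation.
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}


@dataclass(frozen=True)
class Bulletin:
    kb: str                  # placeholder bulletin id, e.g. "KB-EX-001"
    severity: str            # vendor severity rating
    products: frozenset      # products the bulletin applies to
    supersedes: frozenset = frozenset()  # older bulletins this one replaces


@dataclass(frozen=True)
class Host:
    name: str
    products: frozenset      # what the asset inventory says is installed
    installed: frozenset     # bulletin ids already applied
    criticality: int         # 1 (low) .. 3 (mission critical)


# Constructed sample catalogue (placeholder ids, not real bulletins).
CATALOG = {
    "KB-EX-001": Bulletin("KB-EX-001", "important", frozenset({"os"})),
    "KB-EX-002": Bulletin("KB-EX-002", "critical", frozenset({"os"})),
    "KB-EX-003": Bulletin("KB-EX-003", "critical", frozenset({"os"}),
                          supersedes=frozenset({"KB-EX-001"})),
    "KB-EX-004": Bulletin("KB-EX-004", "moderate", frozenset({"office"})),
}

# Constructed inventory: a critical file server, a desktop, a legacy app server.
HOSTS = [
    Host("fileserver01", frozenset({"os"}), frozenset({"KB-EX-001"}), 3),
    Host("desk-017", frozenset({"os", "office"}),
         frozenset({"KB-EX-003", "KB-EX-002"}), 1),
    Host("legacyapp02", frozenset({"os"}), frozenset({"KB-EX-003"}), 3),
]

# Management decision recorded per host: which bulletins are withheld and why.
EXCEPTIONS = {
    "legacyapp02": {"KB-EX-002": "vendor application certified only on the pre-patch build"},
}


def applies(bulletin, host):
    """A bulletin is relevant when it targets a product the host runs."""
    return bool(bulletin.products & host.products)


def satisfied(bulletin, host, catalog):
    """Installed directly, or covered by an installed bulletin that supersedes it."""
    if bulletin.kb in host.installed:
        return True
    return any(bulletin.kb in b.supersedes
               for b in catalog.values() if b.kb in host.installed)


def missing_patches(host, catalog, exceptions):
    """Return (to_deploy, withheld): applicable bulletins that are absent,
    split into those to roll out and those deliberately excepted."""
    to_deploy, withheld = [], []
    excepted_kbs = exceptions.get(host.name, {})
    for b in catalog.values():
        if not applies(b, host) or satisfied(b, host, catalog):
            continue
        (withheld if b.kb in excepted_kbs else to_deploy).append(b.kb)
    return sorted(to_deploy), sorted(withheld)


def deployment_queue(hosts, catalog, exceptions):
    """Rank outstanding work by severity x asset criticality, highest first."""
    queue = []
    for h in hosts:
        to_deploy, _ = missing_patches(h, catalog, exceptions)
        for kb in to_deploy:
            score = SEVERITY_RANK[catalog[kb].severity] * h.criticality
            queue.append((score, h.name, kb))
    return sorted(queue, key=lambda t: (-t[0], t[1], t[2]))


def compliance_report(hosts, catalog, exceptions):
    """Per-host status: a host is compliant when nothing is left to deploy;
    withheld bulletins are listed so the exception stays visible in reports."""
    report = {}
    for h in hosts:
        to_deploy, withheld = missing_patches(h, catalog, exceptions)
        report[h.name] = {"missing": to_deploy, "excepted": withheld,
                          "compliant": not to_deploy}
    return report


if __name__ == "__main__":
    for score, name, kb in deployment_queue(HOSTS, CATALOG, EXCEPTIONS):
        print(f"{score:2d}  {name:14s} {kb}")
    for name, row in compliance_report(HOSTS, CATALOG, EXCEPTIONS).items():
        print(name, row)
```

Running it puts the two critical bulletins for the mission-critical file server at the top of the queue, leaves the desktop's moderate Office update last, and reports the legacy application server as compliant while still listing the withheld bulletin, so the exception Mehta describes remains a visible, reviewable decision rather than a silent gap.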
