The Patch Management Crisis and How to Solve It

Most end users, and even some IT pros, feel pretty safe if they have up-to-date anti-virus/antimalware, firewalls turned on, and complex passwords in place. This overlooks one of the biggest threats to your PC and network – poor or non-existent patching.

The vast majority of successful exploits are against unpatched machines, some 85% according to US-CERT, part of the US Department of Homeland Security.

Why is This So Bad?

While viruses can be a nuisance (and often worse) to unprotected machines, the kind of attacks aimed at unpatched machines can be far worse. These are targeted at doing real damage – stealing data, escalation of privilege, releasing bots, gaining deep entry into the network, and worse.

Some of these attacks are so broad that the corporate victim can’t avoid bad publicity, loss of reputation and even loss of income. Not to mention downtime and the costs of repair.

How Patch Hacking Works

Patches are by definition publicly released; otherwise users wouldn’t be able to install them. The patch itself fixes a vulnerability and, as a result, defines and then exposes that vulnerability. It usually takes hackers only 1-4 days to release an exploit attacking that hole, and knowing that millions of machines won’t be patched immediately, cyber attackers have a field day.

Why is Patching So Difficult? Does It Have to Be?

Patching is hard because there are so many PCs and servers spread about. That makes it hard to even find all the machines that need patching. Now add in all the different OSes and browsers, applications, and various states of update and you have a real problem. Mobile workers make it even worse. How can you patch an end user’s device if it’s off network?

There is also more software to patch. A decade or more ago, most patches were for Microsoft operating systems, browsers and applications. Microsoft released patches once a month on Patch Tuesday and there were also automated ways to fix Windows PCs and Servers.

That was then. Now the bigger problems are Java, Adobe tools such as Reader and Acrobat, and myriad other bits of third party software. These vendors, while offering patches, have a less rigorous approach than Microsoft, and fewer, less robust automated patching tools.

In fact, Java and Adobe Reader alone account for the majority of vulnerabilities, according to recent reports, with Microsoft accounting for far less than 10%. We’ve even seen times when Oracle released over 100 Java fixes in a single month.

Just by keeping Java and Adobe tools patched, you can get rid of over three-quarters of your vulnerabilities.

Meanwhile Apple’s QuickTime and iTunes are increasingly vulnerable, with most Windows users of these tools running out-of-date, unpatched versions.

The result of all these hassles? Only 36% of SMBs patch their machines, according to a Federation of Small Business survey out of the UK.

Ovum is one research house that has been sounding the patch alarm. “Customers may shy away from addressing regular patching or overdue software upgrades because they have concerns about price, time, or complexity. However, based on our conversations with customers, an ‘only as-needed’ approach to software support is short-sighted, and could expose customers to security and compliance risks, not to mention losses in employee productivity and business revenue,” wrote Ovum analyst John Madden in his report “Avoiding security risks with regular patching and support services.”

Gartner heartily agrees. “In the darkest woods of IT, patching third-party applications on a desktop remains a significant challenge for many organizations. Patching server OSs (Windows and Linux/UNIX) and third-party server applications also remains challenging due to fragility of many server environments. Add virtualization to the mix – and you have a full-blown slow-cooking disaster. And then you have Java…a security disaster in a league of its own,” wrote Gartner analyst Anton Chuvakin in a recent blog.

The Answer is Automated Patch Management

The good news is the answer is simple – keep your network and machines fully patched and updated.

How you choose to do so can be simple or hard. If you go the old manual route, there is a slim chance you’ll be able to identify all the needed patches on all the systems and get them installed properly.

Meanwhile you can spend your whole week trying.

The simpler, more complete route is to automate all steps in the patch process.

Ovum’s John Madden believes automation is the way customers want to go. “Once a customer has made a decision to initiate a regular software patching and maintenance program, what they want most is automated tools and support from their vendors to make such a program run as seamless as possible,” he wrote.

The first step in patch management is conducting an inventory of all your machines, even mobile devices. This asset management audit should include information on operating system and status, and all applications – with their patch and update status.

This inventory process should be regularly and easily repeatable so that new devices and software are quickly and automatically discovered – and patched.

Next, the tool should gather all needed patches and, based on policies and priorities you define, automatically install them. In some cases you may want to test a patch before deploying it, to avoid software conflicts; this should be automated as well, through acceptance testing and the ability to roll back.

Reporting is the Final Touch

The best way to know that your infrastructure is patched properly is through reporting. You should be able to easily see what patches are installed and how they are performing. At the same time, you should be able to spot at a glance which patches are missing. Even better, with good real-time monitoring tied to reporting, these reports aren’t just easy to create, they are always 100% up-to-date.

These reports aren’t just critical for security checks, but for ensuring compliance as well.
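The inventory-to-report flow described above, as an added example in Python (not Kaseya’s code or part of the original post): a constructed device inventory is compared against a constructed patch catalog under an assumed severity-based SLA policy, producing the per-device missing-patch report, with devices that have not checked in recently (the off-network laptop case) flagged as unknown rather than assumed patched. Device names, patch ids, versions and SLA values are all made up for the example.

```python
from collections import namedtuple
from datetime import date

# Assumed policy: days allowed between a patch's release and its installation, by severity.
SLA_DAYS = {"critical": 3, "important": 14, "moderate": 30}
RANK = {"critical": 0, "important": 1, "moderate": 2}
STALE_AFTER_DAYS = 7  # a device not inventoried for longer is reported as unknown, not assumed patched
# Device.installed maps software -> version; Device.applied holds patch ids already installed.
Device = namedtuple("Device", "name last_seen installed applied", defaults=[frozenset()])
Patch = namedtuple("Patch", "pid software fixed_in severity released")  # fixed_in: first fixed version

def version_key(v):
    """'11.0.10' -> (11, 0, 10) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def missing_patches(device, catalog, today):
    """Patches the device still needs, as (pid, severity, days past SLA), most urgent first."""
    needed = []
    for p in catalog:
        ver = device.installed.get(p.software)
        if ver is None or p.pid in device.applied:
            continue  # software not present, or patch already applied
        if version_key(ver) < version_key(p.fixed_in):
            overdue = (today - p.released).days - SLA_DAYS[p.severity]
            needed.append((p.pid, p.severity, max(overdue, 0)))
    return sorted(needed, key=lambda m: (RANK[m[1]], -m[2]))

def compliance_report(devices, catalog, today):
    """Map device name -> {'status': compliant|non-compliant|unknown, 'missing': [...]}."""
    report = {}
    for d in devices:
        missing = missing_patches(d, catalog, today)
        stale = (today - d.last_seen).days > STALE_AFTER_DAYS  # e.g. an off-network laptop
        status = "unknown" if stale else ("non-compliant" if missing else "compliant")
        report[d.name] = {"status": status, "missing": missing}
    return report

# Constructed sample inventory and catalog; device names, patch ids and versions are made up.
TODAY = date(2015, 3, 20)
CATALOG = [
    Patch("JAVA-001", "java", "8.0.40", "critical", date(2015, 3, 10)),
    Patch("RDR-002", "reader", "11.0.10", "important", date(2015, 3, 1)),
    Patch("QT-003", "quicktime", "7.7.6", "moderate", date(2015, 3, 15)),
]
DEVICES = [
    Device("ws-01", date(2015, 3, 19), {"java": "8.0.31", "reader": "11.0.9"}),
    Device("ws-02", date(2015, 3, 19), {"java": "8.0.40", "reader": "11.0.9"}, {"RDR-002"}),
    Device("laptop-03", date(2015, 3, 1), {"java": "7.0.75", "quicktime": "7.7.5"}),
]
```

Calling `compliance_report(DEVICES, CATALOG, TODAY)` yields the report; rerunning it after each inventory cycle is the "regularly repeatable" check the text calls for.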

Quick Guide to Patch Types

  • Critical Update: Patches for issues considered “critical” but not security related.
  • Hotfix: These are built to quickly fix problems, and can even be a patch for specific customers.
  • Hot Patch: A patch that can be installed without shutting down or restarting the system.
  • Patch: A fix for a specific software hole.
  • Service Pack: Microsoft is most known for Service Packs, which are batches of fixes with some new features released every six to 12 months. These Service Packs roll up previous hotfixes and updates.
  • Security Update: Fixes for security problems, a term used largely by Microsoft.
  • Update: Fixes for non-security problems.
  • Workarounds: These are quick fixes for a hole without installing a patch. Most often users are told to shut down the vulnerable function.

Let Kaseya Help

Kaseya understands the difficulties of patch management, and our Kaseya VSA solution fully automates every aspect of patch management, including:

  • Comprehensive Discovery and Audit to find all devices in the first place, as well as monitoring operating details (to know what needs to be patched)
  • Policy-based management and control of automated patch deployment, which you set up to control exactly which patches get deployed, as well as when and how, to match your business’ specific needs
  • Remote Management to access and patch all devices, including off-network devices sitting on an employee’s countertop. If laptops need to be powered on or powered off, VSA can automatically take those steps to ensure the patch is fully installed.
  • Real-time, comprehensive reports with drill-down and the extensive ability to use filters

Learn more about proper patch management with our piece on Patch Management Best Practices.

Don’t have time to read? Tune into our Eight Steps to Better Security Patch Management Webinar.

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.