Archive for March, 2011

Security patch management policy enforcement

Any time you hear a story of a business experiencing a widespread virus outbreak, you have to wonder if they have an adequate security patch management policy in effect, and if they are adhering to it. A virus scanner is a first line of defense against viral infections, but it certainly is not infallible. There are viruses that are capable of disabling antivirus software, and until new virus definition files are distributed, there is a window of opportunity for a virus to take advantage of the opening and spread across a network. These viruses also take advantage of unfixed security holes on the machines that they invade. All OS software has vulnerabilities, and as they are discovered, they are closed off to attack by security patches that are released periodically by the operating system manufacturer.

A security patch management policy is a process in place to ensure that security patches are delivered to workstations and servers as a requirement for their use. A security patch management policy generally states that any computer in use on the network must be updated to the latest patch level that is available. The security patch management procedure can vary in its execution. In some situations, the security patch management policy may simply require each user to have their computer configured to poll for new updates and install them as they become available.

In other cases, usually in larger enterprises, there is a security patch management system in place that forces the machines to accept updates, either pulled from an internal server or pushed to them, and requires no user intervention. These security patch management systems can be configured to override the user and prevent them from disabling the installation of updates. This is the most secure, certain way of enforcing security patch management, as it avoids a scenario where some computers may not be receiving updates. A security patch management policy has to be enforced to maintain its effectiveness.

What Kind of Patch Management Best Practice Should You Employ?

When it comes to patch management best practice methods, most of them simply boil down to automation and vigilance. Since hackers, viruses, and other cyber maladies pop up and multiply constantly, patch management best practice number one should be downloading and installing an automatic patch management program, designed to immediately install and apply any new security patches or updates to a given computerized device as soon as they become available. However, while this particular patch management best practice is of paramount importance in thwarting troublesome cyber attacks, it should be noted that not every patch management program is a one size fits all solution.

This brings us to patch management best practice number two, which is ensuring compatibility between any patch management software you download and the devices it is to be used with. To apply this patch management best practice to everyday life, simply enter the exact operating system and version of the device in question into a search engine query, as well as the phrase "automatic patch management software reviews". Look over as many reviews of such software as possible, and pay especially close attention to the opinions of reputable software and technology outlets.

Patch management best practice number three is simply applying the previous two steps to any computerized device, whether it be a traditional computer or a smartphone, on a given network. The old cliche about a chain only being as strong as its weakest link is rarely truer than when it is applied to network security, as one infected device can potentially compromise the entire network and the information on it within minutes. Always make sure that any internet enabled device you have is well protected with compatible software, and the integrity of your network should be excellent for a long time to come.

Automatic and manual installation of patches

Part of secure computer life is living with patches. Patches are those annoying notices that you get from your OS about once a month that always want to reboot the computer on you after they install. If you let the patches install themselves every time you are prompted, then you are definitely doing your part to keep your computer secure. However, those operating system patches are not the only ones you need to be concerned about. There are patches for just about every piece of software on your computer. Many programs will automatically seek out these patches and notify you of when they are ready to be downloaded or installed, but many do not.

There are many cases where you might need to seek out patches by yourself and download and install them. Some applications do not possess an agent that runs on your system and checks for patches. Or, the updater agent may have been disabled on some or all programs that use one either by you, or by a corporate standard if your computer was imaged by an IT department. This might take place if there are a lot of different software suites installed on the computer and the cumulative effect of multiple agents running simultaneously could be crippling to system performance.

If you have programs that you know are provided updates by their manufacturer, then you would have to go to the web site of that company and seek out the patches, usually in the support area under a patches, updates, downloads or similarly named section of the site. These patches would then be downloaded locally to your computer, and then executed as you would any other program. If a compatible application is present, the patches will perform the update they were designed to provide and thus reduce the risk of the application being attacked by a worm or other similar hack.

Increased dependence on patches in a corporate environment

Installing patches is a simple task, not requiring any special skills or knowledge to execute proper updates. For the home user, entrusting the installation of patches to the operating system is the most common practice and is how the manufacturer of the software intends that a computer be updated when used for personal use. In the business world, patches take on a different level of critical importance. There are networks in a larger company, filled with computers that can be a breeding ground for certain types of viral infection and corporate networks are also prime candidates for hacker attacks. These facts make the need for patches to be reliably and quickly installed to all company machines a highly critical task for the IT personnel charged with that responsibility.

Allowing computers, even a few, to fall behind on their security patches exposes those computers to great risk, especially if those computers are connected to or exposed to the internet in any way. Patches correct holes in the code of the software on a computer that can allow attackers to execute programs on a target computer. The programs executed are not ones that are accessories to the operating system, but rather programs that are downloaded to the computer and will give the hacker up to complete control over your system, possibly even logging each keystroke and other extremely sensitive information entered into and stored on the computer.

This underscores the absolute need for IT professionals to control the distribution of patches to the computers in their system, and this requires the use of a patching solution above and beyond the inherent update service on the computer. The options for another solution to push patches should be well researched, and a method for deploying patches should be established that can provide detailed reporting on each computer updated, as well as alerting an administrator when a deployment of patches to a machine fails.

Various options for patch management

There are various ways of handling server and desktop computer patch management scenarios, some of which require no involvement from an IT perspective and others that will require a bit of work to put into place. The hands-off scenario is the method of controlling patch management that involves activating the setting within the operating system to download and install patches without prompting the user to do so. The patch management process happens in the background as the user operates the computer, and will only prompt them if a reboot is necessary to complete the installation.

Other options will require server hardware and a development process to design and implement a server-based patch management system that will handle the updates irrespective of the local settings of the built-in patch management update program on a computer. One of the main benefits of putting the effort into creating a patch management server is the ability to approve patches before they are distributed. In most cases, all patches will need to be distributed, but in rare cases a patch may cause a known issue with some applications and holding it back from deployment may be desirable.

Also of benefit are the tracking capabilities inherent to a patch management server solution. Unlike leaving updates to the computers themselves, a dedicated server will not only ensure that updates are being properly pushed, it will also log all actions and errors for your review, allowing issues to be brought to your attention before they precipitate a critical problem. Allowing computers to perform updates on their own lacks any accountability for the patch management process and leaves much of the security of the process to hope. When it comes to critical security measures, having a solid understanding of the state of your computers is the foundation of a secure desktop environment.
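
The approval and tracking functions described above, shown as an added Python example that is not part of the original article. The host names, patch IDs and log record format are constructed for illustration and do not correspond to any particular patch management product.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical patch IDs and host names.
RELEASED = {"P-101", "P-102", "P-103"}
HELD_BACK = {"P-103"}            # known to break an application, so not approved
APPROVED = RELEASED - HELD_BACK  # only approved patches count toward compliance

INVENTORY = ["ws-01", "ws-02", "srv-01", "ws-03"]
NOW = datetime(2011, 3, 10)

# One record per deployment attempt, as a patch server might log it.
DEPLOY_LOG = [
    {"host": "ws-01",  "patch": "P-101", "status": "ok",     "time": "2011-03-08T02:10"},
    {"host": "ws-01",  "patch": "P-102", "status": "ok",     "time": "2011-03-08T02:12"},
    {"host": "ws-02",  "patch": "P-101", "status": "ok",     "time": "2011-03-08T02:15"},
    {"host": "ws-02",  "patch": "P-102", "status": "failed", "time": "2011-03-08T02:17"},
    {"host": "srv-01", "patch": "P-101", "status": "failed", "time": "2011-03-08T03:00"},
    {"host": "srv-01", "patch": "P-101", "status": "ok",     "time": "2011-03-09T03:00"},
    {"host": "srv-01", "patch": "P-102", "status": "ok",     "time": "2011-03-09T03:05"},
]

def compliance_report(inventory, approved, log, now, max_silence=timedelta(days=7)):
    """Return {host: {"missing": set, "failed": set, "stale": bool}}."""
    report = {}
    for host in inventory:
        entries = [e for e in log if e["host"] == host]
        installed = {e["patch"] for e in entries if e["status"] == "ok"}
        # A failure followed by a successful retry is no longer a failure.
        failed = {e["patch"] for e in entries if e["status"] == "failed"} - installed
        last_seen = max((datetime.fromisoformat(e["time"]) for e in entries), default=None)
        report[host] = {
            "missing": approved - installed,
            "failed": failed & approved,
            # A host that never reports is the case self-updating cannot reveal.
            "stale": last_seen is None or now - last_seen > max_silence,
        }
    return report

def alerts(report):
    """Hosts an administrator should review, each with a single reason."""
    out = []
    for host, r in sorted(report.items()):
        if r["failed"]:
            out.append((host, "deployment failed: " + ", ".join(sorted(r["failed"]))))
        elif r["stale"]:
            out.append((host, "no report from host"))
        elif r["missing"]:
            out.append((host, "pending: " + ", ".join(sorted(r["missing"]))))
    return out
```

Calling `alerts(compliance_report(INVENTORY, APPROVED, DEPLOY_LOG, NOW))` lists only the machines that need attention; the held-back patch never appears as missing because it was not approved.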
