IT managers can take days to apply even the most critical patches
In a year that has seen a consistent pattern of patching on the monthly Patch Tuesday, I thought it would be interesting to see how this is affecting the sector.
Patching is an effort for any business or user, and 2010 has seen a recurring pattern of heavier and lighter monthly loads. Looking at the last four months, for example: May had two patches; this was followed by ten in June, back down to four in July, and now 14 announced for today in August.
There have been out-of-band releases, such as the patch released last week for the Windows shortcut vulnerability, but what has influenced such a pattern? I spoke with Greg Lambert, technology director of ChangeBASE, who commented that Microsoft would have worked hard in July to get patches developed so it can have an easier time in August. He predicted that September will see two or three patches, as less time is spent in development during August.
ChangeBASE is an automated application compatibility testing and remediation company. Its software helps to identify the issues that migrating to a new operating system or virtualised platform might cause for an organisation, and also identifies how to fix those issues.
Among its testing processes is an analysis of Microsoft's Patch Tuesday, which identifies any issues (including security vulnerabilities) that it may cause to an organisation's infrastructure.
Lambert told me of an incident where a patch was applied without consideration for its impact and a trading floor was wiped out. He said: “We helped with the question of: will a patch change anything on the application, or is there anything that the application is depending on?
“Our system takes two to three hours to propagate an email workaround and within a few hours we have a full impact analysis. It states what needs to be tested and what to inspect more.”
He commented that ChangeBASE is finding that people apply patches up to two weeks after Patch Tuesday, and that no one will apply anything immediately tomorrow.
“When there are three to four patches we will find that it will take a week to deploy the patches; Microsoft also changes things in the background and that will take a week to two weeks,” he said.
This intrigued me, as surely once a patch has been released it is applied straight away so that systems are secure and vulnerabilities are covered. Or is it a much more complex process than that?
I asked Alan Bentley, SVP international at Lumension, about the claims that patches can often take days, or even weeks, to be applied. He commented that it really depends on a company's change control mechanism, as a large organisation in a server environment will need to analyse and evaluate the risk of remaining unpatched.
He said: “We are seeing risk in an environment without doing proper checks and changes are often greater than a key vulnerability remaining unpatched for a period of time.
“If a company has the technology to deliver an automated patch to deal with a vulnerable application and test correctly, the balance is between secure operations and releasing requirements. It is a security requirement to understand a vulnerability and be in a position to understand risk, and the operations team test the impact that a piece of software will have.”
Certainly a revelation to this writer, but I guess it makes sense to know what you are working with and to be sure that what you are applying is both legitimate and will not crash your system.
Lambert commented that ChangeBASE sees big organisations such as financial services companies that do not use off-the-shelf applications, and are entirely dependent on their own. He said: “No one knows about the RBS internal applications other than RBS. We load the applications into the database and get a measure of the security value so we know the impact. If you have a massive issue you have to make a decision, and adding 14 more tasks to a big issue.”
So this moves things into a discussion on best practice when it comes to patching. Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, said: “What you don't find in any regulatory guidance or any court cases is any statement of law that patching is a legal requirement. It does not exist anywhere. It is right that we should not face a technical failure because of security; from a legal perspective it is an issue that has not been determined.”
What interests me is that the headlines on patching only take up one week every month, but it is a challenge constantly faced by IT administrators. How you do it is up to you, but not doing it at all can be devastating.