How would you prioritize the need to update Cisco routers? For instance, a recent patch release addressed a flaw that could enable denial-of-service attacks. Since a worst-case scenario wouldn't involve a malicious code execution, is there less urgency in applying this type of update?
Ask the Expert
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
It's my opinion that if there's an issue with a device and the vendor has taken the time to remediate the vulnerability with a patch, it should be applied. Although there are times when certain patches don't need to be applied right away, they should all be considered for production in a timely manner.
For those who have experienced a denial-of-service (DoS) attack, this might be a prudent patch to install with a high level of urgency. On the other hand, those who don't see DoS attacks as a significant concern or have multiple layers of security in place might decide to wait, since it might not be worth the downtime or potential disruption to business activities.
Remember, it's always important to pursue sound risk management principles in the context of patch management. Perhaps the most important way to limit patching risk is by testing patches in a QA environment before pushing them out to production devices. I personally wouldn't want to patch something that wasn't first tested in a lab to consider potential production issues, especially on any device that runs Cisco IOS and is likely crucial to the functionality of the overall enterprise network. Not wanting to patch something because you don't think the vulnerability will affect your company, however, is a mindset that needs to be altered.
If you're a company that has to uphold regulatory compliance standards, there might be times when you're being mandated to apply patches; if the company is that far behind, this patch is probably worth considering.
If you're not going to administer this patch, there's a chance that there are more that are also not on the radar to get patched. This can lead to a slippery slope of complacency. A convenient method to remedy this situation is to create a policy that applies these types of patches on a recurring basis -- say every month -- making sure to first review whether they've had issues. This way, you can knock out a few first and not have to be the first trying out this patch, and yet still get it applied.
This was first published in March 2013