Patch Tuesday is nearly upon us again. October's record onslaught of 10 Microsoft bulletins -- seven of them ranked critical -- to patch 22 flaws caused many security managers to drop everything and rush to patch. But how can you determine just how critical an update is for your organization?
Determining what to patch and when is one of the most problematic issues facing enterprises. An expert panel at the recent Information Security Decisions conference in Chicago said the ever-diminishing window of time between a vulnerability's announcement and an exploit's release makes it crucial to analyze and patch the areas most likely to be attacked first.
"I always urge folks to rate the patches themselves," said Eric Schultze, chief security architect at Roseville, Minn.-based Shavlik Technologies. "Patches are often rated arbitrarily.
"Is a 'critical' patch critical to your organization?" asked Schultze. "Look at the risk involved." For example, a denial of service is ranked as a low-level threat by Microsoft, but could be critical to an online bank, he said.
Jesse Horowitz, the technology manager at financial giant Wells Fargo, said a generic rating system is almost impossible to use because business impacts are different for every company and in different industries. He suggests assessing the business worth of the system and creating a detailed inventory so you know what is vulnerable and where it is. Also, "if an exploit in the wild has a high business impact, we would rush to apply the patch without the normal testing."
Knowing where those vulnerable systems are being used plays an important role, but, cautioned Schultze, keep in mind that desktops and Web servers are equally vulnerable to a remote exploit.
A word of caution: Don't assume your patches are properly applied. Schultze recommends looking at the patch file to verify that it's on your system. "Sometimes patches get overwritten," he said.
Added Horowitz: "Always test your system to make sure the vulnerability is actually remediated [by the patch]."