Smaller organizations with limited IT budgets may not be able to afford the same expensive, automated patching systems that their larger competitors use. But they don't have to get stuck with hole-ridden desktops and servers either.
Security experts say that smaller firms can easily keep all of their systems updated with the latest fixes simply by following a few best practices, by seeking out free patch resources, and by investing IT funding wisely.
"There are established best practices for patching," said Jeff Graham, a product manager with St. Bernard Software Inc., a patch management vendor in San Diego. "Those would be finding all the machines on the network, researching the patches, and testing the patches in a characteristic environment."
More best patching practices
Jon Oltsik, a senior security analyst at the Strategy Group in Milford, Mass., explained that companies with fewer than 15 employees should be able to get by without a dedicated IT staff to handle the patching process. For companies bigger than that, the rule of thumb is to employ one IT person for every 15 users.
Oltsik said that the best option for the smallest companies – those with no IT staff – is to find an employee with some technical knowledge who can regularly take some time to sit down at each desktop in the office and download the latest patches from Microsoft's Web site.
But while this manual approach is fine for tiny companies, Oltsik said it's far too time-consuming to try at larger SMBs where the issue of patching is significantly more complex. Larger SMBs are generally forced to spend at least some money to automate the scanning process and/or remotely control their patching process, he said.
Oltsik suggests that SMBs with a little money to spend look at Trend Micro's PC-CILLIN 2005, or a similar Internet security software suite. At a cost of about $50 per desktop, PC-CILLIN scans PCs and warns users when vulnerabilities pop up. It also gives those in charge of patching the ability to manage all PC-CILLIN clients from one central location.
When it comes to patching servers, the security analyst stresses the importance of testing configurations before implementing any new fix. This is especially true for companies that want to avoid breaking any "homegrown" applications.
"You want to create a test bed where you emulate your operational environment," Oltsik said. "You have to be pretty thorough about this every time there is a new patch, which creates some operational problems, but you have to do it."
Additionally, experts warn, before rolling out patches across the enterprise, make sure you have a "rollback plan" in case applications break unexpectedly. In other words, SMBs need to read the instructions, so to speak, and understand how to uninstall patches that lead to problems.
"Most patches now contain uninstall information and they back up the old files when they install," said St. Bernard's Graham. "So you can uninstall most of the new patches pretty safely."
The most important thing for SMBs to remember is to never ever let users patch their own machines, Oltsik said, because failing to prohibit such behavior will most certainly lead to crashed computers, broken applications and wasted time.
Jason Riggs, an associate product manager who also works for St. Bernard Software Inc., agreed that it's important to implement and enforce solid policies for who handles patches.
"Patching, if you do it ad hoc, can really wreak some havoc," he said.
Online patching resources
Staying on top of the ever-growing mountain of security updates can be daunting. But don't worry. There are loads of free patching resources online that are designed to assist SMBs in this endeavor.
"There are some products out there that you can do patching with manually for free," Riggs said. "But as far as reporting and making sure things are in conformance, they don't give you a lot of information on that."
One of the most popular pieces of patching freeware is Microsoft Software Update Services (SUS). Microsoft SUS server is a free patch management tool designed to aid network administrators in the deployment of security updates. It's eventually expected to be replaced with Windows Update Services (WUS), which is now in beta.
Microsoft SUS server, a version of Windows Update that users can run on their networks, connects to Windows Update on the back end and provides notification of critical updates as well as automatic distribution of those updates to workstations and servers. SUS does not deploy service packs or patches to applications software such as Office, Exchange or SQL.
"The free tool that is available from Microsoft only does the OS," said Graham. "It doesn't do validation or reporting, and you don't actually do machine discovery; you just kind of lay this stuff out there and hope that all the machines get it."
Free trial versions of patch management software can be found on the Web sites of patch management vendors like Shavlik Technologies, LLC and Ecora Software Corporation. Remember, though, these are for-profit vendors who are ultimately trying to sell software packages.
Folks looking for up-to-date information about the latest patches to various operating systems and applications should stop by PatchManagement.org and sign up for the group's mailing list.
A final piece of advice came from Strategy's Oltsik, who stressed that it is extremely important for SMBs to clearly document whatever patching policies and procedures they implement.
"You also need a policy that says when you'll patch immediately and when you won't," Oltsik said. "Otherwise, if it's left to discretion, there will always be a time when it bites you in the ass."
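Two of the gaps described above, the missing validation and reporting that Graham attributes to the free Microsoft tool, and the written "patch now versus patch later" policy Oltsik calls for, can be covered with a small script of your own. The following Python is an added example, not code from the article or from any vendor named in it. The host inventory, the patch list and the policy thresholds are constructed for illustration; a real deployment would read the inventory from a discovery scan and the installed-update list from each machine, and would write down whatever thresholds its own policy document states.

```python
"""Patch compliance report plus a written patch-timing policy (added example).

Assumptions (constructed for illustration, not from the article):
  - INVENTORY is the list of machines a network discovery scan found.
  - Each host's `installed` set is what an update export reports as applied.
  - A patch may only be scheduled after it passed the test bed and has a
    documented rollback (uninstall) path, as the article advises.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str        # "critical", "important", "moderate" or "low"
    tested: bool         # passed a run in the test-bed environment
    has_rollback: bool   # uninstall information / backup of old files exists


@dataclass
class Host:
    name: str
    role: str            # "server" or "workstation"
    internet_facing: bool
    installed: set = field(default_factory=set)


# Constructed sample data: four discovered hosts and three required patches.
INVENTORY = [
    Host("dc01", "server", False, {"KB000001", "KB000002"}),
    Host("web01", "server", True, {"KB000001"}),
    Host("ws-alice", "workstation", False, {"KB000001", "KB000002"}),
    Host("ws-bob", "workstation", False, set()),
]
REQUIRED = [
    Patch("KB000001", "critical", True, True),
    Patch("KB000002", "important", True, True),
    Patch("KB000003", "critical", False, True),   # not yet through the test bed
]


def missing_patches(hosts, required):
    """Return {hostname: [patch_id, ...]} for hosts lacking a required patch.

    This is the validation step the article says the free tool does not do:
    compare what was pushed with what the machines actually report."""
    report = {}
    for host in hosts:
        missing = [p.patch_id for p in required if p.patch_id not in host.installed]
        if missing:
            report[host.name] = missing
    return report


def schedule(patch, host):
    """Apply a written policy for when a patch goes out to a given host.

    Rules (assumed policy, stated here so it is not left to discretion):
      - untested patch, or no rollback plan: hold
      - critical severity on an internet-facing host: immediate
      - critical elsewhere, or important on a server: next maintenance window
      - anything else: regular monthly cycle"""
    if not patch.tested:
        return "hold: untested"
    if not patch.has_rollback:
        return "hold: no rollback plan"
    if patch.severity == "critical" and host.internet_facing:
        return "immediate"
    if patch.severity == "critical" or (patch.severity == "important" and host.role == "server"):
        return "maintenance-window"
    return "monthly"


def action_plan(hosts, required):
    """Combine the compliance report with the policy into a per-host plan."""
    by_id = {p.patch_id: p for p in required}
    hosts_by_name = {h.name: h for h in hosts}
    plan = {}
    for name, ids in missing_patches(hosts, required).items():
        plan[name] = {pid: schedule(by_id[pid], hosts_by_name[name]) for pid in ids}
    return plan


if __name__ == "__main__":
    for name, actions in sorted(action_plan(INVENTORY, REQUIRED).items()):
        for pid, decision in actions.items():
            print(f"{name:10} {pid}  ->  {decision}")
```

Running the script lists only the machines that still lack something, which is the report a small shop needs before anyone is allowed to call a rollout finished. The policy function is deliberately boring: every branch corresponds to a sentence that should already exist in the written patching policy, so if a decision cannot be expressed there it should not be made ad hoc on a Friday afternoon either.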