
Threat management: Assessing patch rankings

By Shawna McAlearney, News Editor
28 Oct 2004 | SearchSecurity.com


Patch Tuesday is nearly upon us again. October's record onslaught of 10 Microsoft bulletins -- seven of them ranked critical -- to patch 22 flaws caused many security managers to drop everything and rush to patch. But how can you determine just how critical an update is for your organization?

Determining what to patch and when is one of the most problematic issues facing enterprises. An expert panel at the recent Information Security Decisions conference in Chicago said the ever-diminishing window of time between a vulnerability's announcement and an exploit's release makes it crucial to analyze and patch the areas most likely to be attacked first.

"I always urge folks to rate the patches themselves," said Eric Schultze, chief security architect at Roseville, Minn.-based Shavlik Technologies. "Patches are often rated arbitrarily.

"Is a 'critical' patch critical to your organization?" asked Schultze. "Look at the risk involved." For example, a denial of service is ranked as a low-level threat by Microsoft, but could be critical to an online bank, he said.

Jesse Horowitz, the technology manager at financial giant Wells Fargo, said a generic rating system is almost impossible to use because business impacts are different for every company and in different industries. He suggests assessing the business worth of the system and creating a detailed inventory so you know what is vulnerable and where it is. Also, "if an exploit in the wild has a high business impact, we would rush to apply the patch without the normal testing."

Knowing where those vulnerable systems are being used plays an important role, but, cautioned Schultze, keep in mind that desktops and Web servers are equally vulnerable to a remote exploit.

A word of caution: Don't assume your patches are properly applied. Schultze recommends looking at the patch file to verify that it's on your system. "Sometimes patches get overwritten," he said.

Added Horowitz: "Always test your system to make sure the vulnerability is actually remediated [by the patch]."
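
The panel's advice (re-rate each vendor bulletin against your own inventory and business impact, and fast-track a patch when an in-the-wild exploit meets high business impact) can be expressed as a small triage routine. This is an added example, not code from the article or the panelists; the 1-4 scoring scale, the `business_worth >= 3` threshold, and every asset and bulletin name are assumptions constructed for illustration.

```python
from dataclasses import dataclass

VENDOR_SCORE = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    business_worth: int           # 1 = expendable .. 4 = revenue-critical (owner-assigned)
    availability_critical: bool   # an outage is itself a business loss
    software: frozenset

@dataclass(frozen=True)
class Bulletin:
    ident: str
    vendor_rating: str            # the vendor's generic label
    impact: str                   # "rce", "dos" or "info"
    affects: str
    exploit_in_wild: bool = False

def assess(bulletin, asset):
    """Return a work item for one bulletin on one asset, or None if not affected."""
    if bulletin.affects not in asset.software:
        return None
    severity = VENDOR_SCORE[bulletin.vendor_rating]
    # A denial of service the vendor calls low is critical where uptime is the business.
    if bulletin.impact == "dos" and asset.availability_critical:
        severity = VENDOR_SCORE["critical"]
    high_impact = asset.business_worth >= 3   # assumed threshold for "high business impact"
    return {
        "bulletin": bulletin.ident,
        "asset": asset.name,
        "priority": severity * asset.business_worth,           # 1..16
        "expedite": bulletin.exploit_in_wild and high_impact,  # skip the normal test cycle
    }

def patch_queue(bulletins, inventory):
    """Expedited items first, then by locally assessed priority."""
    items = [w for b in bulletins for a in inventory if (w := assess(b, a))]
    return sorted(items, key=lambda w: (w["expedite"], w["priority"]), reverse=True)

# Constructed inventory and bulletins; names and ids are placeholders.
INVENTORY = [
    Asset("online-banking-web", 4, True, frozenset({"webserver"})),
    Asset("hr-desktop", 2, False, frozenset({"browser", "mailclient"})),
    Asset("lab-web", 1, False, frozenset({"webserver"})),
]
BULLETINS = [
    Bulletin("BULLETIN-A", "low", "dos", "webserver"),
    Bulletin("BULLETIN-B", "critical", "rce", "browser"),
    Bulletin("BULLETIN-C", "important", "rce", "webserver", exploit_in_wild=True),
]
```

In this constructed data the vendor-rated "low" denial of service outranks the vendor-rated "critical" desktop flaw once it lands on the banking server, and only the exploited bulletin on that server is flagged for expedited deployment.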
