Is patch mgmt. the best protection against vulnerabilities? Yes

Face-off By Eric Schultze, Network World
March 29, 2004 12:10 AM ET

Patch management is the optimal solution for protecting computers against known software flaws for which vendor patches exist. Third-party products that attempt to address these flaws solely through firewalls, anti-virus software or intrusion-prevention systems are not reliable, for several reasons. The operating system or application vendor that releases a patch is the only organization that truly understands the nature and extent of the flaw; thus it is best suited to supply the fix. Often the patch corrects more issues and attack avenues than are known outside the vendor, including details supplied by the person(s) who originally found and reported the flaw. Because the vendor has access to the source code, it can identify each component of the operating system or application that might be affected and update the relevant code to eliminate the flaw in every instance.


The other side by Steven Hofmeyr

In some cases it is not generally known that a patch for one item - say, a Web server flaw - also corrects a flaw in another area of the operating system, such as the desktop shell. In these instances, using an IPS or firewall to block the Web server attack path does nothing for the other vulnerable sections of code, which remain reachable through whatever paths they expose. As noted, only the vendor knows the true extent of the flaw, so the vendor is best positioned to fix it.

Patches also contain the latest versions of the affected code. Patches are often cumulative, meaning that the latest version of each file carries all the known security fixes. Applying a patch ensures that you're running the current vendor code, with both public and non-public security flaws in that code fixed.

As end users, we don't know exactly what was fixed in any given patch; therefore, we can't adequately build alternative protections. Such workarounds run a high risk of breaking intended functionality and/or not closing the flaw across all attack vectors. A patch, on the other hand, is the vendor-supported fix that addresses every aspect of the flaw while preserving intended functionality. Applying the patch is the only way to ensure complete remediation of the reported vulnerability.

In short, a patch or hotfix is like medicine: it cures the root of the flaw. Third-party products might alleviate the symptoms, but they don't cure the underlying problem. Ensuring network security through patch management is no simple task, however. It requires diligence to stay informed of available patches, test them on non-production systems, deploy them to every affected system and validate that they were installed properly. Automated patch management systems can ease the chores of keeping systems up to date and confirm that the associated vulnerabilities have actually been closed.

Firewalls, anti-virus products and IPSs are excellent solutions for their intended uses. Combined with patch management, they form a multi-layered, defense-in-depth strategy that is critical to keeping a network secure.
