How to handle patch management - Network World


By John Fontana, Network World, 12/01/2003

The list of all-too-familiar names - Nachi, Klez, Lovsan, SoBig, BugBear, Swen, Blaster and Yaha - represents only a sampling of the most prevalent worms and viruses that slithered into corporate networks this fall. But they all have one thing in common: Patches were readily available before most damage had been done.

So why do these intruders continue to wreak such havoc?

Because patch management is tough.

It's tough because there are too many patches and not enough time, and because exploits to announced vulnerabilities are materializing faster. (Blaster appeared only 26 days after Microsoft reported the vulnerability.)

It's tough because clients are becoming the attack targets as much as servers, fueling faster propagation and the threat of re-infection from mobile workers reconnecting to the network.

And it's not just Microsoft vulnerabilities. Although Windows seems to get the bulk of the exploits and end-user animosity, the list of targets includes routers, switches and firewalls, and Unix and Linux, too.

Patching chores likely will never go away, experts say, but there are ways to address the task proactively to minimize exposure.

"Patching is the physical process," says James Williams, information delivery manager for RBC Centura Bank in Rocky Mount, N.C. "But you have to manage that process, and to do that you need some structure."

Centura has an 11-person staff as part of a computer security incident response team that maintains what Williams calls a "very systematic and very organized" patch management process. That process utilizes inventory, change-control practices and automated deployment supported by tools from Ecora, IBM/Tivoli and others.

"I might not have enough staff, but I have processes and organization that help me cover that issue," he says.

How to patch

"We see people looking for a tool that will solve all their problems, but what you need is a process; it's not just about the tool," says Felicia Nicastro, senior network systems consultant for International Network Services, a consulting firm that kicked off a patch management service in September. Nicastro says the biggest mistake companies make is leaving out the processes, such as diligent monitoring for new patches coupled with detailed evaluation, testing, deployment and validation that a team or individual manages.

"This typically isn't a task for one person. It has to involve the security group, the operations group and the developers," she says. "So what also makes patching tough is a lack of resources."

Nicastro says companies need to have several pieces in place before a patch management process can be installed: network inventory, change management, configuration management, asset management, formalized record keeping, an understanding of costs, prioritization guidelines, and maintenance and communications plans.

"Getting a process in place can be difficult if you don't have all these pieces together," she says.

Inventory, or documenting what machines run what software, is the first step.

"This might be your biggest cost," Nicastro says. "Inventory can take some time."

Inventory ties into asset, change and configuration management. "If you track configuration then you know what's changed, and that can help with future patching," she says.

The process starts, Nicastro says, with monitoring for new vulnerabilities and available patches for everything in inventory. Once a vulnerability is identified and determined to be a threat, teams of IT, data and operations managers must work together to usher a patch through the established rollout process. A course of action and a timetable for execution, including lab testing, should be established.

"Many times companies don't have the money to support a lab or duplicate environment, but at a minimum you should try to duplicate business-critical systems, say a Web server with a database back end," Nicastro says.

After testing, distribution of the patch, implementation, exception handling, tracking and reporting need to be done.

Software and services for such tasks are available from vendors such as Altiris, BigFix, Computer Associates, ConfigureSoft, Ecora, HP, IBM, Loudcloud, Microsoft, Novell, PatchLink, Shavlik Technologies and St. Bernard Software.

Nicastro says in times when patching becomes a fire-fighting exercise, companies should quarantine the worm or virus on network segments and patch using their documented processes.

"The number of vulnerabilities, their exploits and the serious damage that they can do is why having a process is so important," she says.

Comments (5)

I think WSUS would be a good choice
By Calvin on January 4, 2008, 3:10 pm
WSUS in conjunction with GPOs can be flexible enough to meet the requirements that were described. I have several hundred servers and I am using WSUS with GPOs...


Ron if you don’t mind
By Richard Linke on September 24, 2007, 10:13 am
Ron if you don’t mind I’d like to give my point of view on the reason WSUS may not be the best choice. I spent a lot of time reviewing patch management tools...


Why not use WSUS?
By Jon on April 9, 2007, 10:45 am
On the face of it, this is a perfect opportunity for WSUS. Since you didn't suggest it, I can only think that you have a good reason for not doing so. May I ask...


Patching an entire server farm
By Ron Nutter on April 8, 2007, 9:43 pm
Unfortunately, patching servers to keep them current and avoid problems is a cost of doing business. You should have some type of Internet connectivity to do the...


How to patch old Windows 2000 servers while minimizing downtime?
By Anonymous on April 5, 2007, 10:27 am
I loved the article on patch management. Re: How to handle patch management. I am new to the company where I work and responsible for the patch management...
