
Should you patch if your security-monitoring processes are good?

Apr 19, 2004

* Microsoft issues guide to devising a patch management process

The big news last week wasn’t that Microsoft released a spate of (actually, four) security patches – it was, after all, the first Tuesday of the month, the day designated for patch release. The big news was in the form of a “good news – bad news” situation.

The good news was that more of you than ever downloaded the patches from Windows Update almost as soon as they were released.

The bad news was that Microsoft wasn’t prepared for the amount of traffic generated and had to take Windows Update offline while bringing extra servers online to handle the load.

It’s really frustrating when you try to do the right thing and something beyond your control impedes or prevents you from doing so. But maybe it’s time to ask, just how important is it to a) install the patches and b) do it as soon as possible?

One person, on an e-mail discussion list I monitor, said, “I rely on other measures for my Win2k system security:

* Hardware firewall/NAT on paranoid settings.

* Serious-quality software firewalls on each machine, also monitoring MD5 checksums of connecting software.

* Stealthy Web proxies to filter out the worst on http, and I avoid IE, Outlook, and [Microsoft] Office products.

* A ‘human intelligence filter’ to try not to do the silly things a lot of people do.”

If you do all that, is security patching (as opposed to bug fix patching) really necessary?

Microsoft’s answer, and I have to agree, is an unqualified “yes!” Bug fixes for software you don’t use or rarely employ can sometimes do more harm than good. Security patches, though, should never be ignored, because of the potential problems that can arise if you don’t patch and someone successfully exploits the vulnerability the patch is intended to close down. Measures like the ones listed above reduce your exposure to that vulnerability, but none of them removes it; the flaw is still there for any path the controls don’t cover, whether that is a laptop carried in past the firewall or a trusted machine on the inside that has itself been compromised. Only the patch removes the flaw.

But in order to stay abreast of the latest security patches efficiently, you need a fully implemented patch management strategy. Microsoft has issued a guide to devising a patch management process that you should download, read and comprehend.

As just a taste of what to expect, the authors say that you should consider the following areas when determining the potential financial impact of poor patch management:

* Downtime

What is the cost of computer downtime in your environment? What if critical business systems are interrupted? Determine the opportunity cost of lost end-user productivity, missing transactions on critical systems, and lost business during an incident. Most attacks cause downtime, either through the attack itself or through the remediation required when recovering. Some attacks have left computers down for several days.

* Remediation time

What is the cost of fixing a wide-ranging problem in your environment? How much does it cost to reinstall a computer? What if you had to reinstall all your computers? Many security attacks require a complete reinstallation to be certain that back doors (permitting future exploits) were not left by the attack.

* Questionable data integrity

In the event that an attack damages data integrity, what is the cost of recovering that data from the last known good backup, or the cost of confirming data correctness with customers and partners?

* Lost credibility

What does it cost if you lose credibility with your customers? How much does it cost if you lose one or more of your customers?

* Negative public relations

What is the impact on your organization from negative public relations? How much could your stock price or company valuation fall if you are seen as an unreliable company with which to do business? What would be the impact of failing to protect your customers’ personal information, such as credit card numbers?

* Legal defenses

What might it cost to defend your organization from others taking legal action after an attack? Organizations providing important services to others have had their patch management process (or lack of one) put on trial.

* Stolen intellectual property

What is the cost if any of your organization’s intellectual property is stolen or destroyed?

Having to wait a few extra minutes, even a couple of extra hours, to download a patch is a small price to pay. Read the document, plan your strategy, sleep better at night.