Patch Now, Not Later
Summary
Never before have there been so many potential costly threats to
your business information. Protect your business by staying
up-to-date with patches for all your software programs.
Introduction
According to the CERT Coordination Center at Carnegie Mellon, 99
percent of all reported security intrusions "result through
exploitation of known vulnerabilities or configuration errors."
That's why patching should be part of your first line of defense against
security threats. However, before you automate the patching function
available in your software, make sure you are up to speed on the "whats,
hows, and whys" of patching.
'A fix'
A patch is a small piece of code that remedies specific problems
in a file or application. The patch update is applied as a
replacement, complement, or a fix to existing programming. The
availability of patches removes the need to download and re-install
the entire file or application.
Patch updates only
modify the portion of the program code necessary to correct or
enhance functionality. These corrections and enhancements range from
fixing bugs, to replacing graphics, to improving the usability or
performance of a previous version of software. Sometimes software
vendors release patches to eliminate functionality or to prevent
users from performing a certain activity. This article addresses
patching for security purposes.
The Need to Patch
Hackers often target home computers in an effort to steal
personal information, such as social security and credit card
numbers. So you can imagine the sort of information hackers can
steal if they breached your small business network. Here are some
issues to consider:
Web application risks - Web applications allow users to share, create, or
modify content through a Web browser. While convenient and efficient, they
are prone to vulnerabilities. Web application vulnerabilities are
worrisome as they can expose information publicly over the Internet.
They may allow access to confidential information from databases
without compromising any servers. They may also allow an attacker to
circumvent traditional perimeter security measures, such as
firewalls, and are particularly dangerous because an attacker who
gains access through a single local system could compromise an
entire network.
Zombies - So-called zombie computers (or bot networks) are clusters of
compromised computers on which attackers have installed software
that gives them remote control. Zombies are constantly searching for
new machines to infect. Unpatched vulnerabilities are the usual
culprits. Symantec feels that the security threat from these attacks
will only worsen, especially in financial terms. Increasingly,
zombie computers are being used for financial gain. Symantec expects
this trend to escalate, as the diverse means of acquiring new
zombies become more prevalent.
Vulnerability window - In the last six months of 2004, according to
Symantec research, the average time between the discovery of a
vulnerability and the creation of an exploit for it was 6.4 days. As
demonstrated by the recent Zotob virus, the vulnerability window is
shrinking. This trend is precisely why systems must be patched immediately.
Finding Patches
When vulnerabilities are discovered, developers work quickly to
provide patches. Vendors issue warnings for security loopholes and
advise on rolling out patches. Patches are typically available for
download on developers' Web sites. IT staff or small business owners
should subscribe to newsletters and mailing lists from software
developers and act upon advisories.
Most programs allow you
to update patches automatically. However, patches are not perfect.
Some have caused damage. Security experts suggest regularly updating
security programs, such as antivirus programs or firewalls.
If you are using a
patch management tool, know exactly what the tool is patching. Even
the best patch management tool might not automatically download
every patch, especially for an obscure application. Patch management
tools may download patches, but these tools may not actually deploy
them for you. You will still need to devote time to manually
approving updates. Remember, just as your system needs to be updated
regularly, so too does your patching tool.
A Thorough Security Policy
Here are a few suggestions that can serve as stepping-stones for
including patching in your overall security policy:
- Keep in touch with
software developers via newsletters or mailing lists.
- Determine the
severity of each vulnerability. How much downtime should be
allotted to patch each vulnerability? How would a security
breach affect your business?
- Make time to test.
Unfortunately, patches can sometimes cause more problems than
they fix, so test all patches before deploying.
- Order matters.
Make sure patches are installed in the correct order.
- Consider a
third-party service or patch management tool.