Patch management is key
Operating systems, firewalls, routers, switches: a good patch management process is critical to keeping them running.
By John Fontana, Network World | Network World US | Published: 00:00, 08 December 2003
"We see people looking for a tool that will solve all their problems, but what you need is a process; it's not just about the tool," says Felicia Nicastro, senior network systems consultant for International Network Services, a consulting firm that kicked off a patch management service in September. Nicastro says the biggest mistake companies make is leaving out the processes, such as diligent monitoring for new patches coupled with detailed evaluation, testing, deployment and validation that a team or individual manages. "This typically isn't a task for one person. It has to involve the security group, the operations group and the developers," she says. "So what also makes patching tough is a lack of resources."
Nicastro says companies need to have several pieces in place before a patch management process can be installed: network inventory, change management, configuration management, asset management, formalized record keeping, an understanding of costs, prioritization guidelines, and maintenance and communications plans. "Getting a process in place can be difficult if you don't have all these pieces together," she says.
Inventory, or documenting what machines run what software, is the first step. "This might be your biggest cost," Nicastro says. "Inventory can take some time." Inventory ties into asset, change and configuration management. "If you track configuration then you know what's changed and that can help with future patching," she says.
The process starts, Nicastro says, with monitoring for new vulnerabilities and available patches for everything in inventory. Once a vulnerability is identified and determined to be a threat, teams of IT, data and operations managers must work together to usher a patch through the established rollout process. A course of action and a timetable for execution, including lab testing, should be established.
"Many times companies don't have the money to support a lab or duplicate environment, but at a minimum you should try to duplicate business-critical systems, say a Web server with a database back end," Nicastro says. After testing, distribution of the patch, implementation, exception handling, tracking and reporting need to be done.
Nicastro says in times when patching becomes a fire-fighting exercise, companies should quarantine the worm or virus on network segments and patch using their documented processes. "The number of vulnerabilities, their exploits and the serious damage that they can do is why having a process is so important," she says.
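As an added illustration, not code from the article or from International Network Services, the following Python sketch models the rollout process Nicastro describes: an inventory lookup to find affected hosts, a gate that refuses deployment until the patch has passed on a vulnerable lab duplicate, recorded exceptions for hosts that cannot be patched yet, and a validation step that re-reads inventory before the rollout is closed. The inventory, host names, software names and version strings are constructed sample data.

```python
from dataclasses import dataclass, field

STAGES = ("identified", "tested", "deployed", "validated")
def sample_inventory():
    # Constructed inventory (assumption, not from the article): host -> lab flag and software versions.
    return {"web01": {"lab": False, "software": {"httpd": "2.0.47"}},
            "web02": {"lab": False, "software": {"httpd": "2.0.48"}},
            "lab-web": {"lab": True, "software": {"httpd": "2.0.47"}},
            "db01": {"lab": False, "software": {"pgsql": "7.3"}}}

@dataclass
class PatchRollout:
    patch_id: str
    software: str
    vulnerable: frozenset                            # versions the vulnerability applies to
    fixed: str                                       # version a host reports once patched
    stage: str = "identified"
    exceptions: dict = field(default_factory=dict)   # host -> documented reason it was skipped

    def _gate(self, to):
        # Stages are entered strictly in order: skipping lab testing or validation is refused.
        if STAGES.index(to) != STAGES.index(self.stage) + 1:
            raise RuntimeError(f"{self.patch_id}: cannot go from {self.stage} to {to}")
    def affected(self, inv, lab=False):
        # Evaluation against inventory: which lab or production hosts run a vulnerable version.
        return sorted(h for h, e in inv.items()
                      if e["lab"] == lab and e["software"].get(self.software) in self.vulnerable)
    def test(self, inv, lab_host):
        # Lab gate: the patch must first succeed on a duplicate that was itself vulnerable.
        self._gate("tested")
        if lab_host not in self.affected(inv, lab=True):
            raise RuntimeError(f"{lab_host} is not a vulnerable lab duplicate")
        inv[lab_host]["software"][self.software] = self.fixed
        self.stage = "tested"
    def deploy(self, inv, exceptions=None):
        # Exception handling: hosts that cannot take the patch now are recorded, not forgotten.
        self._gate("deployed")
        self.exceptions.update(exceptions or {})
        for h in self.affected(inv):
            if h not in self.exceptions:
                inv[h]["software"][self.software] = self.fixed
        self.stage = "deployed"
    def validate(self, inv):
        # Validation re-reads inventory: every affected host is fixed or has a documented exception.
        self._gate("validated")
        if unfixed := [h for h in self.affected(inv) if h not in self.exceptions]:
            raise RuntimeError(f"{self.patch_id}: still vulnerable: {unfixed}")
        self.stage = "validated"
        return {"patch": self.patch_id, "stage": self.stage, "exceptions": dict(self.exceptions)}
```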