ControlNow™ Whitepaper

Patch management

Table of Contents

Introduction ... 3
Importance of patch management ... 4
Balancing security with reliability ... 6
Why cloud-based patch management? ... 7
Summary ... 8
Patch management: Fixing vulnerabilities before they are exploited

Introduction

Managing and administering software updates remains one of the most time-consuming and resource-intensive jobs for IT administrators. Many of them oversee IT estates at small to mid-sized businesses and, on limited budgets, find it increasingly difficult to keep up with today’s volume of needed updates.

But the IT landscape continues to evolve. As the market shift to cloud-based solutions intensifies, automating patch management through the cloud both simplifies and enhances the process. IT administrators otherwise face a daunting task: overseeing many, if not all, system updates. With additional daily demands on their time, software goes unpatched and unintended security breaches may follow. Software lacking the latest patches and version updates compromises network security: servers, workstations and mobile devices face greater threats from malware and hackers, and data loss becomes a distinct possibility.

According to the National Vulnerability Database (NVD), a total of 4,347 new security vulnerabilities were reported in 2012, the highest figure since 2009. The spike was, in large part, due to problems occurring within third-party applications rather than issues directly related to the Windows® operating system (OS) or Microsoft®-produced application software. It also meant nearly 12 new vulnerabilities were detected daily, compared to 9.7 per day in 2011.¹

With more businesses encouraging the practice of bring your own device (BYOD), IT administrators need the flexibility that cloud-based patch management provides. From anywhere, they can monitor and manage on-premises machines and remote devices. Furthermore, the administrative tasks associated with deploying software updates are significantly reduced, minimizing the downtime often created by patch scheduling and deployment.

Importance of patch management

The process of keeping a machine fully patched is more critical than ever. Several key software vendors have built automated update-checking into their applications. The highly developed Microsoft update service can download and, in many cases, install updates in the background without requiring user input or a system reboot. But the fact remains: installing patches, if left solely to the user, can be overlooked or, worse, ignored. That leaves unaddressed vulnerabilities ripe for exploitation.

By virtue of being both an application and an OS vendor, Microsoft attracts the most attention when it comes to issuing and installing software updates. However, 86% of known application vulnerabilities are still linked to third parties; operating systems and hardware, by comparison, account for the remaining 14%. The impact of third-party software on IT security and reliability is compounded by browser plugins, media player codecs and other bolt-on code that works in conjunction with an existing application or system service.

Vulnerability issues resulting from the use of third-party applications are best illustrated by looking at the most targeted applications. The NVD’s 2012 data includes the top 10 most vulnerable applications (ranked by total number of targeted vulnerabilities):
1. Mozilla® Firefox 159
2. Mozilla Thunderbird 144
3. Mozilla SeaMonkey 143
4. Google® Chrome 125
5. Mozilla Firefox ESR 115
6. Mozilla Thunderbird 109
7. Apple® iTunes 102
8. Apple Safari 85
9. Adobe® Flash Player 66
NVD data also included the most targeted operating systems in 2012 (ranked by number of targeted vulnerabilities):

1. Apple iOS 159
2. Microsoft Windows Server 2008 144
3. Oracle Solaris 143
4. Linux Kernel 125
5. Microsoft Windows Server 2003 115
6. Microsoft Windows 7 109
7. Microsoft XP 102
8. Microsoft Windows Vista 85
9. Cisco IOS 66

For the first time in years, Microsoft operating systems did not monopolize the top five. However, they still accounted for 50% of the top 10. This confirms that mobile platforms are receiving increased attention. It also underscores the “pick your poison” mentality that many IT administrators must adopt: being forced to focus on the third-party applications that account for the majority of vulnerabilities means the main programs and operating systems receive less attention, leaving them more susceptible to threats.

“86% of known application vulnerabilities are still linked to third parties”
Balancing security with reliability

Various steps have been taken by operating system and application vendors to simplify the process and minimize the window during which a machine is exposed to a known application or underlying OS vulnerability. Preventative measures include integrating automated update download mechanisms, adding pop-up windows that alert users when a new update is available, and providing educational material reinforcing the need to deploy updates.

Still, such services have a weakness: they rely on users who actively connect to the Internet and allow updates to be downloaded and installed. Skype spearheaded a 2012 survey supporting this belief. The survey of US, UK and German consumers, specifically their attitude towards regularly updating software, found that 40% of adults don’t always update when prompted, and nearly 25% require a second prompt before acting.²

The survey also revealed these top reasons for not updating regularly:

› Worry over weakening the computer’s security (45%)
› Patching takes too long to complete (27%)
› A lack of understanding behind the need for patching (26%)
› Perception that a direct benefit from patching does not exist (25%)

Yet even a fully patched machine can present problems for both the user and the business. For example, in February 2010, Microsoft issued a patch for Windows XP, called MS10-015. The patch, intended to fix longstanding security vulnerabilities in the OS, was found to create significant system instability on certain PC configurations, leading to the unrecoverable “Blue Screen of Death” Windows error. The error prompted the temporary suspension of the patch from Microsoft’s Windows Update download service while the instability issues were investigated and fixed. For users who had already installed the patch, the most prudent course of action was to uninstall it and roll the system back to the previous good state.

The ability to test a patch before it is deployed is therefore essential, so that problems caused by installing a software update are caught early rather than having to be remediated in haste afterwards.

While other solutions exist for patch management, such as Microsoft’s Windows Server Update Services (WSUS), they are usually limited in both their scope and their ability to automate the patch management process. In the case of WSUS, patch management is limited to Microsoft applications and system patches issued through the Microsoft Update framework, which means third-party applications are not addressed.

² Skype.com, Survey Finds Nearly Half of Consumers Fail To Upgrade Software Regularly And One Quarter of Consumers Don’t Know Why To Update Software, July 2012
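The staged rollout the MS10-015 episode argues for (a small pilot ring, a health check, suspension and rollback on failure) and the single central view of missing patches across Microsoft and third-party software, as an added illustration that is not ControlNow/LogicNow code. The machines, patch ids and failure report are constructed sample data; the patch ids are placeholders, not real Microsoft or vendor patch numbers.

```python
"""Staged patch rollout with a pilot ring, failure check and rollback.

Added illustration, not vendor code. Machines, patch ids and failure
reports below are constructed; 'KB-PILOT-1' and 'MOZ-FF-SAMPLE' are
placeholder ids, not real patch numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Machine:
    name: str
    ring: str                        # "pilot" (test group) or "production"
    installed: set = field(default_factory=set)
    healthy: bool = True             # False once a post-patch failure is reported


@dataclass
class Patch:
    id: str
    vendor: str                      # "Microsoft" or a third party such as "Mozilla"


def deploy(patch, machines, ring):
    """Install a patch on every machine belonging to the given ring."""
    for m in machines:
        if m.ring == ring:
            m.installed.add(patch.id)


def rollout(patch, machines, failure_reports):
    """Pilot ring first; if any pilot machine blames the patch for a failure
    (failure_reports maps machine name -> patch id), suspend it and roll back
    every machine to its previous good state, as happened with MS10-015."""
    deploy(patch, machines, "pilot")
    for m in machines:
        if failure_reports.get(m.name) == patch.id:
            m.healthy = False
    if any(not m.healthy for m in machines if m.ring == "pilot"):
        for m in machines:
            m.installed.discard(patch.id)   # uninstall = return to last good state
            m.healthy = True
        return "suspended"
    deploy(patch, machines, "production")   # pilot passed: wider deployment
    return "deployed"


def missing_patches(machines, approved):
    """Central view: the approved patches (any vendor) each machine still lacks."""
    return {m.name: sorted(p.id for p in approved if p.id not in m.installed)
            for m in machines}
```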
Why cloud-based patch management?

The integrated mechanisms for delivering patches and other software updates to applications and operating systems form just one part of the process. For any organization, the key is to deploy an all-encompassing patch management solution that automates the management of patch deployment and provides quick and easy visibility of the current state of patching on all machines. Delivering patch management through a web-based user interface creates one central point of control for IT administrators. They gain a high-level view of their IT estate and can identify, download and install patches for Microsoft and third-party applications from any location with an Internet connection. Cloud-based patch management can also take scalability into account: it is easy to expand coverage with default or customized patch management policies.

Essentially, shifting patch management to this platform drastically reduces the maintenance and administrative burdens placed on IT administrators.

Summary

The process of patch management has, over time, been complicated by the growth in operating system and application patches, along with driver updates, many of which are delivered to servers and clients via vendor-operated automated update services. Still, many of these updates haven’t undergone pre-testing to ensure broad compatibility and stability with the wide range of custom configurations found on servers and desktop PCs.

Patch management plays a critical role in ensuring that companies keep their IT estate up to date with the latest security patches and software updates, without unduly compromising reliability, productivity, security and data integrity.

A robust cloud-based solution that combines testing of patches with a single view of the patches installed on machines across the company is critical to software management and IT security strategies. As part of a wider IT security policy, such a solution protects applications from unnecessary risk by handling all aspects of critical updates at the first possible opportunity.
Disclaimer
© 2014. LogicNow. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. LogicNow is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, LogicNow makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. LogicNow makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

USA, Canada, Central and South America
4309 Emperor Blvd, Suite 400, Durham, NC 27703, USA

Europe and United Kingdom
Vision Building, Greenmarket, Dundee, DD1 4QB, UK

Australia and New Zealand
2/148 Greenhill Road, Parkside, SA 5063

www.controlnow.com/contact