While maintaining patches for software has always been a part of software administration, the increase in deployed software has made the administration and security of software a nightmare for network administrators. As hackers and attackers focus more of their attention on taking advantage of publicly known vulnerabilities in software rather than trying to discover new vulnerabilities, it is becoming increasingly important for companies to secure themselves by installing publicly available software patches.
There are a few issues keeping software patches from being installed on vulnerable systems. These manmade issues include:
- Determining which systems may be affected
- Verifying which systems have been patched
- Patching new systems added to the network
- Patching systems that may become vulnerable after the initial patching process
- Coordinating patch installation between both the network administration and security administration staff
To address the issues holding back security patch installation, patch management vendors have built in software inventory tools to keep track of which software is running on which machine. When a security release finds a vulnerability in a specific operating system, for example, the software can easily determine which machines need to be patched.
The security patch software also can verify which systems have been patched, and which still need to be patched. BigFix and Patchlink are both agent-based patch management systems, which have software running on each individual machine that syncs up with the manager. The administrator can push a patch to all machines with a click of a button. Sometimes the patch may not install on a machine, for a variety of reasons. In this situation, the security patch software is alerted that a patch did not successfully install and the administrator can follow-up to make sure that the computer is secured. Additionally, the patch management software may push a patch out to all users; however, some users may not be connected to the network. The patch management software knows that those unconnected machines have not been patched and will patch them as soon as they are connected. Therefore, road warriors will also continually be protected from software vulnerabilities to the same degree as the internal desktops.
Who should handle patches
As companies expand their networks to include more desktops, laptops, and servers, patch management software helps to check the security by ensuring that new systems include all previously issued security patches. In the same respect, through the agent software, computers notify the manager of changes in installed software. The manager can then detect if there are patches that need to be sent out to that machine because of the new software, even though the patches have already been distributed to the other networked computers. Therefore, a computer user who may have recently upgraded to a new version of Outlook would be automatically secured with the patches associated with that Outlook version.
One of the biggest challenges for software patch management vendors is the existing overlap of patch management between network management and security management. From a sales standpoint, the patch management vendors need to accurately find who in the organization is responsible for ensuring software integrity. Patch management software has traditionally been focused on securing Microsoft software, however, vendors are continuing to expand to Linux, Unix, Mac OS, as well as, Adobe, Symantec, Sophos, WinZip, and others.
The need for a system to manage software patches is being realized, as Microsoft's Windows NT/2000 operating system alone experienced 42 vulnerabilities in 2001, according to SecurityFocus. While Microsoft hopes to reduce the amount of needed patches through its Trustworthy Computing initiative, the need will not diminish. Vendors have come to market to fill the void in managing the many software patches, and are expected to experience healthy growth. Some of the more prominent players in this space include Patchlink, BigFix, and St. Bernard.
Security Patch Management--Securing the Holes Left Behind
First published on November 15, 2002
By Jaclynn Bumback