Critical Updates for IT Systems
Compliance Patch Level
The author of this report has been tasked with discussing the overall subject of patch compliance level. The pros and cons of using the patch compliance level framework will be assessed, along with several critical questions: the patch compliance level of a given patch, what level of patch compliance is safe, and what needs to be considered when evaluating the current patch compliance level. Patching is very much a security-related matter and helps both system and network administrators keep their systems up-to-date and as safe as possible from vulnerabilities and hacking attacks. Not applying needed patches to software such as operating systems, firmware, device drivers, databases and so forth can leave an enterprise information technology environment susceptible to attack. While the deployment of patches should be planned carefully, it is very important to deploy them promptly and completely, and the entirety of the process and its progress should be monitored.
To be sure, it is extremely important for computer hardware and software to be as updated and modernized as possible so as to protect computer systems and data from hackers. However, not all patches are safe or complete, and some are actually hazardous to install. On the other hand, many to most patches should be installed right away without fail. While patches should generally be installed and kept up with fervor, every patch to a system needs to be assessed and contemplated before it is applied to an IT framework, lest it create more problems than it solves. Even information technology professionals can get a little desensitized to all the patches and updates that are applied to their systems. There are many government agencies that are literally still running Windows XP, the Internal Revenue Service among them. However, even the most complacent information technology professional will get rocked a little bit when they learn that a pervasive protocol like Secure Socket Layer (SSL) gets hacked. Precisely that was revealed when news about "Heartbleed" came out (Codenomicon, 2015). Given that, patches should generally be installed right away, and the patch compliance level of said patches needs to be closely monitored.
Even so, just installing patches without inspecting them first can lead to headaches and other problems. At the same time, having a spate of vulnerabilities can lead to a frenetic situation for an information technology professional. A real-world example of this was realized when Java had a string of related yet different vulnerabilities that came into the public eye in early 2013. As described by Tech Republic, even with the massively publicized issues, there are a lot of companies that just are not keeping up. For example, Tech Republic assessed roughly six thousand organizations and found that roughly forty percent did not have the important and recent patches that they should have. As such, their patch compliance level was, and is, obviously very poor (Reenen, 2013).
As already noted, however, patches are not always what they seem, and they are not always the solution to a problem. This could be because the patch is not applicable, because it is not needed, or because the patch does not meet the proper standards to deploy into an information technology hardware and/or software workspace. However, this is extremely rare, and patches should generally be applied immediately upon release (SANS, 2015). One upside to a patch compliance level system is that patches can be assessed and analyzed based on whether they fix the problem they purport to fix, whether the patch would create any new problems, and so forth. Once that is figured out, the patch can be deployed and it can be verified that end users are accepting the patch as they should be. Once it is verified that a patch should be installed, it is extremely important that this happen as soon as possible (Lavasoft,...
...One downside to a patch compliance system is that even the most careful audit of a patch, what it is meant to do and so forth, may not be enough to catch all potential problems. In short, ensuring patch compliance does not mean the problems will go away if the patch was not complete and/or did not address the true root of the problem. If the patch does not address the actual and entire problem, no patch compliance percentage will fix all of the problems. As mentioned before, even gold-standard encryption standards like SSL can fall victim to a hack, and there is often no telling how long it went on unabated before the problem was caught, and what else might still be happening (Chan, 2004; Codenomicon, 2015).
A pro of doing patch compliance is that it can be linked and joined with a partnership with the software vendor itself. For example, if a company is using the Oracle 10g platform, it can work directly with Oracle when it comes to software patches, including why they are needed, how complete they are, whether there are other outstanding issues, and so forth. The vendor can also assist when it comes to the best ways to get the proper level of patch compliance on all of the relevant systems. The level of support rendered by vendors can vary greatly. This is true even for a single product. Indeed, a fee might be necessary to get direct support, and this is more likely to be the case the older a software suite is and the longer it has been since it was installed and deployed (Oracle, 2015). The downside to such arrangements is that, unfortunately, companies may not be as forthright and honest about what they know and do not know. For example, it would be interesting to know how much of a gap (if any) existed between the time Heartbleed came to light and when the leadership behind SSL actually came clean and did something about it. Even worse, it could be that the SSL power collective was completely unaware and had to be told of the issue by someone else. Regardless, the details probably don't favor the SSL powerbrokers, because not knowing is bad, but so is knowing something and not going public (Codenomicon, 2015). Even an immediate revelation creates a question of how the SSL management could make such an egregious error and how long the vulnerability was present before it was caught. Even so, patches should generally be deployed so that as much of the risk as possible can be ferreted out and stamped out (Chan, 2004).
A pro of a software patch compliance system is that plenty of third-party experts exist who can review things for themselves and offer their own assertions. A con is that not all of those sources know the full and complete story, and they are much more likely to get important details wrong (or omit them entirely), since they obviously would not know the software as well as someone who is personally part of the company that regulates the protocol, language, software or hardware. After all, a person may think they are an expert on Java, and they may catch most things (JPF, 2015). However, Oracle would (and should) know more than anyone, as it is the company that owns the rights and the power when it comes to Java. Given the above, it is important to include information from the software vendor as well as information from outside sources so that the most complete picture possible is painted and portrayed. This allows for a more complete picture and definition of whether a patch passes muster and thus should be deployed. Once again, patch compliance is important, but it is not a cure-all (Chan, 2004; Oracle, 2015).
Regardless, one pro of a patch compliance system is that there can be a final testing of the patch before it is fully deployed but after all other relevant details have been discovered. Getting it out there and getting the patch compliance to a high percentage is very important, but it needs to be tested first. A downside to this part of patch compliance level management is that it is not always possible to replicate the production environment when it comes to testing. Even so, the test environment should mirror the production and primary environment as much as is reasonably possible. This heightens the chance that problems with the patch that are compliance- or operations-related will be identifiable before the patch is put into production rather than after the fact. One pro when it comes to patch compliance level is that the implications of deploying a patch can usually be figured out in advance based on the prior steps mentioned (Microsoft, 2006). However, there can always be issues and problems that are not known until it is too late. However, massive and seismic complications are typically rare and thus should not generally present an issue (Chan, 2004).
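The compliance percentage discussed above (the share of systems that have the patches they should have, and whether that share meets a target) can be computed from an asset inventory. The following is an added example, not part of the essay or of any vendor's tooling; the patch identifiers, host names, severities and the 95 percent target are constructed values.

```python
# Added example: measure patch compliance level over a constructed inventory.
# A patch marked required=False is one that was assessed and deliberately not
# deployed (not applicable or rejected), so it does not count against hosts.
from dataclasses import dataclass, field

@dataclass
class Patch:
    patch_id: str
    severity: str          # "critical", "important" or "moderate"
    required: bool = True  # False = assessed and excluded from the baseline

@dataclass
class Host:
    name: str
    installed: set = field(default_factory=set)  # patch ids reported installed

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}

# Constructed sample data (hypothetical patch ids and hosts).
PATCHES = [Patch("KB-0001", "critical"), Patch("KB-0002", "important"),
           Patch("KB-0003", "moderate", required=False)]
HOSTS = [Host("web-01", {"KB-0001", "KB-0002"}), Host("web-02", {"KB-0001"}),
         Host("db-01", set()), Host("app-01", {"KB-0001", "KB-0002", "KB-0003"})]

def compliance_by_patch(hosts, patches):
    """Percentage of hosts carrying each required patch."""
    result = {}
    for p in patches:
        if p.required:
            have = sum(1 for h in hosts if p.patch_id in h.installed)
            result[p.patch_id] = round(100.0 * have / len(hosts), 1)
    return result

def overall_compliance(hosts, patches):
    """Percentage of hosts missing none of the required patches."""
    baseline = {p.patch_id for p in patches if p.required}
    ok = sum(1 for h in hosts if baseline <= h.installed)
    return round(100.0 * ok / len(hosts), 1)

def noncompliant_hosts(hosts, patches, min_severity="important"):
    """Hosts missing a required patch at or above the given severity."""
    cutoff = SEVERITY_RANK[min_severity]
    req = [p for p in patches if p.required and SEVERITY_RANK[p.severity] <= cutoff]
    gaps = {}
    for h in hosts:
        missing = sorted(p.patch_id for p in req if p.patch_id not in h.installed)
        if missing:
            gaps[h.name] = missing
    return gaps

def meets_target(hosts, patches, target=95.0):
    """True when the fleet-wide compliance level reaches the target percentage."""
    return overall_compliance(hosts, patches) >= target
```

The per-patch view shows which patch is lagging, while the host view lists what each machine still needs, which is what an administrator acts on.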
A con of the patch compliance level management process…