Sign Up Now
Get instant access to over 1 million+ study documents
OR
Already registered? click here to login
By creating your account, you agree to our terms of service, privacy policy and student honor code.
Compliance Patch Level
The author of this report has been tasked with discussing the overall subject of patch compliance level. Indeed, the pros and cons of using the patch compliance level framework will be assessed. There will also be an assessment of several critical things such as the patch compliance level of a given patch, what level of patch compliance is safe and what needs to be considered when evaluating the current patch compliance level. Patching is very much a security-related matter and helps both system and network administrators to keep their systems completely up-to-date and as safe as possible from vulnerabilities and hacking attacks. Not applying and installing needed patches to software such as operating systems, firmware, device drivers, databases and so forth can leave an enterprise information technology environment susceptible to attack. While the deployment of patches should be planned and deployed carefully, it is very important to deploy them immediately and completely and the entirety of the process and progress should be monitored.
Analysis
To be sure, it is insanely important for computer hardware and software to be as updated and modernized as possible so as to protect computer systems and data from hackers. However, not all patches are safe or complete and indeed some are actually hazardous to install. On the other hand, many to most patches should be installed right away without fail. While patches should generally be installed and kept up with fervor, every patch to a system needs to be assessed and contemplated before it is applied to an IT framework lest it create more problems than it solves. Even information technology professionals can get a little desensitized to all the patches and updates that are applied to their system. There are many government agencies that are literally still running Windows XP, the Internal Revenue Service among them. However, even the most complacent information technology professional will get rocked a little bit when they learn that a pervasive protocol like Secure Socket Layer (SSL) gets hacked. Precisely that was revealed when news about "HeartBleed" came out in the news (Codenomicon, 2015). Given that, patches should generally be installed right away and the patch compliance level of said patches needs to be closely monitored.
Even so, just installing patches without inspecting them first can lead to headaches and other problems. At the same time, having a spate of vulnerabilities can lead to a frenetic situation for an information technology professional. A real-world example of this was realized when Java had a string of related yet different vulnerabilities that came out into the public eye in early 2013. As described by Tech Republic, even with the massively publicized issues, there are a lot of companies that just are not keeping up. For example, Tech Republic assessed roughly six thousand organizations and found that roughly forty percent did not have the important and recent patches that they probably should have. As such, their patch compliance level was/is obviously very poor (Reenen, 2013).
As already noted, however, patches are not always what they seem and they are not always the solution to a problem. This could be because the patch is not applicable, it could be because it is not needed or it could mean that the patch may not meet the proper standards to deploy into an information technology hardware and/or software workspace. However, this is extremely rare and patches should generally be applied immediately upon release (SANS, 2015). One upside to a patch compliance level system is that patches can be assessed and analyzed based on whether they fix the problem they purport to fix, whether the patch would create any new problems and so forth. Once that is figured out, the patch can be deployed and it can be verified that end users are accepting the patch as they should be. Once it is verified a patch should be installed, it is extremely important that this happen as soon as possible (Lavasoft, 2013). One downside to a patch compliance system is that even the most careful audit of a patch, what is meant to do and so forth may not be enough to catch all potential problems. In short, ensuring patch compliance does not mean the problems will go away if the patch was not complete and/or did not address the true root of the problem. If the patch does not address the actual and entire problem, no amount of patch compliance...
As mentioned before, even gold-standard encryptions standards like SSL can fall victim to a hack and there is often no telling how long it went on unabated before the problem was caught and what else might still be happening (Chan, 2004; Codenomicon, 2015).
A pro-to doing patch compliance is that it can be linked and joined with a partnerships with the software vendor themselves. For example, if a company is using the Oracle 10g platform, they can work directly with Oracle when it comes to software patches including why they are needed, how complete they are, whether there are other outstanding issues and so forth. They can also assist when it comes to the best ways to get the proper level of patch compliance on all of the relevant systems. The level of support rendered by vendors can vary greatly. This is true even for a single product. Indeed, a fee might be necessary to get direct support and this is more likely to be the case the older a software suite is and how long it has been since it was installed and deployed (Oracle, 2015). The downside to such arrangements is that, unfortunately, companies may not be as forthright and honest about what they know and do not know. For example, it would be interesting to know how much of a gap (if any) existed between the time HeartBleed came to light and when the leadership behind SSL actually came clean and did something about it. Even worse, it could be that the SSL power collective was completely unaware and had to be told of the issue by someone else. Regardless, the details probably don't favor the SSL powerbrokers because not knowing is bad but so is knowing something and not going public (Codenomicon, 2015). Even an immediate revelation creates a question of how the SSL management could make such an egregious error and how long the vulnerability was present before it was caught. Even so, patches should generally be deployed so that as much of the risk as possible can be fettered out and stamped out (Chan, 2004).
A pro of a software patch compliance system is that plenty of third party experts exist that can review things for themselves and offer their own assertions. A con that exists is that not all of those sources know the full and complete story and they are much more likely to get important details wrong (or omit them entirely) since they obviously would know the software as well as someone who is personally part of the company that regulates the protocol, language, software or hardware. After all, a person may think they are an expert on Java and they may catch most things (JPF, 2015). However, Oracle would (and should) know more than anyone as they are the company that owns the rights and the power when it comes to Java. Given the above, it is important to include information from the software vendor themselves as well as information from the outside so that the most completely picture possible is painted and portrayed. This allows for a more complete picture and definition of whether a patch passes muster and thus should be deployed. Once again, patch compliance is important but it is not a cure-all (Chan, 2004; Oracle, 2015).
Regardless, one pro of a patch compliance system is that there can be a final testing of the patch before it is fully deployed but after all other relevant details have been discovered. Getting it out there and getting the patch compliance at a high percentage is very important but it needs to be tested first. A downside to this part of patch compliance level management is that it is not always possible to replicate the production environment when it comes to testing. Even so, the production and primary environment should mirror the test environment as much as is reasonably possible. This heightens the chance that problems with the patch that are compliance- or operations-related will be identifiable before the patch is put into production rather than after the fact. One pro-when it comes to patch compliance level is that the implications of deploying a patch can usually be figured out in advance based on the prior steps mentioned (Microsoft, 2006). However, there can always be issues and problems that are not known until it is too late. However, massive and seismic complications are typically rare and thus should not generally present an issue (Chan, 2004).
A con of the patch compliance level management process is that having disparate and different people involved in…
References
Blue, V. (2015). New report: DHS is a mess of cybersecurity incompetence -- ZDNet. ZDNet.
Retrieved 21 October 2015, from http://www.zdnet.com/article/new-report-the-dhs-is-a-mess-of-cybersecurity-incompetence/
Chan, J. (2015). Patchmanagement.org. Retrieved 16 October 2015, from http://www.patchmanagement.org/pmessentials.asp
Codenomicon. (2015). Heartbleed Bug. Heartbleed.com. Retrieved 21 October 2015, from http://heartbleed.com/
Dadzie, J. (2005). Understanding Software Patching - ACM Queue. Queue.acm.org. Retrieved 16 October 2015, from https://queue.acm.org/detail.cfm?id=1053343
OpenDNS Blog. OpenDNS Blog. Retrieved 21 October 2015, from https://blog.opendns.com/2013/10/08/top-ten-important-cyber-security-tips-users/
Private Email Server. Independent Journal. Retrieved 16 October 2015, from http://www.ijreview.com/2015/09/413341-hillary-clinton-personally-paid-state-department-aide-manage-maintain-private-email-server/
Story. Retrieved 21 October 2015, from http://bigstory.ap.org/article/5a24a6f6ea634228b8ee326a889298fa/data-breaches-bad-news-can-show-well-down-road
PCWorld. Retrieved 21 October 2015, from http://www.pcworld.com/article/2972976/security/microsoft-pushes-emergency-update-for-internet-explorer-vulnerability.html
Retrieved 21 October 2015, from http://www.javaprogrammingforums.com/
October 2015, from http://www.lavasoft.com/mylavasoft/company/blog/patches-and-updates%E2%80%A6-are-they-really-necessary
TechCrunch. Retrieved 21 October 2015, from http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/
Manageengine.com. Retrieved 21 October 2015, from https://www.manageengine.com/products/desktop-central/patch-deployment.html
Retrieved 21 October 2015, from https://technet.microsoft.com/en-us/library/cc512589.aspx
October 2015, from http://www.oracle.com/us/support/lifetime-support/index.html
NHS scandal. SC Magazine UK. Retrieved 21 October 2015, from http://www.scmagazineuk.com/government-should-lead-by-example-over-data-security-management-after-nhs-scandal/article/137416/
Retrieved 16 October 2015, from http://www.techrepublic.com/blog/10-things/10-keys-to-successful-patch-management/
Mapcon.com. Retrieved 21 October 2015, from http://www.mapcon.com/neccessary-computer-skills-for-college-students
SANS. (2015). SANS: Intrusion Detection FAQ: Do I "really" need to install patches to my system? I don't run the services/products that patches were issued for.. Sans.org. Retrieved 21 October 2015, from https://www.sans.org/security-resources/idfaq/patches.php
2015, from http://www.foxbusiness.com/personal-finance/2015/06/01/irs-running-13-yr-
Systems Design Project Change is integral to the survival of any commercial enterprise in today's globalized, technologically advanced business environment. This requires stakeholders to have personal and organizational transition skills to attain the desired change for future success (Hughes, 2006). Strategizing drives organizational change giving it direction through activities (Thornhill, Lewis, Millmore and Saunders, 2000). Internal and external environmental considerations are both relevant; along with change management required to align with
System Concepts Company Overview Complete Solutions plc (CS) is a successful organization specializing in IT consultancy business with annual turnover of £40 millions. The company is located at North of England with branches in the U.S. And France. Established in 1980, the company was taken over by a larger company, and the take-over bid led to the rapid expansion of the company. Complete Solution has several sections with approximately 400 users in
System Implementation - Oahu Base Area Network System Implementation: Oahu Base Area Network The wireless local area network (WLAN) in the Oahu Base Area Network is made up of several different subsystems. The inputs to the system will be desktop computers, laptop computers, and embedded systems (fixed and mobile). Each client has a wireless network card that can communicate with an access point (AP). The AP manages WLAN traffic and physically connects
2002). This paper's focus will be on the CPM and PERT methodologies. The Rockfest event has 26 tasks, each conveniently denoted by a letter in the alphabet. Having drawn up the Critical Path and analyzed it, I found the following. The Critical Path starts with task A, continues with B, D, E, F, G, and finally O. The time it takes to complete these tasks is 34 weeks. That is
Role-based ERP systems are critical for the siloed, highly inefficient architectures of legacy ERP systems to be made more relevant, contribute greater financial performance, and lead to higher levels of overall customer satisfaction. c. Purpose of the study The purpose the study is evaluate how enterprises who adopt role-based ERP system implementations are able to attain higher levels of financial and operations-based performance vs. those that rely on silo-based, more functionally
Systems for a Retail Store Nostalgic Record Store Information Systems Proposal Benefits and Drawbacks of Information Systems Comparison of Cost and Benefits Any new store will require a series of accounting, e-commerce, finance, customer relationship management (CRM), pricing and services applications to ensure it stays profitable. When the products being sold are highly unique, as is the case with nostalgic music, the role of these systems becomes even more critical. It is the