We push and pull our computers in directions they were never meant to go, all in the name of increased productivity. In return, the least we could do is defend them against viruses and worms and vulnerabilities. But we tend not to.
Properly done, patching requires a lot of commitment and thought, as the number of fixable vulnerabilities out there is staggering.
“I would say that the majority of the vulnerabilities that we are looking at today have patches that are available,” said Dan McCall, co-founder of Guardent Inc. in Waltham, Mass. That number is probably on the order of 80 to 90 per cent, he added. “Very few vulnerabilities out there in the wild…don’t have patches.”
Patching is a huge problem and it is going to get worse, said Brian O’Higgins, CTO with Entrust Inc. in Ottawa. “And we are losing and falling further behind,” he said.
To reverse the trend, you first need to get a handle on what you are up against. Once the network and its attributes are properly mapped – and going outside for help with this is not a bad idea – it is time to prioritize the data and applications.
Peter de Jager, an IT consultant based in Brampton, Ont., said all corporate data has to be assigned a security level. Usually four levels provide enough latitude, ranging from top security on a need-to-know basis down to public-access information.
Almost all vendors have subscription-based patching and vulnerability services. When a new vulnerability and accompanying patch is available, you will be e-mailed a notice. O’Higgins also suggests monitoring third-party Web sites that are devoted to security. There are dozens with update bulletins, of which CERT and SANS are just two.
“Then patch based on mission critical prioritization,” McCall said. “If you don’t have the expert on staff, there are resources out there that you can tap into.”
Once a patch is deemed necessary and properly tested against your applications then, and only then, should it be installed.