Understanding Patch and Update Management
Thursday, January 29, 2004
Posted by: Michael K. Wons, Microsoft Corporation
Understanding Patch and Update Management: Microsoft's Software Update Strategy
Courtesy of Michael K. Wons, Microsoft Corporation
Michael K. Wons presented this topic at the recent AITP National Conference.
With more devices and mobile users accessing corporate networks, a consistent stream of security patches from software and hardware vendors, expanding footprints for systems and applications, almost daily identification of new security threats, and a much more sophisticated hacking community, IT professionals face immense challenges in implementing an effective software update and security patch management strategy.
This white paper reviews recent security trends that exemplify the need for strong patch and update management methodologies. It also examines various initiatives within Microsoft that promote secure software through stronger development processes as well as streamlined patch and update communications and delivery mechanisms. Finally, it discusses patch and update management tools, including future releases meant to simplify the overall patch and update management process.
Security Trends
According to industry analysts at Forrester Research, for example, there will be 35 million remote users by 2005 and 14 billion devices on the Internet by 2010. These interconnection paths are potentially susceptible to access by unauthorized individuals. According to the Computer Security Institute (CSI), the results of the 2002 CSI/FBI Computer Crime and Security Survey indicate that "The threat from computer crime and other information security breaches continues unabated and the financial toll is mounting."
Ninety percent of the CSI/FBI survey's respondents detected computer security breaches in 2002. Of those security breaches, 95 percent occurred because of poor system configuration. About 85 percent of the survey's participants detected viruses even though most had deployed firewalls (98 percent) and anti-virus technology (99 percent). These attacks on IT infrastructures take many forms, including theft of proprietary information, financial fraud, worms, viruses and net abuse by employees.
According to the CERT Coordination Center, a center of Internet security expertise located at Carnegie Mellon University, "Most intrusions result from exploitation of known vulnerabilities, configuration errors or virus attacks where counter measures were available, including most major Internet worm/virus events. Countermeasures are available for most exploited vulnerabilities, but are they deployed? For systems and networks impacted by these events, the answer is generally 'no' or 'not consistently.'"
For example, Forrester Research recently observed that for nine recent security exploits affecting Microsoft environments, on average, software patches were available weeks or months in advance of the worm/virus event.
The Cost of Vulnerable Corporate Assets
CERT calculates the financial damage from these security intrusions worldwide at around $15 billion annually. Of the 90 percent of CSI/FBI survey respondents detecting computer security breaches within the last year, 80 percent acknowledged financial losses. Forty-four percent - those companies that could quantify the loss - reported $456 million in losses. With so much at stake, security requires a commitment of resources - financial, human and technological - to an enterprise-wide program.
Ensuring that the latest software updates, particularly security patches, are applied consistently across the enterprise - small, medium, or large - has become an increasingly important part of that enterprise-wide system management and security program.
Protecting the IT Infrastructure
Security management refers to what an organization or IT department can do operationally to manage and mitigate risk across the computing environment. Increasingly, improving security means improving systems management. Consistent, repeatable processes, reliable auditing and reporting against policy, and effective change control can drastically reduce the level of uncertainty and risk throughout the IT infrastructure. And, as the security trends discussed previously indicate, an effective security management strategy must ensure that software remains up-to-date and as fully protected as possible from worms, viruses and other information security breaches.
By implementing an effective security management strategy, organizations reap the following business benefits:
- Reduced downtime and costs associated with non-availability of systems and applications
- Reduced labor costs associated with inefficient security update deployment
- Reduced data loss due to destructive viruses or information security breaches
- Increased protection of intellectual property
Microsoft, through a variety of security initiatives, offers products, resources, prescriptive guidance, training and partners designed to help customers keep their IT infrastructures healthy and to enjoy the benefits and peace of mind a secure computing environment brings.
Trustworthy Computing Frames Microsoft's Security Initiatives
Microsoft's Trustworthy Computing initiative, announced by Bill Gates in January of 2002, is a long-term initiative for the company focusing on four key tenets: security, privacy, reliability and business integrity.
The Security effort is driving toward the following:
- Improve and simplify the patching experience to help its customers keep all of their systems protected and up-to-date
- Provide security guidance to help customers deploy and operate Microsoft products as securely as possible
- Innovate on safety technologies that will make Windows-based computers more resilient to attack, even when patches are not installed
- Improve the quality of software through the Trustworthy Computing Development Process, to reduce vulnerabilities before the software ships
Please visit www.microsoft.com/security for more information.