No patch should be the same

There is a real gap in the market for the channel to educate businesses on the importance of vulnerability management, writes Alan Bentley

The dangers of the Kama Sutra virus may have been over-hyped this time around, but as the interval between the discovery of a vulnerability and its subsequent exploitation continues to shorten, zero-day threats are now a reality. This should prompt businesses to re-evaluate their approach to assessing vulnerabilities and remediating their systems.

While some say it is a question of cost, time and resources, the main reason behind a lack of an effective patch-management process is simply insufficient knowledge. Here is a clear opportunity for the channel to educate the market.

Companies scramble to update their systems when they hear that a virus in the wild can affect business. The absence of a planned and systematic approach to software and hardware means that organisations rely heavily on the IT department and users alike to recognise security threats and apply solutions.

This approach is flawed in three ways. First, while many think that using their employees to patch every system manually will save their business money, it is actually quite the opposite. According to the Yankee Group, it can cost as much as $1m to manually deploy a single patch in a 1,000-node network. But this figure can increase dramatically if a patch is deployed incorrectly, or if it does not correspond with the particular network requirements.

The latter stems from the little-known fact that not all patches are created equal. Businesses take it for granted that patches supplied by trusted software vendors are ready to be installed, regardless of which operating systems, or other software, make up their infrastructure. But generic, untested patches can cause damage equal to, if not worse than, that of a virus. There is a need for a clear understanding of the network infrastructure and how each patch will affect individual systems before installing the patch across the entire network en masse.

Finally, while the process of automated patching is efficient, without the knowledge of which resources are most important to business continuity and most prone to attack, it may as well be carried out at a snail’s pace. This is because the very systems that need to be patched may find themselves at the end of the patching queue. The only solution is for businesses to conduct an in-depth study of all IT assets and prioritise the patching process.

With all this confusion, the channel should take ownership of educating businesses and its customers on the best security practice of adopting a layered security approach.

Alan Bentley is EMEA managing director of PatchLink.