By Mark Burnett
A number of years back, I owned a car with a seatbelt that automatically ran along a track and over my shoulder as soon as I closed my car door. It was one of the first of its kind and I thought it was very cool. The only problem was that you still had to manually pull the lap belt over to be completely safe (and not be decapitated in a crash). Unfortunately, the automated shoulder strap gave such a false sense of security that it was easy to neglect the lap belt.
That’s beginning to be the problem with patch management. Patch management used to be such a time-consuming, manual chore that it’s a great relief having so many tools to do it for you now. For many users, you can just turn on Automatic Updates and really not have to worry much. The only problem with this is that it makes it so easy to lapse into a false sense of security.
Home users can usually get away with this. But if you manage a network of systems for your organization, you really should spend some time knowing what’s going on with each month’s new patches.
There’s wisdom in the Knowledge Base
If you haven’t noticed, Microsoft has made some great improvements in their security bulletins and Knowledge Base articles concerning new patches. The articles used to be vague and defensive, but now are loaded with clear details outlining each vulnerability. It’s well worth the time to read these bulletins, even though you might already use a completely automated update-management solution.
These articles provide a good explanation of the security issue, offer workarounds, and explain factors that might mitigate the impact of the vulnerability. Occasionally, there are important notes that might greatly affect the impact of the vulnerability on your systems.
Sometimes, a vulnerability that’s critical for one environment may have no importance in another environment. In some cases, reading the article will make you realize you don’t even need to install the patch after all, for example because the affected component isn’t installed or is disabled on your systems. If you decide to defer a patch on that basis, write down the reason, so the decision can be revisited when the configuration changes.
Creating a set of key information
Every Patch Tuesday, I have to create summary reports for various clients. It doesn’t take me long and it gives me a much greater understanding of the issues. The process is so informative that I recommend it for anyone in charge of managing more than a few systems.
Some of the information I look for is the severity rating of a patch, whether it requires a reboot, which files it updates, the impact of the vulnerability, what mitigating factors exist, and what workarounds are available.
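The decision described above (and the "you may not even need the patch" case a few paragraphs earlier) can be written down as a small triage routine. What follows is an added example and not the author's own reporting script: it takes the facts the article says to collect for each patch (severity, reboot, files, impact, mitigating factors, workarounds) and a per-host inventory, and produces the summary a client report would contain. The bulletin IDs, product names and config keys are constructed placeholders, not real Microsoft identifiers, and the rules for how a mitigating factor changes the effective severity are this example's own model, not Microsoft's.

```python
"""Patch Tuesday triage over constructed bulletin data (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_ORDER = ["Low", "Moderate", "Important", "Critical"]


@dataclass
class Mitigation:
    """A mitigating factor expressed as a host-config condition.

    removes_exposure=True: the vulnerable code is not reachable at all
    (component disabled or not installed). False: it only raises the bar,
    e.g. a perimeter firewall blocks the attack vector.
    """
    condition: str        # key looked up in Host.config
    description: str
    removes_exposure: bool = False


@dataclass
class Bulletin:
    bulletin_id: str      # placeholder IDs below, not real bulletin numbers
    severity: str         # one of SEVERITY_ORDER
    affected_products: Set[str]
    reboot_required: bool
    impact: str
    updated_files: List[str]
    mitigations: List[Mitigation]
    workarounds: List[str]


@dataclass
class Host:
    name: str
    products: Set[str]
    config: Dict[str, bool]


@dataclass
class Decision:
    bulletin_id: str
    status: str           # "not affected" | "exposure removed" | "install"
    effective_severity: Optional[str]
    reboot_required: bool
    applied_mitigations: List[str]


def downgrade(severity: str, steps: int) -> str:
    """Lower a severity rating by `steps` levels, never below Low."""
    return SEVERITY_ORDER[max(0, SEVERITY_ORDER.index(severity) - steps)]


def triage(bulletin: Bulletin, host: Host) -> Decision:
    """Decide what one bulletin means for one host (this example's own rules):
    no affected product -> not affected; an applicable exposure-removing
    factor -> no install now; every other applicable factor -> one level lower.
    """
    if not (bulletin.affected_products & host.products):
        return Decision(bulletin.bulletin_id, "not affected", None, False, [])
    applied = [m for m in bulletin.mitigations if host.config.get(m.condition, False)]
    notes = [m.description for m in applied]
    if any(m.removes_exposure for m in applied):
        return Decision(bulletin.bulletin_id, "exposure removed", None, False, notes)
    effective = downgrade(bulletin.severity, len(applied))
    return Decision(bulletin.bulletin_id, "install", effective,
                    bulletin.reboot_required, notes)


def summarize(bulletins: List[Bulletin], hosts: List[Host]) -> Dict[str, List[Decision]]:
    """Per-host decisions, installs first, highest effective severity first."""
    report: Dict[str, List[Decision]] = {}
    for host in hosts:
        decisions = [triage(b, host) for b in bulletins]
        decisions.sort(key=lambda d: -SEVERITY_ORDER.index(d.effective_severity)
                       if d.effective_severity else 1)
        report[host.name] = decisions
    return report


def hosts_needing_reboot(report: Dict[str, List[Decision]]) -> List[str]:
    """Hosts where at least one bulletin to install requires a reboot."""
    return sorted(h for h, ds in report.items() if any(d.reboot_required for d in ds))


def render(report: Dict[str, List[Decision]]) -> str:
    """Plain-text summary in the shape of a Patch Tuesday client report."""
    lines = []
    for host, decisions in report.items():
        lines.append(f"== {host} ==")
        for d in decisions:
            sev = d.effective_severity or "-"
            reboot = "reboot" if d.reboot_required else "no reboot"
            notes = f"  [{'; '.join(d.applied_mitigations)}]" if d.applied_mitigations else ""
            lines.append(f"  {d.bulletin_id:<8} {d.status:<17} {sev:<10} {reboot}{notes}")
    return "\n".join(lines)


# Constructed sample data: placeholder bulletin IDs, products and config keys.
SAMPLE_BULLETINS = [
    Bulletin("EX-001", "Critical", {"WebServer"}, True, "remote code execution",
             ["httpd.dll"], [Mitigation("web_service_disabled", "service disabled", True)],
             ["Disable the service until patched"]),
    Bulletin("EX-002", "Critical", {"OS"}, True, "remote code execution",
             ["rpcrt.dll"], [Mitigation("firewall_blocks_inbound", "vector blocked at firewall")],
             ["Block the port at the perimeter"]),
    Bulletin("EX-003", "Important", {"MailClient"}, False, "information disclosure",
             ["mailview.dll"], [], ["Read mail as plain text"]),
]
SAMPLE_HOSTS = [
    Host("dmz-web-1", {"OS", "WebServer"}, {"firewall_blocks_inbound": False}),
    Host("lan-ws-1", {"OS", "WebServer", "MailClient"},
         {"firewall_blocks_inbound": True, "web_service_disabled": True}),
]

if __name__ == "__main__":
    print(render(summarize(SAMPLE_BULLETINS, SAMPLE_HOSTS)))
```

Two design points matter more than the code. First, a mitigating factor that merely raises the bar (a perimeter firewall) lowers the effective severity but never clears the bulletin; only a factor that makes the vulnerable code unreachable does that, and even then the bulletin stays in the report as "exposure removed" rather than disappearing, so it is re-evaluated when the service is turned back on. Second, the reboot flag is tracked per host rather than per bulletin, because that is what decides the maintenance window.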
After doing this month after month, I discovered some interesting facts. For example, I keep seeing the same mitigating factors and workarounds — patch after patch.
Even if the workarounds aren’t precisely the same, they follow the same best practices and are a great way to learn to think like a security expert. Another benefit of understanding the issues is that it’ll be easier to recognize one of these vulnerabilities being exploited if it happens to you.
Microsoft spends a lot of time now developing these articles and there’s a lot more information there to see. But a lot of people never read these useful tips because their whole patch-management process has become so automated.
Don’t let automation make you complacent
That’s the problem with many types of security — the more you automate it, the more you can forget about it. But the more you forget about it, the easier it is to pretend the problem isn’t there.