Patch Management Reality

Posted on 2014-04-15
Last Modified: 2014-05-07
I’m after a bit of information on what happens in the real world when it comes to patch management in larger companies.

I have no experience of other companies other than the one I currently work for. I’ve been looking into our patch management processes and have found that only Windows operating systems (generally Win 7 and Server 2008) are patched (on Patch Tuesday), meaning even MS Office is not patched. I understand it can be hard to keep track of all the different types of software on employees' PCs but I was really expecting more to be patched.

So in companies that don’t necessarily have a huge IT section, what is patched and what is left? My concern is that software like Adobe and QuickTime that have in the past had serious vulnerabilities are not being patched and could potentially cause a security incident of some sort in the future. I would like to go to management and say that we are not doing enough to protect our network but wasn’t sure if this is just the norm or just how much effort is required in patching operating systems, third party applications and other software.
Question by: jdc1944

Accepted Solution

Rich Rumble earned 500 total points
ID: 40002428
3rd party software, everywhere I've ever audited, is the worst. Getting better though, Java for instance, big security nightmare if it's not patched, now has an auto-updater by default. Adobe, even with the auto-updater somehow isn't patched... The OS, Microsoft in particular, is much better these days, but still missing patches all the time from company to company, my own included. There are always reasons/excuses, and some are legit, but most 3rd party software like Adobe, Java, Flash, Office don't need the excuses for the most part.
The worst part about companies is who they let be the local administrators of their machines, even though Windows 7 by default doesn't place users there like before, and extra care has been taken to make sure that users can do more things safely without the need for admin. Don't allow your users to be admins of their machines, it never ends well.
QuickTime... I haven't had to install that in a long time; if you do, then you probably have Macs, and we have virtually no Macs, and those we do have I don't know if our users even need QT.
I would say, by and large, what you see is the norm. While we might not have every patch applied as soon as they come out, we do get them applied soon thereafter, but that isn't the case with most others.

Author Comment

ID: 40003627
Thanks for that, it's useful to know.

In your experience how is testing conducted? I would have liked to have seen testing conducted outside of the production environment but was told we don't have any type of testing network. Instead, patches are applied to test or development servers and all users in the IT department. If no conflicts arise after a few weeks then it is rolled out to all live servers and the rest of the estate. This seems to be a fair way of doing it in the absence of any test network.

Also you mention Java auto updating. I know a few other pieces of software that also do this but does this not introduce a risk in itself by allowing updates to be applied without testing? Or is it the case that it is better to allow auto updates to be applied and then roll them back if issues do occur rather than leaving them unpatched with known vulnerabilities? I have often tried to update software myself but it would appear that this has been blocked as they always fail.

Expert Comment

by: Rich Rumble
ID: 40003660
That sounds like a lot of organizations as well, no dedicated QA/Testing environments, or no full ones for anything other than Prod. User patches often get rolled out without testing, but production typically sees a delay so that someone can attempt to test the patches. I think things used to break a lot more before 2010 when new patches came out of the OS and some 3rd parties, but their QA and testing seems to be getting better in most cases.
Java, if you depend on it for your applications, should undergo testing and scrutiny, but if your users only need it when surfing, auto-updating should be fine in most cases.
It's up to the individual orgs to weigh the security risks; for instance, a lot of folks, like Experts Exchange itself, were not running the latest OpenSSL at the time, and were not vulnerable to the Heartbleed exploit that has been making the past few weeks hell for IT all over. So in that case for some, not being fully up2date, or 2 years out of date actually, was a security "win" for them. Those cases are few and far between however.
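The thread describes two things a practitioner would want to measure rather than guess at: how much of the third-party estate (Office, Adobe, Java, QuickTime) is actually at a current version, and whether the "pilot ring first, production a few weeks later if nothing breaks" rollout the asker describes is being enforced. The script below is an added example written for this page, not code from the thread or from Experts Exchange. Every host name, version string and date in it is constructed, the baseline version numbers are hypothetical placeholders for whatever the vendor's current release is, and a real deployment would feed it an inventory exported from the patch or asset management tool instead of the inline list.

```python
"""Third-party patch coverage report plus a staged-rollout gate.

Added example with constructed data; version numbers are hypothetical.
"""
import re
from datetime import date, timedelta

# Constructed baseline: minimum acceptable version per product (hypothetical).
BASELINE = {
    "Windows": "6.1.7601.18409",
    "Office": "14.0.7116",
    "Adobe Reader": "11.0.06",
    "Java": "7u55",
    "QuickTime": "7.7.5",
}

# Constructed inventory. Ring "pilot" = IT department workstations and dev/test
# servers, ring "prod" = the rest of the estate. `patched_on` is the date the
# host last received updates.
INVENTORY = [
    {"host": "it-ws01", "ring": "pilot", "patched_on": date(2014, 4, 8),
     "installed": {"Windows": "6.1.7601.18409", "Office": "14.0.7116",
                   "Adobe Reader": "11.0.06", "Java": "7u55"}},
    {"host": "dev-srv01", "ring": "pilot", "patched_on": date(2014, 4, 9),
     "installed": {"Windows": "6.1.7601.18409", "Java": "7u55"}},
    {"host": "hr-ws07", "ring": "prod", "patched_on": date(2014, 4, 8),
     "installed": {"Windows": "6.1.7601.18409", "Office": "14.0.6129",
                   "Adobe Reader": "10.1.4", "Java": "7u25",
                   "QuickTime": "7.7.3"}},
    {"host": "fin-ws12", "ring": "prod", "patched_on": date(2014, 4, 8),
     "installed": {"Windows": "6.1.7601.18409", "Office": "14.0.6129",
                   "Adobe Reader": "11.0.06"}},
]


def version_key(v):
    """Turn '11.0.06', '7u55' or '6.1.7601.18409' into a comparable int tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_current(installed, required):
    return version_key(installed) >= version_key(required)


def missing_patches(inventory, baseline):
    """host -> [(software, installed, required)] for every product behind baseline."""
    gaps = {}
    for h in inventory:
        behind = [(sw, ver, baseline[sw]) for sw, ver in h["installed"].items()
                  if sw in baseline and not is_current(ver, baseline[sw])]
        if behind:
            gaps[h["host"]] = behind
    return gaps


def coverage(inventory, baseline):
    """software -> fraction of hosts that have it installed and at/above baseline.

    This is the number that exposes the 'only the OS gets patched' pattern:
    Windows sits at 1.0 while Office, Reader, Java and QuickTime lag.
    """
    result = {}
    for sw, req in baseline.items():
        hosts = [h for h in inventory if sw in h["installed"]]
        if not hosts:
            continue
        ok = sum(is_current(h["installed"][sw], req) for h in hosts)
        result[sw] = round(ok / len(hosts), 2)
    return result


def prod_rollout_ready(inventory, baseline, software, today, soak_days=14,
                       incidents=()):
    """Staged-rollout gate for one product.

    Production gets the update only when every pilot host running `software`
    is already at baseline, has been for at least `soak_days`, and no incident
    has been logged against that product during the soak. A product nobody in
    the pilot ring runs is never approved, so untested updates cannot slip
    through to prod by default.
    """
    if isinstance(today, str):          # accept ISO date strings as well
        today = date.fromisoformat(today)
    if software in incidents:
        return False
    pilots = [h for h in inventory
              if h["ring"] == "pilot" and software in h["installed"]]
    if not pilots:
        return False
    for h in pilots:
        if not is_current(h["installed"][software], baseline[software]):
            return False
        if today - h["patched_on"] < timedelta(days=soak_days):
            return False
    return True


if __name__ == "__main__":
    for host, behind in missing_patches(INVENTORY, BASELINE).items():
        for sw, have, need in behind:
            print(f"{host}: {sw} {have} < {need}")
    print("coverage:", coverage(INVENTORY, BASELINE))
    for sw in BASELINE:
        print(f"{sw}: prod rollout ready on 2014-04-30 ->",
              prod_rollout_ready(INVENTORY, BASELINE, sw, "2014-04-30"))
```

The version comparison deliberately reduces every string to its digit groups so that Microsoft's four-part build numbers, Adobe's zero-padded minors and Java's "7u55" style all compare the same way; if a vendor's scheme breaks that assumption, `version_key` is the one place to change. The soak gate is the codified form of the "wait a few weeks, then roll out" practice in the thread: the `incidents` parameter is where a help-desk ticket tied to a product would be fed in to hold the update back, which is the rollback-versus-leave-unpatched trade-off the asker raises, made explicit per product rather than decided ad hoc.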