Patch Management Reality

Posted on 2014-04-15
Last Modified: 2014-05-07

I’m after a bit of information on what happens in the real world when it comes to patch management in larger companies.

I have no experience of other companies other than the one I currently work for. I’ve been looking into our patch management processes and have found that only Windows operating systems (generally Win 7 and Server 2008) are patched (on Patch Tuesday), meaning even MS Office is not patched. I understand it can be hard to keep track of all the different types of software on employees’ PCs, but I was really expecting more to be patched.

So in companies that don’t necessarily have a huge IT section, what is patched and what is left? My concern is that software like Adobe and QuickTime, which have in the past had serious vulnerabilities, are not being patched and could potentially cause a security incident of some sort in the future. I would like to go to management and say that we are not doing enough to protect our network, but wasn’t sure if this is just the norm or just how much effort is required in patching operating systems, third-party applications and other software.
Question by:jdc1944
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 40002428
3rd party software, everywhere I've ever audited, is the worst. Getting better though; Java, for instance, a big security nightmare if it's not patched, now has an auto-updater by default. Adobe, even with the auto-updater, somehow isn't patched... The OS, Microsoft in particular, is much better these days, but still missing patches all the time from company to company, my own included. There are always reasons/excuses, and some are legit, but most 3rd party software like Adobe, Java, Flash, Office doesn't need the excuses for the most part.
The worst part about companies is who they let be the local administrators of their machines, even though Windows 7 by default doesn't place users there like before, and extra care has been taken to make sure that users can do more things safely without the need for admin. Don't allow your users to be admins of their machines; it never ends well.
QuickTime... I haven't had to install that in a long time; if you do, then you probably have Macs, and we have virtually no Macs, and those we do have, I don't know if our users even need QT.
I would say, by and large, what you see is the norm. While we might not have every patch applied as soon as they come out, we do get them applied soon thereafter, but that isn't the case with most others.

Author Comment

ID: 40003627
Thanks for that, it's useful to know.

In your experience, how is testing conducted? I would have liked to have seen testing conducted outside of the production environment, but was told we don't have any type of testing network. Instead, patches are applied to test or development servers and to all users in the IT department. If no conflicts arise after a few weeks, then it is rolled out to all live servers and the rest of the estate. This seems to be a fair way of doing it in the absence of any test network.

Also, you mention Java auto-updating. I know a few other pieces of software that also do this, but does this not introduce a risk in itself by allowing updates to be applied without testing? Or is it the case that it is better to allow auto-updates to be applied and then roll them back if issues do occur, rather than leaving them unpatched with known vulnerabilities? I have often tried to update software myself, but it would appear that this has been blocked, as they always fail.
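An added example, not part of this thread or anyone's posted code, showing the two checks the question and the comment above revolve around: a third-party patch-gap report (which installs sit below a minimum version baseline, per product and per host) and the staged-rollout gate described in the comment (pilot ring of test/dev servers and IT users first, production only after a soak period with no reported conflicts). The inventory rows, the baseline versions and the three-week soak period are constructed sample values, not real scan output or vendor minimums.

```python
"""Patch-gap report and staged-rollout gate (added example; sample data is constructed)."""
from datetime import date, timedelta

# Constructed baseline: product -> minimum acceptable version (hypothetical numbers,
# not real vendor advisories). Comes from whoever tracks third-party advisories.
BASELINE = {
    "Adobe Reader": "11.0.7",
    "Java": "7.0.55",
    "QuickTime": "7.7.5",
    "Microsoft Office": "14.0.7116.5000",
}

# Constructed inventory export: (hostname, ring, product, installed version).
# "pilot" = test/dev servers and IT staff PCs, "production" = everything else.
INVENTORY = [
    ("pc-it-01", "pilot", "Adobe Reader", "11.0.7"),
    ("pc-it-01", "pilot", "Java", "7.0.55"),
    ("pc-fin-12", "production", "Adobe Reader", "10.1.4"),
    ("pc-fin-12", "production", "Java", "6.0.45"),
    ("pc-fin-12", "production", "Microsoft Office", "14.0.7116.5000"),
    ("srv-dev-02", "pilot", "QuickTime", "7.7.4"),
    ("srv-app-07", "production", "Java", "7.0.55"),
]


def parse_version(text):
    """'11.0.7' -> (11, 0, 7) so versions compare numerically ("10" < "9" as strings)."""
    return tuple(int(part) for part in text.split("."))


def version_below(installed, minimum):
    """True when installed < minimum; shorter tuples are zero-padded before comparing."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def patch_gaps(inventory, baseline):
    """Rows whose installed version is below the baseline for that product.
    Products with no baseline entry are skipped rather than silently passed."""
    return [
        (host, ring, product, installed, baseline[product])
        for host, ring, product, installed in inventory
        if product in baseline and version_below(installed, baseline[product])
    ]


def gap_summary(inventory, baseline):
    """Out-of-date install count per product: the 'what is left unpatched' view."""
    counts = {}
    for _host, _ring, product, _installed, _minimum in patch_gaps(inventory, baseline):
        counts[product] = counts.get(product, 0) + 1
    return counts


# Staged rollout gate. A patch reaches the pilot ring first; production gets it only
# after the soak period elapses with no conflicts reported by the pilot users.
SOAK_PERIOD = timedelta(weeks=3)  # constructed value; the thread says "a few weeks"


def rollout_decision(pilot_date, today, conflicts_reported, soak=SOAK_PERIOD):
    """Return 'hold-conflict', 'soaking' or 'approve' for promotion to production."""
    if conflicts_reported:
        return "hold-conflict"  # roll back / investigate before touching production
    if today - pilot_date < soak:
        return "soaking"  # still inside the pilot window, keep watching
    return "approve"


if __name__ == "__main__":
    for host, ring, product, installed, minimum in patch_gaps(INVENTORY, BASELINE):
        print(f"{host:12} {ring:10} {product:18} {installed:>16} < {minimum}")
    print("per product:", gap_summary(INVENTORY, BASELINE))
    print("Java patch, piloted 2014-04-08, as of 2014-05-07:",
          rollout_decision(date(2014, 4, 8), date(2014, 5, 7), conflicts_reported=False))
```

The report answers the management question directly (how many production hosts run a product below baseline), and the gate makes the "few weeks on the pilot ring" rule explicit so it can be checked per patch rather than remembered.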
LVL 38

Expert Comment

by:Rich Rumble
ID: 40003660
That sounds like a lot of organizations as well: no dedicated QA/testing environments, or no full ones for anything other than Prod. User patches often get rolled out without testing, but production typically sees a delay so that someone can attempt to test the patches. I think things used to break a lot more before 2010 when new patches came out for the OS and some 3rd parties, but their QA and testing seem to be getting better in most cases.
Java, if you depend on it for your applications, should undergo testing and scrutiny, but if your users only need it when surfing, auto-updating should be fine in most cases.
It's up to the individual orgs to weigh the security risks. For instance, a lot of folks, like Experts Exchange itself, were not running the latest OpenSSL at the time, and were not vulnerable to the Heartbleed exploit that has been making the past few weeks hell for IT all over. So in that case, for some, not being fully up2date, or 2 years out of date actually, was a security "win" for them. Those cases are few and far between, however.
