Patch Management Reality

I’m after a bit of information on what happens in the real world when it comes to patch management in larger companies.

I have no experience of companies other than the one I currently work for. I’ve been looking into our patch management processes and have found that only Windows operating systems (generally Win 7 and Server 2008) are patched (on Patch Tuesday), meaning even MS Office is not patched. I understand it can be hard to keep track of all the different types of software on employees' PCs, but I was really expecting more to be patched.

So in companies that don’t necessarily have a huge IT section, what is patched and what is left? My concern is that software like Adobe and QuickTime, which have in the past had serious vulnerabilities, is not being patched and could potentially cause a security incident of some sort in the future. I would like to go to management and say that we are not doing enough to protect our network, but I wasn’t sure if this is just the norm, or just how much effort is required in patching operating systems, third-party applications and other software.
Rich Rumble (Security Samurai) commented:
3rd party software, everywhere I've ever audited, is the worst. Getting better though: Java, for instance, a big security nightmare if it's not patched, now has an auto-updater by default. Adobe, even with the auto-updater, somehow isn't patched... The OS, Microsoft in particular, is much better these days, but still missing patches all the time from company to company, my own included. There are always reasons/excuses, and some are legit, but most 3rd party software like Adobe, Java, Flash, Office don't need the excuses for the most part.
The worst part about companies is who they let be the local administrators of their machines, even though Windows 7 by default doesn't place users there like before, and extra care has been taken to make sure that users can do more things safely without the need for admin. Don't allow your users to be admins of their machines; it never ends well.
QuickTime... I haven't had to install that in a long time. If you do, then you probably have Macs, and we have virtually no Macs, and for those we do have I don't know if our users even need QT.
I would say, by and large, what you see is the norm. While we might not have every patch applied as soon as they come out, we do get them applied soon thereafter, but that isn't the case with most others.
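A practical way to check the two points raised above (which third-party products are actually installed and at what version, and who sits in the local Administrators group) is a quick host inventory. The script below is an added example written for this thread, not something posted by either participant; it uses only the registry Uninstall keys, Get-HotFix and the ADSI WinNT provider, all available on Windows 7 / Server 2008 R2 with PowerShell 2.0 or later. The product watch list is an assumption drawn from the names mentioned in the discussion.

```powershell
# Added example: per-host patch and privilege inventory (not from the original thread).
# Assumed watch list: products the thread names as commonly left unpatched.
$WatchList = 'Java', 'Adobe', 'Flash', 'QuickTime', 'Microsoft Office'

# 1. Installed software from both the 64-bit and the 32-bit (Wow6432Node) Uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# 2. Flag only the products on the watch list; these are the ones to compare against
#    the vendor's current release, since Patch Tuesday does not cover them.
$pattern = ($WatchList | ForEach-Object { [regex]::Escape($_) }) -join '|'
$thirdParty = $software | Where-Object { $_.DisplayName -match $pattern }

# 3. Most recent Windows update actually installed, i.e. what Patch Tuesday delivered.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# 4. Local Administrators membership via ADSI (works on PowerShell 2.0, before
#    Get-LocalGroupMember existed). Each member is a COM object; read its Name property.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# 5. Report. Anything beyond Administrator / Domain Admins in $admins is worth a question.
"Host: $env:COMPUTERNAME"
"Last Windows hotfix: $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn)"
"Local Administrators: $($admins -join ', ')"
"Watch-list products installed:"
$thirdParty | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

Run it under an account that can read HKLM and the local group (standard for an admin or a management-agent context). Collecting the output from a sample of hosts gives a concrete answer to "what is patched and what is left" to put in front of management, rather than an impression.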
jdc1944 (Author) commented:
Thanks for that, it's useful to know.

In your experience, how is testing conducted? I would have liked to have seen testing conducted outside of the production environment, but was told we don't have any type of testing network. Instead, patches are applied to test or development servers and to all users in the IT department. If no conflicts arise after a few weeks, then it is rolled out to all live servers and the rest of the estate. This seems to be a fair way of doing it in the absence of any test network.

Also, you mention Java auto-updating. I know a few other pieces of software that also do this, but does this not introduce a risk in itself by allowing updates to be applied without testing? Or is it the case that it is better to allow auto-updates to be applied and then roll them back if issues do occur, rather than leaving them unpatched with known vulnerabilities? I have often tried to update software myself, but it would appear that this has been blocked, as they always fail.
Rich Rumble (Security Samurai) commented:
That sounds like a lot of organizations as well: no dedicated QA/testing environments, or no full ones for anything other than Prod. User patches often get rolled out without testing, but production typically sees a delay so that someone can attempt to test the patches. I think things used to break a lot more before 2010 when new patches came out for the OS and some 3rd parties, but their QA and testing seems to be getting better in most cases.
Java, if you depend on it for your applications, should undergo testing and scrutiny, but if your users only need it when surfing, auto-updating should be fine in most cases.
It's up to the individual orgs to weigh the security risks. For instance, a lot of folks, like Experts Exchange itself, were not running the latest OpenSSL at the time, and were not vulnerable to the Heartbleed exploit that has been making the past few weeks hell for IT all over. So in that case, for some, not being fully up2date (or 2 years out of date, actually) was a security "win" for them. Those cases are few and far between, however.