Patch Management – Cover the whole 9 yards

I quite often have discussions about Patch Management with our customers. I think it is a very important discussion, as I see too many customers not patching at all.

However, even the shining examples often look at the Microsoft product suite “only”. You might remember that I blogged about my experience with this on my home PCs: 98% unpatched, and I am one of them :(

This transfers to the enterprise business as well. Our latest Security Intelligence Report has an interesting chart that shows the whole problem:


This chart shows the Microsoft share of industry-wide vulnerability disclosures. What I want to show you with it is that our share of vulnerabilities in 1H 2008 is below 3%. For you this means that if you are implementing a patch management strategy, you have to make sure that you cover the other 97% of vulnerabilities as well.

I am well aware that this does not show your risk distribution. Your risk profile will be distributed differently, based on how much of our technology you use and on the fact that criminals attack our platform more, because its wide distribution means there is more to gain. However, there is no question that you need to cover all the products you have in place.

The actual reason why I am writing this post is two articles I read today, which show perfectly what can happen if you omit the rest of your environment, including your hardware:

On our website there are several good resources with regard to patch management:

Conficker showed us again that a sound patch management process is the foundation of your defense/security/risk management strategy. So, if you have not yet deployed security updates, please go ahead and start. The earlier the better, and base it on the principles of patch management referenced above:

  1. Service packs should form the foundation of your patch management strategy
  2. Make Product Support Lifecycle a key element in your strategy
  3. Perform risk assessment using the Severity Rating System as a starting point
  4. Use mitigating factors to determine applicability and priority
  5. Only use workarounds in conjunction with deployment
  6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article
  7. Test updates before deployment
  8. Contact Microsoft Customer Support Services if you encounter problems in testing or deployment
  9. Use only methods and information recommended for detection and deployment
  10. The Security Bulletin is always authoritative
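To make the "cover the other 97%" point and principles 2, 3 and 4 concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) that takes a constructed, multi-vendor backlog of pending updates, reports how much of it is not Microsoft, and orders it by severity rating and mitigating factors while setting aside products that are past their support lifecycle. The severity ranking, vendor names and dates are assumptions for the sake of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed ordering modelled on a four-level severity rating system (Critical > Important > Moderate > Low).
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}


@dataclass
class PendingUpdate:
    product: str
    vendor: str
    severity: str                 # rating taken from the vendor's bulletin
    mitigated: bool               # True if a mitigating factor already applies (feature off, port filtered, ...)
    support_end: Optional[date]   # product lifecycle end; None means still supported


def vendor_share(updates: List[PendingUpdate]) -> Dict[str, float]:
    """Fraction of the pending backlog per vendor: shows how much is not Microsoft."""
    counts: Dict[str, int] = {}
    for u in updates:
        counts[u.vendor] = counts.get(u.vendor, 0) + 1
    return {v: c / len(updates) for v, c in counts.items()}


def prioritize(updates: List[PendingUpdate], today: date) -> Tuple[List[PendingUpdate], List[PendingUpdate]]:
    """Order the patchable backlog: highest severity first, un-mitigated before mitigated,
    then by product name for a stable order. Products past end of support get no patch
    at all (principle 2) and are returned separately so they can be upgraded or retired."""
    patchable, unsupported = [], []
    for u in updates:
        (unsupported if u.support_end and u.support_end < today else patchable).append(u)
    ranked = sorted(patchable, key=lambda u: (-SEVERITY_RANK[u.severity], u.mitigated, u.product))
    return ranked, unsupported


# Constructed sample backlog; vendors marked hypothetical are placeholders, not real products.
SAMPLE_BACKLOG = [
    PendingUpdate("Windows Server 2003", "Microsoft", "Critical", False, None),
    PendingUpdate("Office 2007", "Microsoft", "Important", True, None),
    PendingUpdate("Adobe Reader", "Adobe", "Critical", False, None),
    PendingUpdate("Java Runtime", "Sun", "Important", False, None),
    PendingUpdate("Firefox", "Mozilla", "Moderate", False, None),
    PendingUpdate("Router firmware", "ExampleNet (hypothetical)", "Important", False, date(2007, 12, 31)),
    PendingUpdate("Legacy DB server", "ExampleDB (hypothetical)", "Low", False, None),
    PendingUpdate("Compression tool", "ExampleZip (hypothetical)", "Moderate", True, None),
]

if __name__ == "__main__":
    shares = vendor_share(SAMPLE_BACKLOG)
    print(f"Non-Microsoft share of backlog: {1 - shares['Microsoft']:.0%}")
    ranked, unsupported = prioritize(SAMPLE_BACKLOG, date(2009, 2, 1))  # constructed assessment date
    for u in ranked:
        print(f"{u.severity:<10} mitigated={u.mitigated!s:<5} {u.product} ({u.vendor})")
    for u in unsupported:
        print(f"OUT OF SUPPORT: {u.product} (support ended {u.support_end})")
```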

Roger