Patches are a fact of life for system administrators. All systems require security updates to some extent, and managing security updates is a necessity. That does not mean that managing patches is a simple and pleasant experience. It is a process that must be grounded in a policy statement outlining your risk management objectives. After you have the policy and the process, you can start applying tools and techniques to the process. The techniques you use for managing security updates depend on your environment, but the fact remains that you must consider how to manage them.
We want to leave you with two parting thoughts. The first is that everything in this chapter is subject to your organization's information security policy. You cannot create a patch management strategy without having an information security policy to back it up. This is particularly important when it comes to protecting yourself after you have had to take the servers down for patching, or if something went wrong. Having an information security policy signed by the CEO to point to can be the difference between merely having extra work and having to start working on your résumé instead.
The second point is this: Consider the impact of patch management on your security. Will having all the security updates make you secure?
NOTE: Not installing security updates may significantly increase your chances of getting attacked successfully. Installing the security updates simply ensures that you are protected against that vulnerability. It is not a guarantee that you will not be attacked.
The latest versions of several common bot families, such as Agobot, SDBot, Rbot, and so on, are using 5 or 6 different remotely exploitable vulnerabilities and a list of 200 to 300 common passwords. In other words, not patching will almost guarantee that you will get attacked. But unless you also pay attention to all the other things that make up security management, you may still find your systems managed by someone else one day.
Security is an ongoing process. However, keeping up-to-date with security updates allows you to focus on the security issues that are not due to vulnerabilities in the products you use. Think of it this way: After you have the security updates installed, you can focus on the interesting and complex problems of managing the operational security of a network, at all the wonderful levels of complexity of security management. The rest of the book investigates this process.