Chapter 22. Security Patches and Hotfixes


IN THIS CHAPTER

  • The Composition of a Patch and the Notification Process

  • The Patch Testing and Risk Analysis Process

  • Resources for Security Patches and Vulnerabilities

  • Implementing WSUS with SBS

  • WSUS on OEM Systems

  • Troubleshooting Security Patch Issues

On September 9, 1945, the first software debugging event occurred. Then-Lieutenant Grace Hopper found a moth trapped inside a computer system being tested (http://www.history.navy.mil/photos/pers-us/uspers-h/g-hoppr.htm). From that point forward, debugging computer programs has been standard practice. These fixes have taken on new significance in the era of security patches. No longer are patches needed only to remove software bugs or defects to ensure the proper operation and stability of the software. These days, ensuring that your systems have all the latest updates can mean the difference between a protected and secure system and one that is insecure and possibly infected by viruses, slowed down by spyware, and, worst of all, under the subversive control of someone else. Ask a security professional in charge of a network, and she will say that a foundation of basics is needed to keep a system secure. A firewall, antivirus software and antispyware on the desktops, and software patching in place are the minimum requirements you need for proper security.

This chapter assumes that you have a server and workstations with assets that you need to protect. There is data of importance on those machines; the goal is to protect that data from threats. Today, the threats to those electronic assets range from the secretary who downloads the virus-laden email, to the "script kiddie" who unleashes a worm on the Internet, to groups using phishing attacks to trick your users into installing remote control software and keystroke loggers. Tomorrow those threats will be different. Software can never be 100% bug free. The favorite line of Michael Howard, Senior Security Program Manager, Secure Engineering Group, Microsoft Corporation, is "One person's feature is another's exploit." Most of the time in an SBS network, after patch management tools are in place, it's easier to deploy patches than to mitigate the exposure to the flaw. However, there might be times when you are unable to deploy a patch because a line-of-business application does not support it. In those cases, you can use specific resources to mitigate the exposure until you can patch.

Make no mistake, the best defensive posture you can take to ensure that you are protected from threats both internally and externally is not just patching systems. To be proactive, you should ensure that you have basic antivirus and antispyware software, firewalls on the inside and outside of your network, proper restrictions on user and workstation rights so that each user and computer system gets only the minimal amount of access to resources it needs, and, last but not least, a good dose of common sense on the part of you and your end users. Patching is merely one piece of the puzzle that you must have in place.

Today's threats are not just dependent on your patch status but rather are blended threats. The attackers are preying on a vulnerability in one piece of software on your system for which there is no fix, typically a web browser, combined with a third-party attack tool, typically a website, that is unpatched as well. The website, although a patch is available for its vulnerability, has not deployed the patch. Thus the website's delay in patching and the lack of an available patch for your own software work together. As a result, there will be times when patching isn't enough. Defense in depth will be your key.

This chapter includes a variety of patch management tools, processes, and procedures, but keep in mind that after you set these up in your network, the greatest amount of your time will not be spent ensuring that your clients' computers are up to date, but that systems maintain a level of usability after the patches are applied.




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
EAN: 2147483647
Year: 2005
Pages: 253
