Cyber Eye: Patch management is a full-time job
- By William Jackson
- Mar 05, 2003
It didn't have to happen. There has been a patch available since last summer for Sapphire, the worm that spread rapidly in January by exploiting a Microsoft SQL Server vulnerability.
This must be the umpteenth time that careless software patching habits caused grief for network administrators around the globe.
Agencies are about to get some help from the Federal Computer Incident Response Center's Patch Authentication and Distribution Capability, a free service launched before FedCIRC's transition from the General Services Administration to the Homeland Security Department.
PADC tests new patches and hosts them on secure servers for its customer agencies to download. Those that sign up must profile their systems in detail before they can be notified of specific patches and other fixes.
Helpful as notification is, it does only half the job of patch management'the last half. The first half is thoroughly exploring and documenting systems in advance.
PADC is a passive service. It does not scan or do any discovery about an agency's system. It does not install or update software, and it cannot document those actions. It relies on the agency-supplied profiles to warn of new vulnerabilities and patches. For PADC to be effective administrators must keep their system profiles and patch records accurate.
This is a time-consuming task on large networks that constantly change because of authorized and unauthorized installation of hardware and software.
Even the most diligent administrator can be surprised by undocumented legacy segments on a network. That's one of the things that makes patch management so challenging in the first place.
Those in charge of networks know tools are available. What too often keeps them from using the tools is lack of time, funding and staff. Unfortunately, upgrades and expansions and other responsibilities take precedence on the to-do list.
In the end a boss somewhere determines whether an administrator will have enough resources to manage the assets.
Ironically, Sapphire hit even Microsoft Corp. Not all of its SQL Server databases had been patched. Odds are, the company's sysadmins weren't ignorant of the patch's existence, just unaware of all the SQL Server copies running on their networks.
William Jackson is freelance writer and the author of the CyberEye blog.