Small Business Defense – Patch Management
There are three ways to approach this problem. The most common method is to ignore it, and apply patches as time permits. The logic here is that since applying patches can often require a maintenance window, it’s hard to balance the business’s needs against the risk of an attack by an unknown party. Since an increasing number of attacks are subtle, it’s quite easy to convince yourself that it’s not a big deal, and inadvertently accept more risk than you’d like. I don’t really recommend this method.
The second method is to fully embrace the situation and fork out the cash for a full patch management system. These solutions aren’t cheap, but they do allow you to view your entire environment from a single console. This way, you basically outsource the tedious job of keeping on top of everything and use the tool to make sure that all machines on the network are kept fully updated. Now, this solution doesn’t eliminate the need to schedule downtime to get the patches applied, but it does simplify matters significantly… at least when you are only running software that is monitored by the tool.
The third method is something of a middle solution. In situations where you either lack the budget for a patch management solution or are still investigating the varied options, you can simplify the process by doing a quick audit of each of your systems and uninstalling anything that isn’t needed. The key here is system classification:
- Development systems should not directly face the Internet.
- Production systems should not have development software on them.
- Production servers should not have workstation software on them (Office, Adobe Reader/Flash, web browsers).
By eliminating all unnecessary software, you can massively reduce your attack surface. Simply put, if software isn’t there, it cannot be exploited. Now, this doesn’t eliminate the necessity to keep the software that is there up to date, but in the process of removing what’s not needed, you can get a good idea as to what is there and monitor the patch releases for those few projects. It’s not pleasant, but it is doable.
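The audit described above, as an added example that is not part of the original post: each system gets a role, the three classification rules are applied to its installed-software list, and whatever survives the audit becomes the short list of software whose patch releases still need watching. The role names, the name fragments used to recognise software classes, and the inventory are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Name fragments used to recognise software classes (assumed, illustrative only).
CATEGORIES = {
    "development": ("visual studio", "git", "python", "node.js", "jdk", "docker"),
    "workstation": ("microsoft office", "adobe reader", "adobe flash",
                    "google chrome", "firefox", "microsoft edge"),
}

@dataclass
class System:
    name: str
    role: str                 # "development", "production-server" or "production-workstation"
    internet_facing: bool
    installed: list = field(default_factory=list)

def classify(package: str) -> set:
    """Return the set of categories a package name falls into."""
    name = package.lower()
    return {cat for cat, frags in CATEGORIES.items() if any(f in name for f in frags)}

def audit(system: System) -> list:
    """Apply the three classification rules; return (package, reason) findings."""
    findings = []
    if system.role == "development" and system.internet_facing:
        findings.append((None, "development system is directly Internet-facing"))
    for pkg in system.installed:
        cats = classify(pkg)
        if system.role.startswith("production") and "development" in cats:
            findings.append((pkg, "development software on a production system"))
        if system.role == "production-server" and "workstation" in cats:
            findings.append((pkg, "workstation software on a production server"))
    return findings

def patch_watchlist(system: System) -> list:
    """Packages that survive the audit: the set whose patch releases still need tracking."""
    flagged = {pkg for pkg, _ in audit(system) if pkg is not None}
    return [pkg for pkg in system.installed if pkg not in flagged]

# Constructed inventory for demonstration; not real hosts.
INVENTORY = [
    System("web01", "production-server", True,
           ["IIS 10", "Microsoft Office 2016", "Adobe Reader DC", "Git 2.39"]),
    System("dev03", "development", True, ["Visual Studio 2022", "Git 2.39", "Google Chrome"]),
    System("fin02", "production-workstation", False, ["Microsoft Office 2016", "Google Chrome"]),
]

if __name__ == "__main__":
    for s in INVENTORY:
        for pkg, reason in audit(s):
            print(f"{s.name}: {reason}" + (f" ({pkg})" if pkg else ""))
        print(f"{s.name}: still to patch -> {patch_watchlist(s)}")
```

Feeding it a real inventory (for example the output of the OS package manager or the Windows installed-programs list) turns the audit into a repeatable check rather than a one-off walk through each machine.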