To have great security, you need to assemble an elite group of security experts — what we call a patch patrol — to locate, test, and install software patches in any system that may have a weakness. Don’t treat this as drudge work and assign your least capable programmers to the task. They will not be able to do the job. Fund this team adequately and give them the tools they need to succeed.
Now set your patch patrol in motion. They should begin by checking the vast array of independent and vendor-supported security Web sites, newsgroups, and mailing lists that have sprung up in recent years. Continuous monitoring of these sites will not only help educate your team and improve their skills, it will also provide an early warning of new and dangerous hacker exploits. Monitoring vendor Web sites is important because most vendors are not anxious to publicize their newest security patches since this reflects poorly on their products. You must be proactive in seeking such information.
Next, your patch patrol should conduct a top-to-bottom audit of your networked IT assets — software applications, operating systems, computer systems, routers, modems, the whole bit. With this inventory in hand it’s a fairly easy process to contact each vendor and secure the patches, service packs, and hot fixes that have been issued for each system. Pay particular attention to version control. Different versions of the same software may have different vulnerabilities — requiring different patches.
Your next step involves risk management and triage. Most companies have so many security holes they have no hope of patching them all in a timely manner. Your patch patrol should not waste precious time securing low-value targets. Focus on your mission-critical systems first. In the case of legacy systems, consider retiring those that are no longer supported by your vendor. They make inviting targets.
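As an added illustration of the inventory, version-control and triage steps above (example code written for this page, not something the article or any vendor supplies), the following script matches an asset inventory against vendor advisories by version, flags unsupported legacy systems for retirement, and orders the work so mission-critical systems come first. All hosts, products, versions, advisory ids and patch names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: every name, version and id below is a placeholder.
@dataclass
class Asset:
    host: str
    product: str
    version: tuple          # e.g. (3, 2, 1); tuples compare element-wise
    mission_critical: bool
    vendor_supported: bool  # False = legacy system no longer supported

@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_in: tuple         # versions strictly below this are affected
    patch: str              # the version-specific patch, service pack or hot fix

INVENTORY = [
    Asset("db-01", "ExampleDB", (3, 2, 1), True, True),
    Asset("web-02", "ExampleHTTPD", (1, 9, 0), True, True),
    Asset("kiosk-07", "ExampleHTTPD", (2, 4, 0), False, True),
    Asset("legacy-03", "OldAppServer", (0, 9, 0), False, False),
]

ADVISORIES = [
    Advisory("ADV-001", "ExampleDB", (3, 3, 0), "exampledb-3.3.0-hotfix"),
    Advisory("ADV-002", "ExampleHTTPD", (2, 0, 0), "httpd-2.0.0-servicepack"),
    Advisory("ADV-003", "OldAppServer", (1, 0, 0), "none (product unsupported)"),
]

def patch_worklist(inventory, advisories):
    """Return one work item per exposed asset, mission-critical systems first,
    then by number of applicable advisories. Same product, different version
    may need a different patch, so matching is done per advisory version range."""
    work = []
    for asset in inventory:
        applicable = [adv for adv in advisories
                      if adv.product == asset.product and asset.version < adv.fixed_in]
        if not applicable:
            continue                      # already at or above the fixed version
        action = "patch" if asset.vendor_supported else "retire"
        work.append({
            "host": asset.host,
            "action": action,
            "critical": asset.mission_critical,
            "advisories": [adv.advisory_id for adv in applicable],
            "patches": [adv.patch for adv in applicable] if action == "patch" else [],
        })
    # False sorts before True, so "not critical" puts critical systems first.
    work.sort(key=lambda w: (not w["critical"], -len(w["advisories"]), w["host"]))
    return work
```

Running `patch_worklist(INVENTORY, ADVISORIES)` leaves out kiosk-07 (its version is already above the fixed release) and lists the unsupported legacy host as a retirement candidate rather than a patch target.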
Okay, now you’re ready to install those patches. But wait. You may violate maintenance agreements with some vendors if you install untested patches. It’s time to bring in the lawyers. They can negotiate an addendum that allows you to secure your network. However, this may require you to establish a test facility to vet some hot fixes and patches. Vendors test their service packs, but there’s no time for them to test a hot fix they developed over the weekend to plug a newly exploited security hole. You need to have this capability in-house.
Once you’ve tested the patches you can go ahead and install them. A veteran patch patrol will know to adjust default settings, make file permission changes, and do all the little things that determine whether a patch functions correctly or not. Unfortunately, many companies earn a failing grade when it comes to installation. Hackers probe for such process breakdowns and invariably find them.
Finally, put pressure on your suppliers to develop more secure software and more timely hot fixes. Tell them this is part of your purchasing criteria. Many vendors still view software security as a cost center and don’t invest the time or money needed to build bulletproof products. The more often you raise this issue, the more likely they are to respond, and the more quickly your software security will improve.