written by Chris Griesemer

Although a lot of the subject matter in this article is geared towards banks and the countless policies they are required to have, the general concept behind patch management is something every business should look into.

As I have mentioned before, I perform Information Technology exams on banks to make sure they have proper controls in place to mitigate high risk areas. Patch management is the process a company uses to make sure all software is updated. Patch management is one area I get more questions on because of the difficulty businesses have keeping their software updated.

Most of the time, businesses have Microsoft applications patched well because of the automatic update feature built into most of Microsoft’s products. The problem businesses have is keeping those third party applications updated, specifically Adobe and Java.

We use a vulnerability scanning tool created by Rapid 7 called Nexpose. The software has a unique reporting feature. It doesn’t categorize a patch upgrade as fixing one vulnerability. Instead, it explains all of the vulnerabilities that are fixed by installing the patch. For example, in April I ran a scan that reported upgrading Adobe Reader 9.4.4 to the latest version would fix 68 vulnerabilities.

The problem that most companies run into is not having the ability to make sure users are upgraded or patching their software when the little bubble shows up. And why should they? Users get bombarded with all the things they are not supposed to do. “Don’t install tool bars”, “Don’t click on pop windows”, “don’t open emails you don’t recognize”, the list goes on. Then, we expect them to upgrade Adobe and Java.

The best way to keep computers upgrade to the latest software is by using a patch management application that also patches third party software. The two applications I am aware of are Shavlik (www.shavlik.com)and GFI’s LanGuard (www.gfi.com). I have never used Shavlik but know of clients that use it and are very happy with it. I have used LanGuard before. It also has a nice feature that allows you to specify software you do not want installed on computers. If this feature is active and a user installs a restricted software, LanGuard automatically uninstalls it.

Although utilizing one of these applications is an improvement, I still recommend having an internal vulnerability scan run once a year. Please contact me for more information.

By Chris Griesemer, IT Security Specialist