IT Security: To Patch or Not to Patch?
Automated software updates may ultimately create security issues for organizations. Who knows what updates are being pushed to user desktops and how they are actually installed?
In recent years, the popularity of fast internet connections that are virtually always on has enabled software vendors to embed automated update mechanisms into many desktop programs. Though some users may find these updates cumbersome, most have come to accept the daily routine of updating their antivirus software and periodically installing critical Windows updates.
However, the generalization of automated software updates may ultimately create security issues for organizations. Who knows what updates are being pushed to user desktops and how they are actually installed? Who is responsible for preventing the installation of malware disguised as security tools?
Although the practice of frequent client software updates and patching is generally accepted, particularly when these updates are security related, organizations and IT administrators are often reluctant to deploy patches on production servers, regardless of how frequently vendors release them.
In this article, we explore how the psychology and work environments of IT administrators can play a significant role in preventing the timely deployment of security updates to production servers. We also examine why users and organizations so rarely apply security patches onto servers and systems in a timely fashion. Finally, we provide recommendations to help IT staff deal with the challenges associated with patching production servers.
Administrators generally cite extremely tight maintenance windows as the main reason why security patches are not consistently applied onto production servers. In other words, administrators believe that their service level agreements (internal or external) do not allow enough time to bring down systems and apply the necessary updates and security patches.
However, even when vendors do provide a predictable patching schedule, many organizations still do not apply these patches in a timely fashion. Perhaps the reluctance to apply patches or introduce changes in a production environment is attributable to more than just tight maintenance windows?
The resistance of organizations and IT administrators to applying patches may have less to do with maintenance windows and more to do with the cost and resources required to adequately test changes and prevent unforeseen outages. Production environments generally perform in a highly predictable fashion, and organizations and administrators are under pressure to ensure that these systems continue to do so.
In a recent survey conducted jointly by the Independent Oracle Users Group (IOUG) and Oracle, respondents cited more time (wider maintenance windows) as the least compelling reason that would cause them to apply security updates more quickly or consistently. According to the survey results, stronger motivators for applying security patches included better tools and documentation for testing and deployment, an executive mandate within the organization, the occurrence of a massive malware outbreak, or a failed security audit. It is important to note that these responses were solicited from those responsible for the testing, deployment, or approval of security updates in their organizations' production systems.
The survey provided ample opportunities for participants to include comments. One common piece of feedback was that organizational policies for security patching are typically limited to the desktop environment. Respondents felt that the security flaws addressed by patches for production servers are generally mitigated by security measures external to the affected systems.
The most telling aspect of this survey was that respondents often expressed anxiety or even fear about altering production systems. These business-critical systems must operate in a predictable fashion, and are considered too complex to tinker with. The combination of these factors fosters a situation in which organizations are not likely to apply security patches. This creates a paradox: The importance of the systems and the expectation of their near-always availability are obstacles to properly maintaining and securing business-critical systems.
Organizations must find a way to stay reasonably current with security patches while meeting their service level agreements. The following recommendations can help organizations more efficiently tackle security patching.