
In a fix over patches

Special to Globe and Mail Update

At the Calgary Public Library, the patching never ends. No, employees aren't repairing torn pages and dust jackets. Patching is the name for the job of installing small but critical updates to software on the library's computers. Many of those updates plug security holes in the Windows operating system and other software. "It is a piece of work that our staff is continually working on," says Scott Stanley, the library's manager of information technology.

Most IT managers would agree. Patches can be the key to protecting computer systems against worms and viruses, so failing to apply them promptly could lead to disaster. Yet too much haste can also bring trouble, and the sheer number of patches sometimes makes the task onerous. "I don't think it's getting any easier and I think, in many respects, it's just getting more important," says Darin Stahl, research lead at Info-Tech Research Group Inc., in London, Ont.

All software developers release patches and updates for their products, but discussions about patching almost invariably involve Microsoft Corp. because of the large number of home and business computers running its operating systems and software. Hackers and virus writers often take aim at Microsoft because they know that if they can find and exploit a weakness, they'll have a good chance of affecting a large number of computers or networks.

Major outbreaks of computer viruses and worms in recent years — such as the Nimda and Sobig worms — have taught corporate IT managers the importance of applying Microsoft patches, Stahl says. "We don't really see those big outbreaks any more," he says. One reason is more conscientious patching by IT staffs, he says.

About two-thirds of organizations manage software patches fairly well, says Christine Ewing, market segment manager for security and compliance at Altiris Inc., a Lindon, Utah-based maker of software that helps manage the patching process. But those who don't are leaving themselves open to such risks as productivity loss, network downtime, big IT cleanup bills and damaged reputations with customers and partners if systems go down or security is breached.

Though failing to patch known security problems can be dangerous, IT managers can err in the other direction, too. When companies first saw the importance of patching, Stahl says, "as soon as the vendor delivered security patches, IT would apply them as fast as they could to everything they had." But most companies' computing setups are complex and patches can cause conflicts. An update designed to fix one particular program, for example, might cause problems for other programs or systems that interact with it. So today, Stanley and many other technology managers test patches on one machine before distributing them widely.

The problem now is that the number of patches, coupled with the need to make sure they will not cause problems, makes it nearly impossible to keep up. "There are at least 130 new vulnerabilities a month," says Michael Murray, director of vulnerability research at San Francisco-based nCircle Network Security Inc., which helps customers manage patches.

This kind of pressure is driving companies to try to ease the load for customers. Microsoft, for example, delivers patches in monthly batches on the second Tuesday of each month — a day that has come to be known as "patch Tuesday" in technology circles. The company also ranks patches by importance — critical, important, moderate or low. "What customers were telling us before was that the random nature of just releasing updates caused a lot of disruption in their business," says Derick Wong, senior security product manager at Microsoft Canada Co. in Mississauga, Ont.

Microsoft also provides tools to help manage patching, including Systems Management Server (SMS) for larger companies and Automatic Update, a service aimed mainly at consumers and small businesses that downloads and installs patches automatically (it can be set to ask the computer user before installing the patch).

Stanley says SMS helps the Calgary library manage updates to Microsoft software. The library also keeps its patching load down by running some of its software on central servers and using software from Citrix Systems Inc. that turns PCs into terminals. With the software located centrally, Stanley explains, there are fewer machines to patch.

Several companies offer separate tools to help with patching. For instance, nCircle guarantees that within 24 hours of Microsoft advising customers of a security vulnerability, it will issue software "signatures" to help customers find every machine that contains the problem. nCircle offers similar services for other major software vendors' products but without the 24-hour guarantee, Murray says.

Altiris provides a suite of computer management tools that includes the ability to download, distribute and track software patches for multiple suppliers' software. Zenworks, from Novell Inc. of Provo, Utah, goes a step further. It has a comprehensive set of management tools that incorporates patch management. Ross Chevalier, chief technology officer at Novell Canada Inc. in Toronto, says Novell gathers patches from multiple vendors and tests them to make sure they don't interfere with each other. Zenworks also helps Novell customers maintain standard PC configurations, which simplifies the patching process.

While such tools help, patching will always require some time and effort. It's worth it, though. "Patch management is a lot like taking out insurance," Stahl says. "It's kind of costly and there's no immediate benefit, but when bad things start to happen, boy, oh boy, are you glad you made that investment."
