Recipe to get hacked: Keep doing what you’ve always done
Been hacked? Well, there is always the insanity defense! IT professionals, both in-house and outsourced, have a validated reason for being averse to patching operating systems. Executives have a valid reason to be averse to upgrading operating systems from, for example, Windows XP to Windows 7. Unless you resolve those issues, or at least establish compensating controls, you are more vulnerable to attack. But doing what you’ve always done and expecting a different result (aside from being the definition of insanity) is the short route to being hacked. Here is the solution:
It is important that you make sure every user’s computer has all “high priority” and “critical” patches and updates tested and applied within hours of their release.
Internal IT professionals do not want to rush into patches because “they’ve been burned” in the past by a patch that “broke” some process’s functionality on the network, usually one of the most important processes the organization relies upon. Outsourced IT professionals are even more reluctant because, if all of their customers go down at the same time after a patch, the outsourced company will be overwhelmed trying to get every customer up and running again.
The successful patch management approaches I have seen during audits are listed below by size of network. The “number of computers on the network” figures are approximate and vary with each organization’s needs:
Fewer than 10 users: keep good backups and set the computers to run automatic updates. After the second Tuesday of every month (Microsoft’s regular patch release day), check each computer to be sure it is up to date simply by choosing the “check for updates” option.
Between 10 and 100 users: use a centrally managed patch solution such as Microsoft’s free WSUS or one of the commercial tools that tend to work better than WSUS. Alternatively, consider using an outsourced IT company to provide “managed services” that include patching and monitoring your computers. Be aware that, during audits, I often discover and record proof that some managed service providers are unaware that their patching service is failing to keep their customers up to date, so verify patch status on the machines themselves rather than trusting the provider’s report.
100 or more computers: implement a working change management process. Schedule the change management work as the top priority, akin to “dial 911” priority, right after the second Tuesday of every month. Document your change management procedures, requirements, and approval process. For even larger entities, establish and enforce policies and procedures to document all modifications, including fixes, to the applications, hardware, network configuration, and everything else. Include the date, location, person making the changes, the quality assessment process, testing, effects on productivity and security, and follow-up to ensure maintained integrity.
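The “check each computer” step for small shops and the “verify the provider is really patching” check for managed customers are the same question asked of the host itself. The PowerShell script below is an added example, not code from the original post or from any vendor’s patch product: it asks the Windows Update Agent (the engine behind “check for updates”) for every pending update, separates the Critical and Important ones, and pulls the date of the last successful install from the agent’s own history. The host names in the fleet section are placeholders; the host must be able to reach its update source (WSUS or Microsoft Update), and the remote run assumes WinRM is enabled.

```powershell
# Added example, not from the original post: audit a Windows host for pending
# Critical/Important updates through the Windows Update Agent COM API and
# report the last successful install. Run from an elevated PowerShell session.
# Host names in $Computers are placeholders.

function Get-LastPatchTuesday {
    # Most recent second Tuesday of a month on or before $AsOf.
    param([datetime]$AsOf = (Get-Date))
    $first  = (Get-Date -Year $AsOf.Year -Month $AsOf.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $second = $first.AddDays($offset + 7)
    if ($second -gt $AsOf.Date) {
        # This month's Patch Tuesday has not arrived yet; use last month's.
        return Get-LastPatchTuesday -AsOf $first.AddDays(-1)
    }
    return $second
}

function Get-PendingUpdateReport {
    param([string[]]$Severity = @('Critical', 'Important'))

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Same criteria the Windows Update UI uses: not installed, not hidden by an admin.
    $result  = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $pending = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Released = $u.LastDeploymentChangeTime
        }
    }

    # Last successful install from the agent's own history. A provider dashboard
    # saying "patched" is a claim; the host's history is the evidence.
    $lastSuccess = $null
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $lastSuccess = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |   # 2 = orcSucceeded
            Sort-Object Date -Descending |
            Select-Object -First 1 -ExpandProperty Date
    }

    $rated = @($pending | Where-Object { $Severity -contains $_.Severity })
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        LastSuccessfulInstall = $lastSuccess
        PendingRatedCount     = $rated.Count
        PendingRated          = $rated
        PendingOtherCount     = @($pending).Count - $rated.Count
        Overdue               = ($rated.Count -gt 0)   # rated updates still waiting
    }
}

# Local check (the "fewer than 10 users" case: run it on each machine).
Get-PendingUpdateReport |
    Format-List Computer, LastSuccessfulInstall, PendingRatedCount, PendingOtherCount, Overdue

# Fleet check over WinRM (placeholder host names). Flags hosts with rated updates
# waiting, no install history at all, or no successful install in the last cycle.
$Computers    = 'ws01', 'ws02', 'srv-file01'
$patchTuesday = Get-LastPatchTuesday
Invoke-Command -ComputerName $Computers -ScriptBlock ${function:Get-PendingUpdateReport} |
    Where-Object {
        $_.Overdue -or
        -not $_.LastSuccessfulInstall -or
        $_.LastSuccessfulInstall -lt $patchTuesday.AddDays(-30)
    } |
    Select-Object Computer, LastSuccessfulInstall, PendingRatedCount,
        @{ n = 'RatedKBs'; e = { $_.PendingRated.KB -join ';' } } |
    Format-Table -AutoSize
```

The search call talks to the update source and can take a minute per host, so run the fleet check after the second Tuesday rather than on a tight loop. A host that shows rated updates pending, or whose last successful install predates the previous cycle, is the case the audits keep turning up: the agent or the provider’s tooling is stalled and nobody noticed. Only the host’s own answer counts; do not replace this check with a screenshot of the provider’s portal.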
If you elect not to apply certain patches right away, then establish another control to mitigate or eliminate the risk, and record both the decision and the compensating control so the exception does not quietly become permanent.
Please post your comments on this blog.