
tnl.net

Patching

Internet.com reports on the logic behind unpatched systems. Much of it comes down to the fact that system administrators are deluged with new patches and are fed up with high-level alerts on inessential patches. However, when a system crashes, the blame falls squarely on the shoulders of the system administrator. In order to resolve this, two things need to happen:

First of all, there needs to be a better overall understanding of the danger that security vulnerabilities represent. When it comes down to it, ensuring that systems are secure is not just the system administrator's responsibility. If software developers are careful in their implementations and consider the security implications of the choices they make when designing and developing software, the risk of an exploit is lowered.

Secondly, there is a need for better education in general. Most users neither know nor care about vulnerabilities. By default, most machines are not even set to auto-update. There are a number of ways this can be solved. Operating system vendors like Apple, Microsoft, and Red Hat already offer an automated way to apply patches to a machine. These tools should be turned on by default to ensure that “most” machines get patched properly. Following that, companies like Microsoft should be very careful when presenting the criticality of a patch and should review their processes to ensure that criticality is assessed properly.

These two steps will go a long way towards solving most of the problems. However, they will not go the whole distance. This is why I believe it is important for system administrators to establish a patch day, a single day every week when their sole focus is on ensuring that systems in their company are secure. Not only is it good practice to check your systems’ vulnerability often, but in these days of increased criminal activity in the online space, it is something that could save a lot of money in lost time due to viruses and hacks. Some people will probably say that to devote a full weekday (or 20 percent of one’s time) to security is ridiculous, but if you account for the lost time and productivity, it may be more worthwhile to put the time into preventative care than into disaster recovery.

Originally published on March 31, 2003 in Technology.