In the wake of Patch Tuesday each month, when Microsoft® releases its regular security updates, there is no shortage of blog posts about the latest fixes. Unfortunately, many of those posts are little more than a list of MS and KB numbers and a regurgitation of the security bulletin titles taken from Microsoft’s website. As for patches from other vendors, coverage is often hit-or-miss.
A web search for “security updates” indicates that there is plenty of information out there, but the number of hits can only measure quantity, not quality. Meanwhile, many IT pros have told me they feel as if they’re operating in the dark when it comes to keeping the systems on their networks up to date. They simply take it on faith that Auto Update, WSUS (Windows Server Update Services), and/or their third-party patch management solution will keep them safe.
Software developers today work hard to build security into their code from the beginning, but modern programs are complex. “Black hat” hackers and attackers are always one step ahead, diligently searching for hidden vulnerabilities. No matter how hard developers try, there are bound to be security flaws that can potentially be exploited. Thus patching – the application of security updates issued by vendors of operating systems and applications – is a big part of every IT admin’s and IT security professional’s life.
Without a way of automating the process, just keeping up with all the patches issued by various vendors can threaten to become a full-time job. Small and mid-sized business and enterprise networks typically run numerous applications and services on top of server and client operating systems, as well as the operating systems that power routers, switches and other network equipment. Vulnerabilities can be lurking in any of this software. Security researchers work diligently to uncover the flaws so they can be fixed before the bad guys develop exploits and release them into the wild.
For IT pros and end users, it’s a race to get patches installed before systems are compromised, but in the business environment, it’s also a delicate balancing act. Installing patches too quickly can result in unintended negative impact on the systems they’re intended to fix – as with some Microsoft updates released on August’s Patch Tuesday, one of which corrupted Exchange’s database and another of which caused Active Directory Federation Services to stop working.
It helps to have a good patch management solution. But even then, you need as much information as possible before you apply patches to your production systems. Downtime results in lost productivity and, ultimately, costs the company money. Even if there are no “bad” patches in a particular batch, it’s useful to know the nature of the vulnerabilities that are being addressed and some of the details about the changes that are made to the software by the updates. Sure, you can find that out by slogging through Microsoft’s security bulletins (or the equivalent from other applicable vendors), but they aren’t always written in the most user-friendly language. That’s where this blog comes in.
My goal is to create a centralized place in cyberspace where IT pros can come to find the latest info on recently released security fixes, in plain, easy-to-understand language. We’ll provide enough information to help you make intelligent decisions without inundating you with repetitious or overly technical data that you don’t really need. We’ll follow up if subsequent installation and testing reveal that patches are causing problems. And unlike some blogs, we won’t focus exclusively on Microsoft patches; we’ll also cover important updates from other vendors.
I also want to solicit input from readers regarding the format and content of this blog – I want it to be your number one resource when it comes to staying on top of security updates. Patching might not be as glamorous as some other aspects of IT security, but it’s the foundation on which a multi-layered security strategy is built.