The critical elements of the patch management process

Introduction "After the flames from the slammer's attack were doused and the technology industry caught up on its lost sleep, we started asking questions. Why did this happen? Could we have prevented it? What can we do to keep such a thing from happening again?" These are some of the questions that the security industry asks after every major security incident. Today most security incidents are caused by flaws in software, called vulnerabilities. It is estimated that there are as many as 20 flaws per thousand lines of software code. Computer Emergency Response Team/Coordination Center (CERT/CC) statistics reveal that the number of vulnerabilities reported has increased dramatically over the years, from only 171 in 1995 to 8064 in 2006. Along with vulnerabilities, the sophistication of attack tools has also advanced over time. Using the interconnected nature of the Internet and automated attack tools, attackers exploit software vulnerabilities at an alarming rate to cause serious damage to organizations. Although the ultimate solution to fix software vulnerabilities is application of patches, until a few years ago the term "patch management" was not in the general vocabulary of even the most advanced information technology staff. Today, "patch management" is not only in the common vernacular of most IT staff, but it is also one of the most essential responsibilities of IT departments. Security threats stemming from the exploitation of vulnerabilities pose serious risks to corporations, including unauthorized access to systems, corruption or modification of data, and unavailability of system resources to authorized users. Systematically applying patches to vulnerable systems through effective patch management can effectively reduce the number of security lapses. It is estimated that 95% of security breaches could be prevented by keeping systems up-to-date with necessary patches. Though recognized as important for security, many organizations do not have a clear understanding of the elements of patch management and how these elements impact the success of the patch management process.