Patch management fact v fiction: Do you know the difference?

Marc Thaler

How well can you separate fact from fiction?

It seems like a silly question, not to mention an easy challenge to win. You may be surprised – especially when it comes to the IT security necessity of patch management.

This 2011 commentary for ABC News examines the art of myth-making. Specifically, the article explores why it’s so difficult to identify myths:

“They spread at lightning speed in these days of social media, 24-hour television news, and instant global communications … And it’s so easy to do.”

Following these simple instructions, the writer says, is all it takes: “Say it often. Keep it short.”

With that in mind, here are five patch management myths you may have heard. Now it’s time to debunk them.

Patching is a massive undertaking
IT pros who treat patching as routine maintenance have nothing to fear. If you are diligent in addressing known vulnerabilities as they appear, patching resembles a chore rather than a lengthy, time-consuming project.

People think patching is all-encompassing. It’s not, at least not when you stay on top of it. It certainly isn’t a giant that needs to be slain.

Rollback is vital to patching
Contrary to popular belief, rollback – automatically uninstalling patches – is not always needed. Confused? Don’t be. Rollback is only important if you are deploying an untested patch to your production network.

The reality is that you shouldn’t be deploying untested patches in the first place. When a patch is deployed, you should know exactly how it will act in your environment – because you’ve tested it.

Small businesses must have a test machine
This may seem to contradict the previous busted myth, since many small businesses can’t afford to duplicate a production server for testing purposes. Creating a virtual machine (VM) that runs a trial copy of the operating system is worth exploring.

Basically, you’re creating disposable test machines. You can’t keep them in a test environment permanently, because as soon as the trial period runs out they’re no good. But you can re-arm them to test patches against your environment.

Again, this doesn’t create a perfect duplication of your server; there is hardware to consider. But if your financial resources are limited, virtualization comes close so you can test patches.

New patches are out and they need to be installed – now!
Slow down. Just because a patch is released doesn’t mean you have to install it immediately.

You have time to test and research. If you can’t test it yourself, wait to hear from people who post feedback on IT security websites, blogs and forums.

Determine how long it will take to uncover the answers you need. That tells you how much time is actually on your side.
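The two rules argued for above (nothing reaches production untested, so rollback is not your safety net, and each patch gets a research and test window rather than an “install now” reflex) can be encoded as a small rollout gate. The following is an added example, not code from the original post; the window lengths, patch ids and dates are constructed placeholders for illustration, not a recommended policy.

```python
"""Patch rollout gate (added example; severity windows and sample data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: days allowed after release to test and research a patch
# before it is considered overdue. Tune these to your own environment.
RESEARCH_WINDOW_DAYS = {"critical": 3, "important": 14, "moderate": 30, "low": 60}


@dataclass
class Patch:
    patch_id: str                        # placeholder ids in the sample inventory below
    released: date
    severity: str                        # key into RESEARCH_WINDOW_DAYS
    test_passed: Optional[bool] = None   # None = never run on a test machine


def deadline(patch: Patch) -> date:
    """Last day of the research/test window for this patch."""
    return patch.released + timedelta(days=RESEARCH_WINDOW_DAYS[patch.severity])


def decide(patch: Patch, today: date) -> str:
    """Action for one patch on a given day.

    'deploy'  - ran on a test machine and passed: safe for production
    'hold'    - ran on a test machine and failed: investigate, do not deploy
    'test'    - untested and the window is still open (days left reported)
    'overdue' - untested and the window has closed: test it now
    An untested patch is never told 'deploy', which is what makes rollback unnecessary.
    """
    if patch.test_passed is True:
        return "deploy"
    if patch.test_passed is False:
        return "hold"
    days_left = (deadline(patch) - today).days
    if days_left < 0:
        return f"overdue by {-days_left} day(s): test now"
    return f"test ({days_left} day(s) left in window)"


def plan_rollout(patches, today: date) -> dict:
    """Map each patch id to the action the gate assigns it."""
    return {p.patch_id: decide(p, today) for p in patches}


# Constructed sample inventory: ids, dates and results are made up for illustration.
SAMPLE = [
    Patch("KB-PLACEHOLDER-1", date(2024, 6, 1), "critical", test_passed=True),
    Patch("KB-PLACEHOLDER-2", date(2024, 6, 1), "critical"),
    Patch("KB-PLACEHOLDER-3", date(2024, 6, 1), "moderate"),
    Patch("KB-PLACEHOLDER-4", date(2024, 5, 20), "important", test_passed=False),
]


def sample_plan() -> dict:
    """Run the gate over the sample inventory as of a fixed (constructed) day."""
    return plan_rollout(SAMPLE, date(2024, 6, 10))


if __name__ == "__main__":
    for pid, action in sample_plan().items():
        print(f"{pid}: {action}")
```

The gate is deliberately one-directional: a test result can move a patch toward production, but the calendar alone never can. An expired window changes the message from “test” to “overdue: test now”, not to “deploy”, so the pressure to act lands on the test machine rather than on the production network.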

‘It can’t happen to me’
Cybercriminals want you to adopt this mentality. They’re looking for users who believe they’re too small to matter, and therefore fail to patch their systems regularly.

Hackers look for vulnerable networks: the low-hanging fruit.

You, therefore, need to raise your awareness. Dispelling common patching myths is a smart start.

Congratulations. Your systems are already safer now that you’ve done it.