Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Admins battle 'patch fatigue' – fixing security flaws should not be this hard

John E Dunn | March 14, 2016
Patching has always been work but how much is too much?

This doesn't necessarily have anything to do with the number of security patches. RHEL issued 2,859 in 2015, Microsoft Windows 2,804, while Oracle only issued 276 for its products plus 116 for Java.

Issue 3 - Structured patching is good but critical fixes are paramount

Microsoft kicked this idea off in 2003 after XP started to buckle under sustained pressure from cybercriminals, since when most other vendors have followed suit with a monthly cycle. Cisco's is still quarterly while Apple's is intermittent. About a third of organisations would still prefer to get critical security patches out of band when they are available rather than wait until the next stop on the patching cycle. Overall, the industry has done well but the different cycles is not always helpful.

Issue 4 - Windows 10 branching has added to confusion

Microsoft's shift towards Current Branch (CB), Current Business Branch (CBB), and the Long-Term Servicing Branch (LTSB)patching for Windows 10 was inevitable given the different needs of enterprises using this software but has proved confusing. Each has its own versioning and rules - the firm even released an update buried within a general OS update - promoting 41 percent of respondents to suggest that this had made life more difficult.

"Windows 10 is a very different OS than we've seen from Microsoft in the past and the structure has thrown people for a loop right now. I don't know if we're going to see improvements of not or if people will become more accustomed to it," commented Tripwire's Tyler Reguly.

Issue 5 - bulletin quality matters

The quality of bulletins, which tells admins what to patch, how to patch it and which flaws this will resolve, are now a major factor in current patch fatigue to the extent that some now describe them as much a hindrance than a help. Vendors vary in the quality of their bulletins with Microsoft generally rated as good for providing step-by-step patching instructions and Oracle once again called out by a few respondents for the workload required to understand what is being communicated.

"There is too much click-through, 100 links on the landing page. That is a lot to go through," comments Reguly of Oracle's typical bulletin design. "It is very clear that there are some vendors who could improve their bulleting process. The one that stands out is Oracle."

Reguly argues for an industry consortium to address the bulletin issue by defining how these should be designed.

Issue 6 - Java and Flash need sorting out

A simple win when it comes to patching is simply to remove potentially vulnerable software, particular desktop components that might not even be needed. This is called reducing the 'attack surface'. Top candidates for this are, not surprisingly, Oracle's Java and Adobe's Flash, neither of which is seen as essential despite still having a strange grip on many organisations. The peak year for Java vulnerabilities was 2013, since when the number has dropped


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.