Patches and Risk Management

The four security bulletins that Microsoft released April 13 address some 20 vulnerabilities found in most Windows OSs and in Windows NetMeeting and Microsoft Outlook Express 6.0 and Outlook Express 5.5. If you haven't already inspected the security bulletins to determine how soon you should patch your systems, consider doing so sooner rather than later. Microsoft labeled six of the vulnerabilities critical and the remaining 14 important or lesser risks. Microsoft suggests that you load all critical patches within 24 hours of their release, important patches within a month, moderate patches within four months (using the patch itself, a roll-up package, or a new service pack, depending on availability), and low-importance patches any time during the next 12 months. Of course, treat the suggested roll-out times only as a guideline; your own environment and policies will better determine your time frames for patch roll-outs.

Also last week, Microsoft published the paper "Security Management: Oh Patch How I Hate Thee; Let Me Count the Ways" by Jesper M. Johansson. In it, you'll find a description of Microsoft product patches and severity ratings, the methods Microsoft uses to make patches available, tips about how you might be able to install patches without rebooting a system afterward, and other anecdotal information. The article also mentions Microsoft Virtual PC, which you might be able to use to establish an environment in which you can test patches before rolling them out.

http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx

http://www.microsoft.com/windowsxp/virtualpc

You probably have loads of software from other vendors, and obviously you need to stay informed about any security vulnerabilities this software might have. One tool you might consider using is Cassandra, from the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. Cassandra lets you establish profiles that contain lists of products you use or are interested in monitoring for new security risks. You can also configure your profiles so that you receive email notifications when new data becomes available about products on your lists. Cassandra searches the National Institute of Standards and Technology's (NIST's) ICAT vulnerability database and vulnerability information from Secunia, which in some cases might be more timely and more inclusive than ICAT's information. You can use a freeware tool such as Sassafras Software's KeyAudit (a software inventory and auditing utility) to help generate and update your profiles.

https://cassandra.cerias.purdue.edu/main/index.html

http://www.cerias.purdue.edu

http://icat.nist.gov

http://www.secunia.com

http://www.sassafras.com/keyaudit.html

Check into Cassandra. It might help automate your current processes or even fill some gaps in your security risk knowledge.
