Security Basics mailing list archives

Re: Third Party Patch Management


From: krymson () gmail com
Date: Wed, 25 Mar 2009 14:19:04 -0600

First, if you find a tool to do this for you, please share as I'm sure more than just me could possibly find it useful!

There are two types of tools you could look for.

1) Deployment solutions. Something like Altiris or even GPO if you're not too large works great to roll out software to 
your systems. Altiris might be borderline overkill unless you're bumping up over 200 users. But if you can afford it, it is 
an awesome tool (and skill!) to have.

The caveat is that *you* or your staff still need to find out when new patches or software versions are available, get 
them, test them, install them.


2) Update monitoring and inventory tools. I don't know any tools that do both update monitoring and deployment, so this 
is the next best niche, much like WSUS. I guess most of them end up being like GFI LANguard where they need to have 
updates so they know what software versions are current, do a scan of your environment, and let you know when it finds 
something old. Then it is still up to you to package and deploy.

You could get by with pairing a person who checks for new versions + deployment solution + inventory solution to tell 
you what version software is installed on systems. Still, that's going to be a decent amount of work no matter how you 
slice it.


I know this can be argued, but if you have a very good process for hardware replacement, many pieces of software may be 
resilient enough to last until they are reinstalled with new hardware. This would be your own risk assessment, 
especially since even 3 years (laptops) may be too long for some issues... This decision gets better if you have decent 
IDS/IPS, web filtering, mail filtering, and reduced desktop rights for users, and even a process for your less savvy 
users (yay sales!) to "check in" with you for a manual/annual cleaning of their systems.


<- snip ->
With all the security updates to programs like Acrobat & Java, I am
interested in how the community is handling patch management practically in
small to medium sized organizations (50 to 200 computers). Microsoft Update
Server works for Windows patches but will not handle third party patches.
Microsoft System Center is nice but too expensive for this market.

What solutions are you using and how effective are they?

Thanks,

Coop
