In an online survey conducted earlier this summer by Forrester Research Inc., a Cambridge, Mass.-based consultancy, found that of 118 IT managers using patch-checking tools and consistent policies -- such as prioritizing incoming patches – all are able to meet their patching deadlines or miss them by just a few days. Those without tools or procedures fall far behind.
The study, called "The State of Operating System Security 2007," was released in June by Forrester analyst Jennifer Albornoz Mulligan. It found that IT managers without patching procedures and tools get their systems patched an average of 19 days later than their company's patching deadline policies call for.
The survey also found that:
- 8% of IT managers don't check patch compliance levels at all.
- 25% do not harden all their Web-facing servers.
- 17% do not know their company's patching timeline.
- 25% do not know how long the patching process actually took.
And while 30% of IT managers surveyed apply patches immediately, 86% take three months to install them.
Good examples of standing procedures that smooth the patching process are those at Inergy Automotive Systems, an automotive parts manufacturer in Troy, Mich. The IT department there starts with a testing cycle three to five days after the patch is released, according to Arun DeSouza, Inergy Automotive's chief information security officer.
If the patch is successfully tested, it gets approved the following Monday by the IT department's Weekly Change Control Board conference call, which DeSouza said he created in 2003 to better communicate with everyone in IT. Patching is only one subset of the topics that the group discusses at the weekly meetings.
The companywide patching process is usually completed within one to three days of its approval, which ends the approximately 10-day patching window, he said.
The IT department normally uses Microsoft's Systems Management Server, which pushes out the patches and checks for unpatched computers.
Forrester's survey also said 57% use an automated method to check for patch compliance, while another 37% check manually. In addition, 8% don't check at all and another 3% don't know how or if their company checks patch compliance, according to the survey.
The good news is that there were some IT managers who had reduced their patching window to within 48 hours of a patch release by using tools and specified practices that make a difference, Mulligan said.
Every Tuesday, said Chris St. Amand, a network technician at the Visiting Nurses Association & Hospice of Colley Dickinson in Northampton, Mass., his IT department pushes out critical patches through Group Policy settings on its Windows Server 2003. Those settings, as well as the use of Microsoft's free Windows Server Update Services, or WSUS, and AutoPatcher, a free offline Windows Update tool, make ensuring all necessary patches have been applied a fairly painless process, St. Amand said.
With free tools and common sense procedures available to all IT managers, Mulligan said she was surprised at the different points in the patching spectrum.
"There were people we surveyed who had the patching process down to a 48-hour period, so it's possible to do a great job," Mulligan said. "And while the median showed that a lot of people are doing a fair job, I was surprised at the amazingly atrocious job some people do in the patching process."