Is Centralized Patch Management Required

D1gger

Diamond Member
Oct 3, 2004
Background on my question:

I am a business owner with about 15 PCs installed in our office network. We do not have any in-house IT support and contract out our network and PC support to a third-party provider, who has always given us great service, and the cost has been very reasonable. To date we have never had a problem with viruses or other malware (knock on wood). We are currently using Windows XP SP3, Microsoft Office 2003 or 2007, IE v7 or 8, some Firefox v3, and Symantec Endpoint for virus protection.

Today, we received this unsolicited proposal (quoted below) from our support company, and it seems a little like overkill to me, but I really don't have the knowledge to make a final judgment.

CLIFFS:

Consultant is recommending we install
Shavlik's NetChk Protect
-- or --
ScriptLogic's Patch Authority Ultimate

Does anyone have any advice regarding whether this is necessary?


**********************************************************************************************************
I want to let you know about an issue regarding computer security that is becoming increasingly important, and some options for addressing it.

The Issue: Running antivirus (AV) software on your PCs is an essential step towards keeping them free of viruses and other "malware". However, no AV software is perfect, so it's also important to keep your PC free of the vulnerabilities that malware exploits. In the past it was enough to tell users not to download unexpected files or open unexpected attachments. But while malware writers continue to target flaws in Windows itself, they are also increasingly targeting flaws in common web-based programs and files, such as Adobe Flash, Adobe Reader (PDFs), and Sun's Java, to install malware on PCs without requiring any action by the computer user.

Minimizing the Risk: Beyond keeping your antivirus software updated, the most important step in avoiding these risks is keeping up-to-date any software on your PC that might interact with web sites that you browse to. This includes Windows and MS Office, of course, but also software such as:
- Adobe's Flash, Reader and Acrobat
- Apple's QuickTime and iTunes
- Sun's Java
- RealPlayer
- Mozilla's Firefox web browser (and its related Thunderbird email program)
While the organizations behind such software do include auto-update capabilities, these are clearly imperfect since I frequently find older versions of all these programs installed on PCs.

Solution 1: Keep Your PC Up-to-date: One obvious solution to this problem is to require that each computer user keep the software on their computer updated. For a home PC this is the only option available, though you can use free software such as Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help with the job. However, for office PCs this is, in my experience, unrealistic.

Solution 2: Use Centralized Scanning and/or Updating Software: I think the only reliable way to ensure that all office PCs are kept up-to-date is to use scanning software that works like Secunia PSI, but which is designed to scan all PCs at once. I also think that the requirements for such software should be narrowed to include only those which can automatically download and install any required updates. This has come to be known as "patch management" software.

There are many products which advertise patch management capabilities, but most can only scan for and install updates to address vulnerabilities in core Microsoft software, such as Windows and Office. I see little benefit to these latter products, since they duplicate the service provided (reasonably well) by Windows Update, while ignoring the growing need for updates to third party software from Adobe, Apple, etc.

Fortunately there are patch management products which do include scanning and updating of such third-party software. However, the choices are limited by the fact that all seem to use the technology of one company, Shavlik Technologies (http://www.shavlik.com). This was the company that created the first Windows vulnerability scanner for Microsoft, and Shavlik has gone on to create its own line of patch management products, as well as licensing its core technology to other companies for inclusion in their own products. These latter products tend to be large enterprise management systems, where patch management is just one feature among many. This leaves only two options (that I could find) which provide relatively inexpensive patch management for smaller networks:
- Shavlik's NetChk Protect (http://www.shavlik.com/netchk-protect.aspx): Coming from the company that provides the technology to everyone else, this also claims to offer spyware scanning as well as patch management. However, it is more expensive, at about $50/PC plus annual maintenance (which isn't shown on their web site).
- ScriptLogic's Patch Authority Ultimate (http://www.scriptlogic.com/Pro...atchauthorityultimate): This is limited to patch management, but the list of programs included in their scanner (http://support4.scriptlogic.co...article.aspx?id=15052) is the same as that advertised by Shavlik. Cost is about $20/PC plus annual maintenance (which isn't shown on their web site).
Both products let you evaluate their software for 30 days (though with a limit of 10 PCs scanned), and can be purchased from their respective websites. I did a short test of the current ScriptLogic software, but haven't tested Shavlik's current version.
************************************************************************
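As an added example that is not part of the thread and not code from Shavlik or ScriptLogic: the scan the consultant describes (find every copy of Flash, Reader, Java, QuickTime, etc. on every PC and compare it to the current release) can be approximated for 15 PCs with a script run from the admin's machine. It reads each PC's Add/Remove Programs data over the Remote Registry service and flags the products named in the proposal when the installed version is below a baseline the admin maintains. It assumes PowerShell on the admin PC, the Remote Registry service running on the XP targets, and an account with admin rights on them; the hostnames and the baseline versions are placeholders to fill in.

```powershell
# Added example, not from the thread or either vendor. Inventories the
# third-party products named in the consultant's proposal across office PCs
# by reading the remote Uninstall registry keys, and flags versions below a
# baseline the admin keeps current by hand. Placeholder hostnames/versions.

$computers = 'OFFICE-PC01', 'OFFICE-PC02'   # placeholder names; list all 15

# Minimum acceptable version per product. Fill these in from each vendor's
# current release page before a run; '0.0' means "inventory only, don't judge".
$baseline = @{
    'Adobe Flash Player'  = '0.0'
    'Adobe Reader'        = '0.0'
    'Adobe Acrobat'       = '0.0'
    'QuickTime'           = '0.0'
    'iTunes'              = '0.0'
    'Java'                = '0.0'
    'RealPlayer'          = '0.0'
    'Mozilla Firefox'     = '0.0'
    'Mozilla Thunderbird' = '0.0'
}

# The second path only exists on 64-bit hosts; it is skipped when absent.
$uninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProducts {
    param([string]$ComputerName)
    # Needs the Remote Registry service on the target and admin rights.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    foreach ($path in $uninstallPaths) {
        $key = $hklm.OpenSubKey($path)
        if ($null -eq $key) { continue }
        foreach ($sub in $key.GetSubKeyNames()) {
            $entry = $key.OpenSubKey($sub)
            $name  = $entry.GetValue('DisplayName')
            if (-not $name) { continue }            # patches and hidden entries
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Product  = [string]$name
                Version  = [string]$entry.GetValue('DisplayVersion')
            }
        }
    }
}

function Test-BelowBaseline {
    param([string]$Installed, [string]$Minimum)
    # [version] compares dotted numbers properly ('6.0.170' < '6.0.200');
    # anything that does not parse is reported but not judged.
    try   { return ([version]$Installed) -lt ([version]$Minimum) }
    catch { return $false }
}

$report = foreach ($pc in $computers) {
    try   { $products = Get-InstalledProducts -ComputerName $pc }
    catch { Write-Warning "$pc unreachable: $_"; continue }
    foreach ($p in $products) {
        foreach ($watched in $baseline.Keys) {
            if ($p.Product -like "$watched*") {
                $p | Add-Member -MemberType NoteProperty -Name Outdated `
                    -Value (Test-BelowBaseline $p.Version $baseline[$watched]) -PassThru
                break
            }
        }
    }
}

$report | Sort-Object Computer, Product | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "patch-inventory-$(Get-Date -Format yyyyMMdd).csv"
```

What this does not do is the part the paid products charge for: keeping the baseline current and pushing the installers. It does give the owner a weekly CSV showing whether the "imperfect auto-updaters" the consultant mentions are actually leaving old versions behind, which is the evidence the thread's risk-vs-cost question turns on.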
 

lxskllr

No Lifer
Nov 30, 2004
I'm not a security pro, or a business owner, but I don't think that kind of software's worth the cost. Imo your money would be better spent educating your employees, and maybe have a mandatory "patch hour" on Tuesday where they check their apps, and patch as necessary. There's already enough scareware security software, and eventually you'd need a gaming rig to run Office due to the weight of the "protection" you have installed.
 

Oakenfold

Diamond Member
Feb 8, 2001
You could perform a risk assessment (i.e. identify risks and rate them, risk=the significance in terms of the impact to your organization and the probability of the risk occurring) to determine if this is really worthwhile. In the event something did happen would you have a list of patches that are installed on applications, servers and operating systems? How would you recover from having to deal with something like this? Now might be a good time to consider the risks vs. costs.

I don't have experience with the norm for small businesses.. maybe someone else can chime in?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: lxskllr
I'm not a security pro, or a business owner, but I don't think that kind of software's worth the cost. Imo your money would be better spent educating your employees, and maybe have a mandatory "patch hour" on Tuesday where they check their apps, and patch as necessary. There's already enough scareware security software, and eventually you'd need a gaming rig to run Office due to the weight of the "protection" you have installed.

I wish user education worked...
 

Oakenfold

Diamond Member
Feb 8, 2001
Originally posted by: n0cmonkey
Originally posted by: lxskllr
I'm not a security pro, or a business owner, but I don't think that kind of software's worth the cost. Imo your money would be better spent educating your employees, and maybe have a mandatory "patch hour" on Tuesday where they check their apps, and patch as necessary. There's already enough scareware security software, and eventually you'd need a gaming rig to run Office due to the weight of the "protection" you have installed.

I wish user education worked...

For 15 people it might not be an issue, changing that corporate culture is not as difficult as where you are I'm sure. ;)
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: n0cmonkey
Originally posted by: lxskllr
I'm not a security pro, or a business owner, but I don't think that kind of software's worth the cost. Imo your money would be better spent educating your employees, and maybe have a mandatory "patch hour" on Tuesday where they check their apps, and patch as necessary. There's already enough scareware security software, and eventually you'd need a gaming rig to run Office due to the weight of the "protection" you have installed.

I wish user education worked...

I'd have to question the value of an employee that won't learn how to maintain the tools they're given. In surveying you're expected to maintain and test the instruments you use to ensure they're in proper working order. It isn't difficult, you just learn it, and do it. Education will always trump nannying. Outside of an absolutely locked down box that resets itself after every session, there's no protection from ignorance.

For an unconventional approach that might work well for a small business: give the employees their computers. Make the computers theirs. If they leave the company the computer goes with them. It's a relatively small cost as far as business expenses go, and it may instill pride of ownership that'll encourage them to properly take care of their machines.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: lxskllr
I'd have to question the value of an employee that won't learn how to maintain the tools they're given. In surveying you're expected to maintain and test the instruments you use to ensure they're in proper working order. It isn't difficult, you just learn it, and do it. Education will always trump nannying. Outside of an absolutely locked down box that resets itself after every session, there's no protection from ignorance.

That's part of the surveyor's job though. Why would administration be part of an accountant's job?

For an unconventional approach that might work well for a small business: give the employees their computers. Make the computers theirs. If they leave the company the computer goes with them. It's a relatively small cost as far as business expenses go, and it may instill pride of ownership that'll encourage them to properly take care of their machines.

But people don't take care of their home machines already, why would getting one more computer make a difference?

Personally, I'd love for user education to truly work (we should keep trying of course). And maybe in a 15 person office it might do wonders, but there will always be someone who is too cocky, ignorant, or delusional to get it.

I don't think an expensive software product is necessarily the right solution for a 15 person office, but I also don't think that relying on the users to get the job done is perfect either.

If the company is a Windows shop and already uses Windows server, maybe look into WSUS (or whatever it's called) for most patching. That along with a weekly (or so) nessus scan with full credentials or Secunia CSI (for verification of expected patch levels and other random applications) should do wonders.
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: n0cmonkey
Originally posted by: lxskllr
I'd have to question the value of an employee that won't learn how to maintain the tools they're given. In surveying you're expected to maintain and test the instruments you use to ensure they're in proper working order. It isn't difficult, you just learn it, and do it. Education will always trump nannying. Outside of an absolutely locked down box that resets itself after every session, there's no protection from ignorance.

That's part of the surveyor's job though. Why would administration be part of an accountant's job?

It's part of the job because you're told it's part of the job. If the accountant breaks a pencil, he doesn't call IT to sharpen it for him, he handles it. Updating software isn't any more difficult than sharpening a pencil. There needs to be higher expectations for employees to be able to handle typical maintenance tasks. Granted, that may not be how the world currently works, but there's no reason why it shouldn't be.

Training isn't that expensive, and it pays dividends far into the future. It promotes a "smart shop" that perpetuates itself, even as employees come and go. It's just like running a torrent. Even though the original seeder long ago quit the torrent, the "knowledge" is still being propagated and shared amongst all of the leechers until a complete package is generated.
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: lxskllr
Originally posted by: n0cmonkey
Originally posted by: lxskllr
I'd have to question the value of an employee that won't learn how to maintain the tools they're given. In surveying you're expected to maintain and test the instruments you use to ensure they're in proper working order. It isn't difficult, you just learn it, and do it. Education will always trump nannying. Outside of an absolutely locked down box that resets itself after every session, there's no protection from ignorance.

That's part of the surveyor's job though. Why would administration be part of an accountant's job?

It's part of the job because you're told it's part of the job. If the accountant breaks a pencil, he doesn't call IT to sharpen it for him, he handles it. Updating software isn't any more difficult than sharpening a pencil. There needs to be higher expectations for employees to be able to handle typical maintenance tasks. Granted, that may not be how the world currently works, but there's no reason why it shouldn't be.

Training isn't that expensive, and it pays dividends far into the future. It promotes a "smart shop" that perpetuates itself, even as employees come and go. It's just like running a torrent. Even though the original seeder long ago quit the torrent, the "knowledge" is still being propagated and shared amongst all of the leechers until a complete package is generated.


Users will always be users. They don't know right from wrong when it comes to managing a PC, and they never will. For example, it's obvious to an IT professional that the antivirus definitions need to stay current on their computer. Most users don't understand why this is important, and (on top of that) they don't care to learn why.

If you leave it up to your end users to administer your security (no matter how much training you've given them), you're going to end up with security incidents/breaches that could have been prevented by proper central administration.
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: seepy83


Users will always be users. They don't know right from wrong when it comes to managing a PC, and they never will. For example, it's obvious to an IT professional that the antivirus definitions need to stay current on their computer. Most users don't understand why this is important, and (on top of that) they don't care to learn why.

If you leave it up to your end users to administer your security (no matter how much training you've given them), you're going to end up with security incidents/breaches that could have been prevented by proper central administration.

Perhaps I'm an idealist, but I've always gone by the philosophy that if you treat children like children, they act like children. In other words, people will live up to your expectations, and not a bit more.

Going with the child example, my daughter's teachers have commented on the fact that they can have intelligent, insightful conversations with her. I attribute that to me not pulling punches or talking to her like a baby as she was growing up. I've always expected her best effort in examining the world, and solving problems on her own, and she only rarely disappoints me. I don't think adults are much different in that regard.
 

oddyager

Diamond Member
May 21, 2005
Originally posted by: lxskllr
Originally posted by: seepy83


Users will always be users. They don't know right from wrong when it comes to managing a PC, and they never will. For example, it's obvious to an IT professional that the antivirus definitions need to stay current on their computer. Most users don't understand why this is important, and (on top of that) they don't care to learn why.

If you leave it up to your end users to administer your security (no matter how much training you've given them), you're going to end up with security incidents/breaches that could have been prevented by proper central administration.

Perhaps I'm an idealist, but I've always gone by the philosophy that if you treat children like children, they act like children. In other words, people will live up to your expectations, and not a bit more.

Going with the child example, my daughter's teachers have commented on the fact that they can have intelligent, insightful conversations with her. I attribute that to me not pulling punches or talking to her like a baby as she was growing up. I've always expected her best effort in examining the world, and solving problems on her own, and she only rarely disappoints me. I don't think adults are much different in that regard.


Are we talking small shop still or are we making blanket statements across the board? Users aren't paid to maintain their own machines. They should not have to worry about updating their AV definitions or ensuring that their OS has all of the required updates and patches when they should be focused on creating and doing business.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: oddyager
Are we talking small shop still or are we making blanket statements across the board? Users aren't paid to maintain their own machines. They should not have to worry about updating their AV definitions or ensuring that their OS has all of the required updates and patches when they should be focused on creating and doing business.

Wait, you don't want to keep paying your CFO his nasty salary while he's upgrading to service pack 3? How many sales guys are going to choose sp3 update over emailing customers? Or troubleshooting that BSOD? :p
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: lxskllr
Perhaps I'm an idealist, but I've always gone by the philosophy that if you treat children like children, they act like children. In other words, people will live up to your expectations, and not a bit more.

Going with the child example, my daughter's teachers have commented on the fact that they can have intelligent, insightful conversations with her. I attribute that to me not pulling punches or talking to her like a baby as she was growing up. I've always expected her best effort in examining the world, and solving problems on her own, and she only rarely disappoints me. I don't think adults are much different in that regard.

Come on. Users are worse than children. Children will generally listen if you explain things well, and will definitely listen after they've touched the burner. How many "I didn't do anything, er, wait, there was that link to hot sexy Russian women that want to know me biblically" incidents have you dealt with? How many happened after a previous similar incident? Or right after the mandatory security training?
 

lxskllr

No Lifer
Nov 30, 2004
We're kind of getting into general management theory here, but I'll throw out my thoughts.

First, my experience is with small offices, and that's what I generally have in mind. I think education and incentives can go a long way towards keeping a safe and secure network. Computer maintenance just isn't that hard. Updating software isn't much harder than updating papers in a file. You add new papers, and remove the stuff that's obsolete. I just don't see how that's so much different than a mechanic cleaning his tools, or a cabinet maker keeping his tools sharp and in good condition. I believe (perhaps erroneously) that a user who feels he's actually part of an organization, and not just a redundant cog in a machine, will do his best (or at least an adequate) job at ensuring the company does well. If you give people responsibility, and treat them more as equals, they'll reward you with good performance.

Instead of a do-this, don't-do-that security meeting where directives are put forth from the "top of the mount", give people information on why certain things are bad, and other things are good. Let them draw their own conclusions. If they don't come to the correct conclusion, perhaps they aren't the right person for the job. People don't like being told what to do. That fosters an "us vs. them" mentality, and they'll try to subvert your wishes, out of pure spite. Tell them why everybody watching YouTube hammers the network. Explain why you probably don't want something that somebody's giving away free online. Explain why running unauthorized applications can be detrimental to security... They can also be rewarded for problem-free months. No viruses this month? You get off early this Friday, or maybe the boss can bring in a nice food platter for everybody. That reinforces good working habits, and builds loyalty to the company, and by extension, the network.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
For 15 users, turn on automatic updates and have it set to install and reboot when needed.
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: lxskllr
We're kind of getting into general management theory here, but I'll throw out my thoughts.

First, my experience is with small offices, and that's what I generally have in mind. I think education and incentives can go a long way towards keeping a safe and secure network. Computer maintenance just isn't that hard. Updating software isn't much harder than updating papers in a file. You add new papers, and remove the stuff that's obsolete. I just don't see how that's so much different than a mechanic cleaning his tools, or a cabinet maker keeping his tools sharp and in good condition. I believe (perhaps erroneously) that a user who feels he's actually part of an organization, and not just a redundant cog in a machine, will do his best (or at least an adequate) job at ensuring the company does well. If you give people responsibility, and treat them more as equals, they'll reward you with good performance.

Instead of a do-this, don't-do-that security meeting where directives are put forth from the "top of the mount", give people information on why certain things are bad, and other things are good. Let them draw their own conclusions. If they don't come to the correct conclusion, perhaps they aren't the right person for the job. People don't like being told what to do. That fosters an "us vs. them" mentality, and they'll try to subvert your wishes, out of pure spite. Tell them why everybody watching YouTube hammers the network. Explain why you probably don't want something that somebody's giving away free online. Explain why running unauthorized applications can be detrimental to security... They can also be rewarded for problem-free months. No viruses this month? You get off early this Friday, or maybe the boss can bring in a nice food platter for everybody. That reinforces good working habits, and builds loyalty to the company, and by extension, the network.


For most organizations, making end users responsible for the security of a Business Network is just not worth the risk.

Who is held accountable when there is a breach? Ann the Accountant? She didn't think she was doing anything wrong when a message popped up telling her to disable her antivirus software so that "Adope" Acrobat could run an update... and then all of a sudden she got infected with a Trojan instead of getting a software patch. And on top of that, the Trojan went unnoticed for 7 months because she didn't remember to re-enable her antivirus software and no one was checking up on any logs.

I know it might sound far fetched...but these things happen.
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: seepy83

Who is held accountable when there is a breach? Ann the Accountant? She didn't think she was doing anything wrong when a message popped up telling her to disable her antivirus software so that "Adope" Acrobat could run an update... and then all of a sudden she got infected with a Trojan instead of getting a software patch. And on top of that, the Trojan went unnoticed for 7 months because she didn't remember to re-enable her antivirus software and no one was checking up on any logs.

I know it might sound far fetched...but these things happen.

It doesn't sound far-fetched at all with the way people currently treat computers (like toasters), and with what they're expected to know. I think education could prevent that from happening, though. If Ann isn't sure if that's a good idea (security training should at least instill doubt, if nothing else), she can float it by Fred for confirmation. Hopefully *somebody* learned something from the security meetings. If they didn't, I'd have to seriously question my choice of employees :^D

 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: bsobel
For 15 users, turn on automatic updates and have it set to install and reboot when needed.
But that doesn't address updates for the myriad of non-Microsoft programs that people install. Heck, most folks don't even turn on Microsoft Update, so only Windows itself gets updated.

It's difficult to predict where the next big software vulnerability will be. There have been known, exploited vulnerabilities in most applications, both Microsoft and non-Microsoft. It makes sense to keep them all updated. And it's virtually impossible to do so across a fifteen-person office unless somebody either makes it their job (and hopefully has some training to do this effectively), or automatic update software, like Shavlik's, is installed.
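bsobel's "turn on automatic updates, install and reboot when needed" and RebateMonger's objection that most PCs never get opted into Microsoft Update (so Office is skipped) are both a few registry values and one COM call. The script below is an added example, not code from the thread or from Microsoft's documentation; it assumes it is run as an administrator on each XP PC (locally or via psexec) in a shop with no Group Policy, and the WSUS URL is a placeholder. It does not touch the third-party programs the consultant is worried about; it only makes the free Microsoft channel do everything it can.

```powershell
# Added example, not from the thread. Configures the Automatic Updates policy
# on one PC (auto-download, scheduled install, reboot even with a user logged
# on), optionally points it at a WSUS server, and opts the PC into Microsoft
# Update so Office is patched as well as Windows. Run as an administrator.
param(
    [string]$WsusServer = ''   # placeholder, e.g. 'http://wsus.example.local:8530'; empty = plain Microsoft Update
)

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$policy\AU"
New-Item -Path $policy -Force | Out-Null
New-Item -Path $au     -Force | Out-Null

# AUOptions 4 = auto download and schedule the install; day 0 = every day;
# time 3 = 03:00. NoAutoRebootWithLoggedOnUsers 0 is what "reboot when needed"
# actually requires: with 1, a PC that is never logged off never installs.
Set-ItemProperty -Path $au -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions                     -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay           -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime          -Value 3 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord

if ($WsusServer) {
    # Approve updates centrally on the WSUS box; the PC still reboots on its own.
    Set-ItemProperty -Path $policy -Name WUServer       -Value $WsusServer -Type String
    Set-ItemProperty -Path $policy -Name WUStatusServer -Value $WsusServer -Type String
    Set-ItemProperty -Path $au     -Name UseWUServer    -Value 1 -Type DWord
} else {
    Set-ItemProperty -Path $au -Name UseWUServer -Value 0 -Type DWord
}

# Opt in to Microsoft Update (Office and other Microsoft products, not only
# Windows). The service ID is Microsoft's published one; flags 7 = allow
# pending and online registration and register the service with Automatic
# Updates. Harmless if the PC is already opted in.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$serviceManager.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '') | Out-Null

# Make the update agent re-read the policy, detect, and report in now.
Restart-Service -Name wuauserv
wuauclt /detectnow
wuauclt /reportnow

# Verification: what the agent now thinks its schedule is.
(New-Object -ComObject Microsoft.Update.AutoUpdate).Settings |
    Format-List NotificationLevel, ScheduledInstallationDay, ScheduledInstallationTime
```

The NotificationLevel printed at the end should read 4 (scheduled installation). If it still shows 2 or 3, the policy key was not read, which usually means the values went under the wrong hive or the service was not restarted. Writing the values under HKLM\SOFTWARE\Policies rather than the user-facing setting matters because the policy values cannot be turned off from the Control Panel by a user, which is the whole point of doing it centrally.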
 

sourceninja

Diamond Member
Mar 8, 2005
I've setup WUSS, err excuse me WSUS servers for smaller companies and that works well for updating all things microsoft. For other applications we have always gone with commercial software, patchlink and zenworks being two of the few I've worked with.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: Oakenfold
Are there any open-source patch management apps that the OP might consider?
It seems unlikely that there'd be reliable open-source software. The problem is maintaining the database of patches for hundreds or thousands of applications. Who's going to do that and keep it maintained? That's a LOT of work to do for free.
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: RebateMonger
Originally posted by: Oakenfold
Are there any open-source patch management apps that the OP might consider?
It seems unlikely that there'd be reliable open-source software. The problem is maintaining the database of patches for hundreds or thousands of applications. Who's going to do that and keep it maintained? That's a LOT of work to do for free.

I don't think it's impractical. You don't have to keep everything patched, just packages that are likely to be exploited. Just keeping Adobe products and Java patched would go a long way to improving security.
 

Oakenfold

Diamond Member
Feb 8, 2001
Originally posted by: RebateMonger
Originally posted by: Oakenfold
Are there any open-source patch management apps that the OP might consider?
It seems unlikely that there'd be reliable open-source software. The problem is maintaining the database of patches for hundreds or thousands of applications. Who's going to do that and keep it maintained? That's a LOT of work to do for free.

That's a good point, and probably why I've never heard of anyone using an open-source solution; however, one that would fit the OP's needs wouldn't need to be that complex.