A recent report from the Yankee research firm shows that a company that keeps fully up to date with patches, installing every Microsoft patch as soon as it is released, spends $5,200 per desktop per year.
Patching Comes at a Cost. Author: Shen Jian Miao. Published: 2004.07.21
Is reactive patching a good way to protect against known vulnerabilities?
Obviously not. Yet faced with a flood of patches, most companies find themselves caught between two difficulties.
Today, attackers need less and less time to turn a known vulnerability into a working attack. Only about 18 days passed between Microsoft's disclosure of the vulnerability and the appearance of the "Shock Wave" (Blaster) worm that exploited it, a sign that the fight against online crime has entered a new phase. Because the window of opportunity for protecting systems keeps shrinking, keeping vulnerable software patched has become a task that can never quite be finished.
Choosing when to patch
For many companies' IT managers, the second Tuesday of each month (the day Microsoft releases its security updates) means a race against time: patching the company's systems before attackers can exploit the newly disclosed vulnerabilities. For large companies with thousands of desktops to patch, reactive patching consumes a great deal of manpower and can itself harm the IT systems, for example by taking the network out of service. Companies are often forced to decide between two evils: patch right away and accept the disruption, or hold off and stay exposed to the vulnerability?
The benefit of patching is that the vulnerability can no longer be exploited, but the work itself is complicated. Under pressure to publish security patches quickly, software vendors sometimes release a patch before all of its errors have been identified. Not only does this mean a further update has to be released later; it leaves plenty of trouble behind, since a flawed patch can cause serious problems, such as taking down critical servers. Patches are often revised some time after release, which means that applying a patch immediately, without comprehensive system testing to make sure it does no harm to the computer systems, is very dangerous.
Test before patching
If every patch is first tested in a controlled laboratory environment, programmers can fine-tune the patch, adjust configuration parameters to suit the company's specific environment, and reduce the risk the patch poses to the existing corporate network as far as possible. Most companies use a standard desktop configuration for all PCs, so once a patch passes testing it can be rolled out to the other systems without testing each desktop one by one. Testing before patching is also important because servers are critical to the functioning of the corporate network, and any fault will bring the network to a halt.
Deciding to apply a patch immediately, rather than waiting for the next planned patch cycle (ideally, vendors would release updates every half month), requires in-house expertise and manpower to assess, for each vulnerability, its severity (how likely it is to affect the IT environment), its scope (which systems may be affected), and the cost of mitigation and/or recovery. If the company maintains an up-to-date, detailed inventory of all production systems and security controls, it can make sound decisions about patching the infrastructure: first determine priorities, and only then decide whether reactive patching is needed.
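The decision procedure described above, as an added illustration that is not part of the original article: a small patch triage routine that takes an asset inventory and a vendor advisory, works out which systems are exposed, and decides between an immediate (reactive) patch and the next planned cycle. The decision rule (immediate only when the advisory is critical, exploitable remotely without user action, and not already blocked by existing defenses), the asset and advisory records, and the inventory and advisory IDs are all constructed assumptions for the example, not data from the article.

```python
"""Patch triage: reactive (immediate) versus planned patching, driven by the asset inventory."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    """One production system from the company's asset inventory (constructed record layout)."""
    name: str
    role: str                    # "desktop" or "server"
    products: FrozenSet[str]     # installed software an advisory may affect
    config_group: str            # standard build; test the patch once per group, not per machine
    critical: bool = False       # server whose outage stops the corporate network


@dataclass(frozen=True)
class Advisory:
    """A vendor security bulletin reduced to the fields the decision needs (assumed layout)."""
    id: str
    severity: str                       # "critical", "important", "moderate" or "low"
    affected_products: FrozenSet[str]
    remote_no_user_action: bool         # triggerable remotely with no action by the user
    mitigated_by_perimeter: bool        # existing defenses already block the attack path


def affected_assets(adv: Advisory, inventory: List[Asset]) -> List[Asset]:
    """Scope: which systems in the inventory run a product the advisory covers."""
    return [a for a in inventory if a.products & adv.affected_products]


def triage(adv: Advisory, inventory: List[Asset]) -> Dict[str, object]:
    """Return the patching decision plus the facts it was based on."""
    exposed = affected_assets(adv, inventory)
    # One lab test per standard configuration group covers every machine in that group.
    test_groups = sorted({a.config_group for a in exposed})
    critical_exposed = [a.name for a in exposed if a.critical]
    if not exposed:
        decision = "not-applicable"
    elif (adv.severity == "critical" and adv.remote_no_user_action
          and not adv.mitigated_by_perimeter):
        decision = "immediate"      # reactive, out-of-band patch: defenses cannot hold
    else:
        decision = "planned"        # defer to the next scheduled patch and reboot window
    return {
        "advisory": adv.id,
        "decision": decision,
        "exposed": [a.name for a in exposed],
        "critical_exposed": critical_exposed,
        "test_groups": test_groups,
    }


# Constructed sample inventory: three standard desktops and two servers.
INVENTORY: List[Asset] = [
    Asset("pc-001", "desktop", frozenset({"windows-xp", "office"}), "std-desktop"),
    Asset("pc-002", "desktop", frozenset({"windows-xp", "office"}), "std-desktop"),
    Asset("pc-003", "desktop", frozenset({"windows-xp", "office"}), "std-desktop"),
    Asset("web-01", "server", frozenset({"windows-2000", "iis"}), "web-server", critical=True),
    Asset("file-01", "server", frozenset({"windows-2000"}), "file-server"),
]

# Constructed sample advisories (placeholder IDs, not real bulletins).
ADV_A = Advisory("ADV-EXAMPLE-1", "critical", frozenset({"windows-xp", "windows-2000"}),
                 remote_no_user_action=True, mitigated_by_perimeter=False)
ADV_B = Advisory("ADV-EXAMPLE-2", "important", frozenset({"office"}),
                 remote_no_user_action=False, mitigated_by_perimeter=False)
ADV_C = Advisory("ADV-EXAMPLE-3", "critical", frozenset({"exchange"}),
                 remote_no_user_action=True, mitigated_by_perimeter=False)

if __name__ == "__main__":
    for adv in (ADV_A, ADV_B, ADV_C):
        print(triage(adv, INVENTORY))
```

Running the block prints one decision per advisory: the critical, remotely triggerable advisory hits every system including the critical web server and is marked immediate, the Office-only advisory is deferred to the planned cycle with a single "std-desktop" test group, and the advisory for software nobody runs is marked not applicable.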
If the company manages the process well and develops a planned patching program, it can schedule patching and reboots for each server in an orderly way, which makes unified management and pre-deployment testing easier and keeps reactive patching to a minimum. Since most patches require a reboot, which disrupts the business, planned patching reduces unnecessary downtime and lowers management costs. Especially dangerous vulnerabilities, however, must always be dealt with at once. For example, Microsoft security bulletin MS04-011 confirmed a PCT vulnerability that can be triggered remotely without any action by the user of the affected machine, which means part of the infrastructure can be attacked easily. When the security of key systems inside the network infrastructure is at stake and the current defenses cannot block the threat, reactive patching is absolutely necessary.
Reactive patching is expensive
Unfortunately, patching has costs, and reactive patching is expensive. A recent report from the Yankee research firm shows that a company that keeps fully up to date with patches, installing every Microsoft patch in time, spends $5,200 per desktop per year. Companies should try to apply fewer patches and automate the patching process to control these costs: once a patch has been approved, it can be distributed across the whole enterprise automatically, without manual intervention. Reactive patching also involves other costs, for example the work of correcting IT problems that a patch causes in other functions.
Because reactive patching is costly and is very likely to damage the company's core IT infrastructure, it should be used as little as possible. A clearly layered defense, with security mechanisms that reinforce one another deployed at the network perimeter and on desktops (or laptops), combined with monitoring for abnormal traffic on the network, lets the company rely mainly on planned patching.