Keeping Operating Systems and Applications up to date
February 28, 2010Develop and maintain a list of sources of information about security problems and software updates for your system and application software.
The most common sources of current information include Web sites of vendors and computer- and network-security organizations. Lists and Web sites appear, disappear, and change frequently. You need to ensure that the sources you consult are up-to-date.
Establish a procedure for monitoring those information sources.
In the case of mailing lists, you usually receive announcements about security problems and software updates soon after they are available. Web sites vary considerably in the timeliness of their announcements, so you need to decide how often to look for information there. Some of the news-oriented Web sites are updated one or more times a day, so daily monitoring is recommended.
Evaluate updates for applicability to your systems.
Not all updates are applicable to the configuration of the computers and networks in your organization and to your organization’s security requirements.
Evaluate all the updates to determine their applicability, and weigh the cost of deploying an update against the benefits. Keep in mind that failure to install a vendor patch may result in a known vulnerability being present in your operational configuration.
Plan the installation of applicable updates
The installation of an update can itself cause security problems:
During the update process, the computer may temporarily be placed in a more vulnerable state.
If the update is scheduled inappropriately, it might make a computer or information resources unavailable when needed.
If an update must be performed on a large number of computers, there can be a period of time when some computers on the network are using different and potentially incompatible versions of software, which might cause information loss or corruption.
The update may introduce new vulnerabilities.
Updates can also cause a number of problems in other installed software. You may want to consider running a previously developed regression test suite to compare current performance with past performance. Another approach is to install the update in an isolated test environment and run a series of user trials before releasing the update on your operational systems.
Software packages are available that show you the differences in the system as a result of installing the update. We recommend that you use one of these to fully understand and analyze the effects of the update on your systems.
In addition, you should always backup your system prior to applying any updates.
Any method of updating that depends on an administrator physically visiting each computer is labor intensive but will work for networks with a small number of computers. You will need to employ automated tools to roll-out updates to a large number of computers. Some of these tools are provided by vendors for their specific products. You may need to develop tools that are tailored to your environment if vendor tools are insufficient.
Given the number and diversity of operating systems and applications, the update process can become unmanageable if it is not supported by appropriate levels of automation. This may result in updates not being performed, which in turn places your systems at risk by allowing intruders to take advantage of known vulnerabilities.
When using automated tools to roll-out updates, the affected computers and the network are likely to be vulnerable to attack during the update process.
To lessen this vulnerability, you should use only an isolated network segment when propagating the updates or consider using secure connectivity tools such as SSH.
www.bestitdocuments.com