Small Business Attack – Patch Tuesday (and others)

Every month, on the second Tuesday, Microsoft releases a set of patches to their software.  They’re ranked in various ways, based on what they correct and how critical they may be.  Then, two things happen:

First of all, various security groups review them and start posting their opinions (I prefer the Internet Storm Center synopsis). After that, those of us with more internally-focused positions start reviewing the various summaries by both the security groups and Microsoft and work up an internal plan to test and deploy the patches appropriately. When, after everything looks right, we start deploying the patches to make sure that everything is nice and secure.

Secondly, the various more selfish security groups also review them… but in a tad different way. They investigate what the patches correct and start trying to come up with malicious code that exploits the problem. Then, at the same time that we’re reviewing the patches for our environment, they’re running tests against various other systems. If we’re lucky, at the time that we’re deploying the patches on our systems, they’re deploying the new malware against our systems. If we’re not lucky, they beat us to the punch.

Of course, this is a somewhat simplified scenario. There are a great many more vendors than Microsoft, so this cycle doesn’t really take place on a monthly basis. Some vendors release updates on a quarterly basis, some are yearly and some are pretty much whenever they feel like it. So really, each day is a steady flood of vulnerability information and, if we’re lucky, patches to go along with them.

If you can stay on top of the flood, you can keep your systems somewhat protected. Off course, if you miss something, you leave a hole that an attacker can easily find.

So what do you do about it?