Re: When is a Security patch not a patch?

I seem to have the same issue. Management and more specifically the
sysadmins seem to believe that since allot of the patches are security
in nature, that now patch management falls under the responsibility of
the security administrator. First off coming from the sysadmin ranks I
would think most admins would prefer to patch their own systems for may
reasons I don't think I need to state and second do they really think we
have the time or expertise to deal with potential issues related with
patching some systems.

Starting 2 months ago I indicated to the admins (this was approved my
management) through a new defined and formal MIS corporate policy, that
sysadmins would need to take ownership of the patch management process
and that I would oversee the program including quarterly vulnerability
assessments. I even took patch ownership of 1/4 of our servers (30
servers out of 100).

My situation is also ad-hoc practice as far as patch management goes,
but what amazes me isn't that fact the admins seem to think its my
responsibility to patch their systems, but that since I have stopped
patching the vast majority of them, in most cases the admins not only
are not patching their servers, but they don't seem to care.

I have never worked with admins that have such a lack of motivation when
it comes to patch management.

Basically it bowls down to how much weight MIS management is willing to
put behind it.

On Thu, 2007-03-01 at 17:22 +0000, solutions@xxxxxxxxxxxxxxxxxxx wrote:
I have a dilemma. I'm the IT Security dude. I'm responsible for filtering incoming security information (CERT announcements, vendor security patches, real threats, etc.) and doing an impact analysis on them.

Since our organization is very structured i.e. ITIL I then send my report to our Service Delivery team who is responsible for the hands on sysadmin.

So my dilemma is this. Management is now rethinking this approach (since the Service delivery folks are quite busy) and is expecting me to apply patches. My argument is that;
a) No one person can have the detailed knowledge of all the OS's we support (basically all OS's) to
be able to do this and;
b) That a security patch is just another patch, albeit more urgent than patches applied during the regular patch cycle.

To be frank, there is no patch management procedure in place at all. Patches are applied in an adhoc "as needed" basis.

So what to do? Can anyone offer any insight?

Please and Thanks,

This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse. Arm your
enterprise with BigFix, the single converged IT security and operations
engine. BigFix enables continuous discovery, assessment, remediation,
and enforcement for complex and distributed IT environments in real-time
from a single console.
Think what's next. Think BigFix.;82309979;15562032;o?


Jason P. Rusch, CISA/CISSP
Information Security Manager
Wesley Chapel, FL 33543
AOL IM: SaltyNetGuru

"There is no patch for stupidity"

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the
material from any computer.

Relevant Pages

  • RE: Releasing patches is bad for security
    ... The new patch model for longhorn will not require reboots. ... functionality over security. ... Current patches are getting smaller as with large enterprises bandwidth can ... > MS posted a patch and some 300ish days later the worm hit. ...
  • RE: Releasing patches is bad for security
    ... posted a patch and some 300ish days later the worm hit. ... The problem then is how to release patches ... specifically focused on finding security flaws in all of their software. ... Releasing patches is bad for security ...
  • Re: [Full-Disclosure] Gates: You dont need perfect code for good security
    ... the blaster worm preceded the patch so this argument is DOA ... you do not have to pay for RHN to get redhat patches. ... I run Astaro Security Linux here at the house..blaster ...
  • Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
    ... But you'd still patch either way, ... of home users who don't even know what a security patch *IS*, ... But how many organisations firewall off internal servers from ... administrators have the time to watch the IDS given the number of patches they ...
  • Re: When is a Security patch not a patch?
    ... I'm the IT Security dude. ... security patches, real threats, etc.) and doing an impact analysis on them. ... there is no patch management procedure in place at all. ...