Patch management – not for the faint of heart

If you're a U.S. consumer, you're likely pretty peeved at Equifax right now. By all accounts, a missed patch led to the exfiltration of highly personal data on more than 145 million consumers. If patch management were easy, Equifax would likely still have our data. The simple fact is, however, patch management is hard, a problem we must all face. While there are no easy solutions, there are steps you can take to make the process more achievable.


By now, most in the US are aware of the massive data breach at Equifax, with data on an estimated 145 million consumers being disclosed. Initial reports link the breach to a missed patch for a key web software component, a patch that had been available for some time but had not been applied by Equifax.

My consumer side is mad at Equifax. They have been entrusted with my most personal data, and due to their careless patching, I and many other consumers will be looking over our shoulders for years to come. On the other hand, my professional side is inclined to be considerably more understanding. After all, a good patching strategy is very difficult to implement. Even if a leading-edge organization finds a way to stay current, they still have trouble keeping up with the zero-day vulnerabilities and those that are, as yet, undisclosed.

Most organizations understand the importance of patching their systems. At the risk of over-simplifying the problem, their reluctance to do so is explained by a simple equation:

patching = downtime = lost revenue

Since many companies have web applications used by consumers at all hours, they never want those applications to be unavailable. Therefore, they are reluctant to schedule downtime for patching. 
