For various reasons, users -- even administrators -- do not patch properly. Here's how to get a handle on security patch pain Over the last week I’ve had two clients who’ve had computers broken into because their computers were not appropriately patched. One client’s Internet-facing server lacked a critical system patch, and the other was exploited by an unpatched client system infected by a “trusted” Web site.I know at times that I sound like a broken record about this issue, but I’ve yet to visit a client (and I consult, on average, about three per month) that has acceptable patching practices in place. They all have patch management software, but for various reasons, my spot-check auditing usually reveals significant deficiencies. [ Related from security news: “New Web attack exploits unpatched IE flaw” | Earlier this week, Microsoft released this year’s final set of patches, bringing the total for 2008 to 77 patches ]A study by Secunia showed that only 1.91 percent of the computers scanned by their Software Inspector product were completely patched. Even worse (see table below), nearly half of the PCs inspected had 11 or more unpatched programs. Table 10 Insecure Programs 1.91% of PCs 1 – 5 Insecure Programs 30.27% of PCs6 – 10 Insecure Programs 25.07% of PCs11+ Insecure Programs 45.76% of PCsAnd you have to believe that the people running the Software Inspector program are among the security-savvy. Why don’t people — and in particular, administrators — patch properly? First, it’s a difficult job to keep on top of. The patches come frequently throughout the week. Microsoft may only release patches on one Tuesday a month, but most vendors release them ad hoc, often without warning. You may hate Patch Tuesday, but I’ve heard Linux and Apple administrators complaining about how they get their teams together and apply a patch, only to discover yet another new patch the day after, and another the day after that. If you live in that world, Patch Tuesday doesn’t seem so bad. And that’s only one vendor’s software. Add in every software product you have, each with a different patching cycle, and it’s a plan for chaos.Sometimes you patch software and the older versions remain behind. This is a problem with Sun Java Virtual Machines, Microsoft .Net, Macromedia Flash, and several other applications. You may not even know the older version is still installed, but a malicious JavaScript link can ferret it out. Oftentimes, even when using rock-solid patch management software, a certain percentage of upgrades will fail. In my 20-year-plus experience, the problem rate is somewhere between 1 and 5 percent. That means a machine left unpatched and possibly even a visit by tech support to resolve. And all of us have stories of horrible patch recovery problems that took formatting and complete re-installs to resolve.Some companies have great patch management software, but policies and necessary regression testing mean it could be a month or more until patches are installed. Solutions for patch painGet on top of your patching. If you don’t have systemwide patch management software, get some. Make sure to patch everything on the computer: the operating system, large applications, browser add-ons, everything. If someone else is in charge of patching, spot-check their efficiency. Run Secunia’s Software Inspector and see what comes up unpatched. Except in the rarest of cases (e.g., medical devices requiring regulatory approval, etc.), it’s no longer acceptable in today’s world to wait more than a week or two to apply a critical patch. Internet-facing servers and computers with access to the Internet need to be patched the fastest. Rank assets by criticality and patch the highest risk assets first. If you can’t perform thorough regression testing in a timely manner, create a trustworthy rollback strategy and patch away.If you cannot patch in a timely manner, look into offsetting controls, like IPS solutions and inline patching solutions. My former favorite inline patching solution, BlueLane’s PatchPoint, has been acquired by VMware and doesn’t appear to be available at the moment. Anti-malware solutions, firewalls, and auditing certainly have their place in any patching strategy. But all these offsetting controls are doomed to eventual failure. Having fully patched software is one of the best things you can do to improve your security posture.Many readers might find this topic boring, but I plan to keep covering it until I find more clients fully patched than unpatched. Top echelon computer security administrators know that the best computer security comes from doing the boring stuff consistently great. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe