By Forrester Research
Special to CNET News.com
September 11, 2003, 12:30PM PT
By Jan Sundgren, Analyst

Battered by malicious code such as MSBlast and Slammer, which exploit software vulnerabilities to spread across the Internet, organizations are more pressed than ever to fix these vulnerabilities. But patching security holes is a major headache: patches must be tested before they are applied, yet they are released with a frequency that makes it a real burden to keep up.

One element of getting the process under control is to prioritize patches according to how critical they are, so administrators can focus their efforts on the most important patches. The importance of a patch for a particular organization depends on several factors: whether (and how) the vulnerability is being exploited, how likely it is to be exploited, and what an exploit would do to the organization's specific systems and business processes. Alternative means of addressing a vulnerability, such as closing a port on the firewall, also factor in.

Patches could be sorted into several different categories that reflect different levels of urgency in the following way:

Level 1: Critical. The vulnerability is already being exploited and your company could be hit at any time. Important systems are vulnerable, and alternative means of defense are too costly. Testing of the patch must be executed quickly, because the patch should be applied as soon as possible. The risk of the patch causing problems is outweighed by the risk of the vulnerability.

Level 2: Urgent. The vulnerability is not being exploited yet, but it affects important systems, and it has serious potential. Alternatively, the vulnerability is being exploited, but it does not affect the most critical systems. The patch should be tested and distributed within a week, so testing can be more thorough.

Level 3: Less urgent, but requiring attention. The vulnerability is not a major threat, and it can be patched during monthly maintenance.

Level 4: Minimal. The vulnerability may not be a serious problem at all, and the patch should be applied whenever convenient.

Different organizations will establish different policies, but by prioritizing patches, they will make it easier to keep up, and they will install fewer patches that have not been thoroughly tested. Obviously, it can be difficult to evaluate the severity of a particular vulnerability in a specific environment: that requires detailed knowledge not only of the systems in place but also of the specific business processes that run on them. Vendors like TruSecure, Archer Technologies and Xacta can help manage the work flow for evaluating the threat to particular systems and business processes.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
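The four urgency levels above can be expressed as a small policy-as-code triage rule. The following is an added example, not part of the Forrester article: the field names, the sample backlog and the Level 1, 3 and 4 deadline windows are this example's own assumptions (the article only fixes "within a week" for Level 2).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Level(IntEnum):
    CRITICAL = 1   # exploited, important systems hit, no cheap workaround: patch ASAP
    URGENT = 2     # test and distribute within a week
    ATTENTION = 3  # fold into monthly maintenance
    MINIMAL = 4    # apply whenever convenient

@dataclass(frozen=True)
class Assessment:
    """One vulnerability as assessed for a specific environment (constructed fields)."""
    advisory: str
    exploited_in_wild: bool          # is the hole being exploited right now?
    affects_important_systems: bool  # does it reach systems the business depends on?
    serious_potential: bool          # would a successful exploit do real damage?
    cheap_alternative_defense: bool  # e.g. the port can simply be closed at the firewall

def triage(a: Assessment) -> Level:
    """Map the article's factors onto its four urgency levels."""
    if a.exploited_in_wild and a.affects_important_systems and not a.cheap_alternative_defense:
        return Level.CRITICAL
    # Exploited on less critical systems, exploited but cheaply mitigated, or
    # unexploited with serious potential on important systems.
    if a.exploited_in_wild or (a.affects_important_systems and a.serious_potential):
        return Level.URGENT
    if a.serious_potential or a.affects_important_systems:
        return Level.ATTENTION
    return Level.MINIMAL

# Deadline per level. Only Level 2's "within a week" comes from the article;
# the other three windows are this example's assumed policy values.
DEADLINE_DAYS = {Level.CRITICAL: 1, Level.URGENT: 7, Level.ATTENTION: 30, Level.MINIMAL: 90}

def patch_due(a: Assessment, released: date) -> date:
    """Date by which the tested patch should be deployed."""
    return released + timedelta(days=DEADLINE_DAYS[triage(a)])

def prioritize(queue: list[Assessment]) -> list[tuple[str, Level]]:
    """Order a backlog so administrators see the most urgent patches first."""
    return sorted(((a.advisory, triage(a)) for a in queue), key=lambda t: (t[1], t[0]))

# Constructed sample backlog; advisory names are placeholders, not real bulletins.
SAMPLE_QUEUE = [
    Assessment("ADV-A", True, True, True, False),   # worm-style: exploited, important systems
    Assessment("ADV-B", True, True, True, True),    # exploited, but blockable at the firewall
    Assessment("ADV-C", False, True, True, False),  # unexploited so far, serious potential
    Assessment("ADV-D", False, False, False, False),
]
```

Note that an exploited hole on important systems drops from Level 1 to Level 2 as soon as a cheap alternative defense exists, which is exactly the trade-off the article's Level 1 definition makes.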