Sunday, April 11, 2010

The Myth of Patch Management

From an old video recording of a security session held at Technet:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=991

“The Air Force had an environment where they standardized, based on a limited number of server builds and client builds using images and vhd files... and then they allowed them to make another decision. They did a risk assessment of patch delays and came to the following conclusion...

If we delay installation of a patch because we have to test it, then there is a time window between patch download date and install date, of when their machines are vulnerable to attack…

and their risk assessment concluded that getting attacked in that time window is much more likely than immediately installing the patch and seeing if an application breaks. That was their risk assessment. So they have done what I have been begging people to do for years. They have turned their patch management over to Microsoft (outsourced it to us). When we issue a patch, they install it right away.”

- Steve Riley, Former Senior Security Strategist - Microsoft Trustworthy Computing

Book author of "Protect Your Windows Network, from Perimeter to Data"


However, there is one point on which I would disagree with the Air Force. Newly released operating system service packs and IE versions must be tested in a business environment first, regardless of how small or large the business is and whether or not there is a testing team. At the same time, I do not recommend delaying the installation of those updates. I have seen security experts who test new service pack updates even for their home environment.


Note: Steve Riley is now with Amazon Cloud Computing. He can be found here: http://stvrly.wordpress.com/

