
Commentary: Patch priorities

Patching security vulnerabilities is a major headache--such fixes must be tested before they're applied, yet they're released with a frequency that makes it a real burden to keep up.

By Forrester Research
Special to CNET
September 11, 2003, 12:30PM PT

By Jan Sundgren, Analyst

Battered by malicious code such as MSBlast and Slammer, which exploit software vulnerabilities to spread across the Internet, organizations are more pressed than ever to fix these vulnerabilities.

But patching security holes is a major headache--patches must be tested before they are applied, yet they are released with a frequency that makes it a real burden to keep up. One element of getting the process under control is to prioritize patches according to how critical they are, so administrators can focus their efforts on the most important patches.

The importance of a patch for a particular organization depends on several factors: whether (and how) the vulnerability is being exploited, how likely it is to be exploited and what an exploit would do to the organization's specific systems and business processes. Alternative means of addressing a vulnerability, such as closing a port on the firewall, also factor in. Patches could be sorted into several categories that reflect different levels of urgency, as follows:

Level 1: Critical. The vulnerability is already being exploited and your company could be hit at any time. Important systems are vulnerable, and alternative means of defense are too costly. Testing of the patch must be executed quickly, because the patch should be applied as soon as possible. The risk of the patch causing problems is outweighed by the risk of the vulnerability.

Level 2: Urgent. The vulnerability is not being exploited yet, but it affects important systems, and it has serious potential. Alternatively, the vulnerability is being exploited, but it does not affect the most critical systems. The patch should be tested and distributed within a week, so testing can be more thorough.

Level 3: Less urgent, but requiring attention. The vulnerability is not a major threat, and it can be patched during monthly maintenance.

Level 4: Minimal. The vulnerability may not be a serious problem at all, and the patch should be applied whenever convenient.

Different organizations will establish different policies, but by prioritizing patches, they will make it easier to keep up, and they will install fewer patches that have not been thoroughly tested. Obviously, it can be difficult to evaluate the severity of a particular vulnerability in a specific environment--that requires detailed knowledge of not only the systems in place but also of the specific business processes that run on them. Vendors like TruSecure, Archer Technologies and Xacta can help manage the work flow for evaluating the threat to particular systems and business processes.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.