Dec 04, 2008
Report From PSI 1.0 Launch
I blogged just last week about the release of Secunia's PSI 1.0, which is software you can use to check whether your applications and Windows patches are up to date on a daily, weekly, or monthly basis. According to a recent article on Dark Reading, it looks like less than 2% of 20,000 machines that were tested actually scored 100%, meaning all applications were patched and up to date. Most of these machines were consumers, but not all of them, which is alarming considering that the technology available to patch systems these days is very accessible and affordable.
The first thing I can think of is that patches do not always play well with all systems. I myself have been a victim of a bad patch, mostly causing application instability and a major performance impact. Usually the turnaround time to fix those issues is good, but not always. And if I cannot work on my computer, that patch is coming off, leaving the window open again for attack. Now consider that I am a business that has 1,000 machines to take care of, and I have to test quickly and roll out to minimize the risk of getting infected, breached, or even worse. Sometimes you have to just send it out and pray that it works out for the best.
Randy Abrams from ESET makes a fantastic point in the article from Dark Reading (http://www.darkreading.com/security/client/showArticle.jhtml;jsessionid=QTZJ5C3W4XJN0QSNDLOSKHSCJUNN2JVN?articleID=212201991) that I would like to expand upon: 2% is not actually that bad considering how many applications are out there on machines. I checked my PSI just a second ago and noticed that there are about 5 applications I rarely if ever use. I do keep them up to date as best I can, and PSI helps, but in the event I need that program I keep it on my machine. The more you add, the more you have to patch. Without PSI I would be completely lost. Again, I think about that 1,000-machine scenario from above, and wonder sometimes how these technology staff even keep up with this stuff.
Patching is important, probably the most important thing you have to keep current. Without the patch you are relying on your endpoint security programs to protect you, and nothing is 100% effective there. We all do what we can, when we can, and consumers are more at risk here than anyone else. Take for instance the new worm resulting from the MS08-067 vulnerability. Most of these infections will end up being consumer machines, thus spawning a new botnet, but some of these will be companies as well. If you have not done so already, patch your machines; the file is 866kb and has shown no interference with any programs. It could save you a lot of trouble down the road.
Perhaps 2009 might be the time to look at your remediation policies, tighten up those patching systems, and get a better vulnerability scanner. The risk associated with not purchasing these systems is debatable from situation to situation, but spending a little money now to stop a huge loss may be reason enough to bring it to the table at your next meeting.
David Feligno
Network Security Group, Inc




