I’ve had this argument before with other IT professionals and it’s nice to have some empirical evidence to back up my contention… that when it comes to organizational IT…
Both are required reading, but the conclusion:
Collectively, our “Verizon Business 2008 Data Breach Investigations Report”, along with our earlier studies, suggests that getting the right mix of countermeasures in an enterprise is far from simple. Rather than “do more,” all three studies seem to suggest that we should “work smarter.” The Sasser study shows that in some cases working harder seems to not only consume significant resources, but is also sometimes counterproductive. Unfortunately, precious few of us have the data or risk models available to show us exactly how to focus our limited time and resources.
A control like patching, which has very simple and predictable behavior when used on individual computers (i.e., home computers), seems to have more complex control effectiveness behavior when used in a community of computers (as in our enterprises).
Communities behave differently than individuals.
This reminds me of the differences between individual medicine and community health. After all, you can effectively treat an individual with cholera with a mixture of salt and sugar water, but putting salt and sugar in the drinking water does nothing to reduce cholera in the community.
Every time you deploy a patch, you’re changing software. Usually, the patch works as intended… however, sometimes it introduces a new security vulnerability (this is what happened with the Debian SSL patch), sometimes it has some unintended consequence in service availability (you just broke something your enterprise relies upon… whoops!), and sometimes the patch doesn’t matter in the slightest.
Developing change management controls over your patch management is a necessary step in managing your systems and services. Patching your systems is indeed something that you need to do, but having decent security controls in place is going to be a better use of your time.
On clients, system-wide automatic updates are fine. On servers… it’s something else altogether.