When did you last patch your systems?

By Charles

May 23, 2017

Database Services, it services


As of the very recent and no doubt still stinging cyber attack, I thought I would hit this question head-on with some rather frank honesty.

When did you last patch your systems?

Patch your systems today!

I have mentioned patching before, and I’m not pulling any punches this time.

Everyone and I mean everyone, should know security patches are something to install each month as part of continuous improvement.

Microsoft releases patches on roughly the second Tuesday of every month.

They should, in my opinion, be deployed to test systems on that day or within seven days.

What happens to the test system if the patches screw it up?

Well, you restore from backups. You do have backups… right?

Once installed, these patches lead to some testing of those servers to ensure that any software on them still functions.

If it stops working, you roll back the patches and determine which is causing the issue.

Then you try again without the patch causing the issue to confirm it is a problem.

Then you either do not install the offending patch if you believe it is unnecessary or make it work with it installed.

The one thing you never do with patching is NEVER patch anything.

When doing good IT service providers patch systems?

As soon as patches are released, the information about them is available to hackers.

They can read through the latest vulnerabilities being patched and create exploits for them.

This is a dangerous time to be sitting on unpatched systems. Google give Microsoft a 90-day lead to fix any issue they find.

Then they announce it to the world no matter if people feel it is right or wrong, even if Microsoft has not got a patch for it yet.

Any decent IT service provider would have tested these patches for their clients and rolled them out through their change management processes.

Any company with an internal department worth their salaries should have been doing the same each month.

Cyber security is not a joke.

The losses concerning data theft, reputation and financial losses can be staggering even over short periods.

Your company could be out of business in weeks or months after a devastating attack.

If you think a single piece of equipment like a firewall or anti-virus will stop an attack, you live in a dream world.

Security has to be a broad strategy and in-depth—multiple defences on multiple lines, just like a standard battlefield.

I expect every system to be patched within two weeks of patches being rolled out to your test systems.

That should be a complete patching of all systems within 2 to 3 weeks of release.

Rolling patches straight to production systems is risky hence the time to test them first.

Not rolling them out at all should be a P45-generating event.

Wake-up call – patch your systems ASAP.

This weekend will have been a harsh wake-up call to many companies and organisations worldwide.

If anything is to be learned, the need for regular patching schedules should be at the top of your list.

I foresee tens of thousands of person-hours of overtime being spent as unprepared departments scramble to patch every neglected system on the net.

In terms of physical health and IT, prevention is better than cure. You will most likely find it a lot cheaper too.

So when is the best time to patch your systems? The answer is before a major cyber attack and not during/after it. So spend the next few days creating a patching schedule and repairing your systems!

Charles

About the author

Microsoft Certified SQL Server DBA with over a decades experience including work for large FTSE 250 companies amongst others. The SQL Server stack has been the focus of almost all of my career in IT. I have experience designing, supporting and troubleshooting large Data Platform deployments.

You might also like

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
>