
Patch Management Services

Patch management is a service QPC provides to subscribed clients. It is critical that patches for installed software are applied to all systems in a timely fashion. While you can patch your computer manually, you will likely not do it as fast as QPC can do it for you. Installing patches in a timely fashion is a key component of keeping your computer from being compromised.

QPC also avoids the installation of other undesired software that often presents itself to you if you do the update process yourself. This software is generally bundled with free software like Java or Flash and can be adware or other software that conflicts with existing installed applications.

PCI DSS 3.0 specifies that patches need to be installed within 30 days of the patch's release. SANS CSC 5.0 says patches should be installed within 48 hours of release. QPC believes that patches should be installed within 48 hours of the patch's release.

In order to deploy patches, some testing must be performed. QPC tests supported patches, deploys them to managed systems, and verifies that patches have been successfully installed through a quality check process.

The scope of patch management services INCLUDES patches for the following software:

  • Adobe Acrobat
  • Adobe Reader
  • 7-Zip
  • QuickTime
  • Adobe Flash
  • Adobe Shockwave
  • Oracle Java
  • Mozilla Firefox
  • Chrome
  • Dell laptop and desktop BIOS updates

The following software is not patched through automatic processes:

  • iTunes
  • QuickBooks
  • Firmware and driver updates
  • Google Toolbar
  • Safari
  • Any other software not explicitly listed in the INCLUDE list above

Other maintenance and monitoring functions performed are:

  • Hard drive free space monitoring
  • Weekly hard drive defragmentation
  • Monitoring of hard drive SMART status
  • Automated computer healing actions based upon monitoring alerts such as low disk space alerts

Services NOT included in annual patch management services scope of work:

  • BIOS, driver, or firmware updates on servers; these must be done manually.
  • Software installs or other work requested by clients that is not explicitly listed in the INCLUDE list

____________________________________________________________________________________________

Necessary security models in today's world of advanced persistent threats

We need adequate security in today's world of advanced persistent threats in order to just keep our computers working. You may think that your data files or email are not that important and you don't need to have security. If you want to simply keep your computer working reliably, layered defense strategies are needed. Fortunately, having good security is affordable.

We no longer live in the age of removable viruses. The vast majority of viruses and malware that exist today are extremely damaging to computers. Even in circumstances where a virus can be removed, if the virus was able to access the computer with administrator privileges, the operating system is usually severely damaged, requiring a complete rebuild of the computer. Rebuilds are very expensive and can be avoided by using common-sense security strategies.

Viruses and malware are not able to damage the operating system if they are not allowed to get to the computer hard drive. One extremely effective way to achieve this is to use web 2.0 filtering software that is constantly updated with lists of sources of malicious content. Trend Worry-Free Business Security Services is a security product that does an excellent job of preventing malicious content from getting onto your computer. However, Trend WFBiz Sec is only one component of the necessary security strategy to keep your computer working.

The second primary method in preventing viruses and other malware from inflicting irreversible damage to the computer is to use privilege separation. This concept is quite simple. It simply means that you do 99% of all of the work you need to do on your computer as your regular user account that does not have administrator privileges. You have a separate account with administrator privileges. That account can be used for software installs/uninstalls and installation of software updates.

The third primary method in preventing malware from damaging your computer is to install patches for software that interacts with the internet as soon as possible after a patch is released. Ideally, these patches should be installed within 48 hours of the release of the patch. In order to do this patching, you must know of the patch's release and then log on with your special admin account and install the update. In the last three years, Java vulnerabilities have been the number one reason for computer compromises. In most cases, the computers were compromised because they did not have the most recent version of Java installed. Since 1993, the timely installation of software patches has been an effective measure to keep your computer from getting compromised.

Regarding patching, you have two choices here. One option is to get training to patch your computer on your own and then manually check for software updates for ALL of the installed software at least twice per month. Anything less frequent is insufficient. The second option is to outsource patch management and installation services to QPC.

The fourth essential component in a good security strategy is training. You are the first line of defense in keeping your computer working properly. Don't download Flash updates from any website other than Adobe.com. Don't download any Java updates from any website other than Java.com. Realize that many websites have malicious content that tries to trick you into installing fake Java updates and fake Flash updates. Don't click on advertisements. Keep your Trend software subscription current and contact your IT support for assistance when you have questions or find that something is unusual. By NOT browsing the internet using an administrator-level account, you are putting a firewall between the bad stuff and your operating system. It doesn't mean that it's impossible for bad stuff to get on your computer, but it does mean that you are greatly reducing the probability that malware can damage the operating system in an irreversible way.

None of these methods taken by itself is an adequate strategy. But when all methods are combined, an effective security strategy is in place to keep your computer working properly long-term.

About your admin account

The built-in administrator account is disabled for security reasons. Hackers expect that account to exist and to have a weak password. As a result, you have been provided a specific administrator-level account for your use in maintaining your computer. You do NOT need to use the account actually called "Administrator". You have a unique account that is identical to the Administrator account, except that it is more secure because it does not have a predictable account name, and it has a secure password.
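
One way to verify this account model on a Windows PC, as an added example that is not QPC's own tooling. The function name `Test-AccountModel` and its `-DailyUser` parameter are hypothetical, and the script assumes the local-accounts cmdlets that ship with Windows PowerShell 5.1.

```powershell
# Added example: checks the three account conditions described above.
function Test-AccountModel {
    [CmdletBinding()]
    param(
        # Everyday account to check; defaults to the currently logged-on user.
        [string]$DailyUser = $env:USERNAME
    )

    # The built-in Administrator is identified by its RID (500), not its name,
    # so the check still works if the account has been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Members of the local Administrators group (well-known SID S-1-5-32-544).
    $adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $admins   = @(Get-LocalGroupMember -SID $adminSid)

    # Check group membership directly rather than the current logon token,
    # because UAC filters the token of a non-elevated administrator.
    $dailyIsAdmin = [bool]($admins | Where-Object {
        ($_.Name -split '\\')[-1] -eq $DailyUser
    })

    # User accounts with admin rights other than the built-in one.
    $separateAdmins = @($admins | Where-Object {
        $_.ObjectClass -eq 'User' -and
        (-not $builtin -or $_.SID.Value -ne $builtin.SID.Value)
    })

    $builtinDisabled = (-not $builtin) -or (-not $builtin.Enabled)

    [pscustomobject]@{
        BuiltinAdminDisabled  = $builtinDisabled
        DailyUser             = $DailyUser
        DailyUserIsAdmin      = $dailyIsAdmin
        SeparateAdminAccounts = $separateAdmins.Name
        Pass = $builtinDisabled -and (-not $dailyIsAdmin) -and
               ($separateAdmins.Count -ge 1)
    }
}

Test-AccountModel | Format-List
```

`Pass` is true only when the built-in Administrator is disabled, the everyday account is not in the Administrators group, and at least one separate admin account exists.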

Patch management services

If you choose to use patch management services through QPC, we need a window of opportunity to do maintenance and patching on the systems. Most patches come out the second Tuesday of every month, but others occur at other times. We try to get all patches deployed within 48 hours of the release of the patch. If your computer is not on and connected to the internet, this goal cannot be achieved. As a result, we ask that you leave your PC turned on overnight at least the second Tuesday and Wednesday nights of every month. Please note that we may opt to schedule critical patches to install when your computer boots up. We don't prefer this, but it may be necessary if the computer has been off and a critical update needs to be deployed as quickly as possible.

 


 

This article on Dark Hotel is a fine example of why you should never install Flash updates or any other software using a window that prompts you to do the install. Updates should always be installed either directly from the software manufacturer's website or by a centrally-managed systems management platform. The Dark Hotel article is also an excellent example of why you need to have managed systems, and why users should not be able to install software.