Why Nevada Federal Moved To Patch Management App

Battening the hatches takes more than expensive intrusion detection or multiple firewalls. An equally effective-and less expensive-component of IT security is patch management, according to a credit union here.

Nevada FCU has used patch management software for more than a year to scan its 35-server networked systems for missing patches, according to George Lund, technical services manager.

More than 90% of security breaches result from known system vulnerabilities-users simply haven't applied patches, or software updates, research by Forrester Research, Cambridge, Mass. and Stamford, Conn.-based Gartner Group has found.

'Not Missing Anything'

Therefore, comprehensive patch management can bolster security, and automated patch management can make it feasible, believes Nevada Federal.

"Now we're 100% certain that we're not missing anything on any of our servers," explained Joe Tressler, network administrator. The $660-million CU uses San Diego, Calif.-based St. Bernard Software's UpdateEXPERT, at a cost of $1,600 for 75 licenses.

Once vulnerabilities are identified, updates are automatically applied. Before UpdateEXPERT, said Lund, Nevada FCU searched for patches and deployed them manually.

But that approach was a little risky. "We weren't getting all the patches," Lund said.

"I think we were lucky that nothing bad happened," added Joe Tressler, network administrator.

Beyond the risk, manually tracking current patches for all 35 servers was "more than a full-time job," Tressler said. Microsoft alone released 64 patches in 2002.

Once Tressler had identified a requisite patch, he'd only just begun. "When a new patch came out, we had to load it on every single server," he explained. "I'd have to come in for six hours on a Saturday every month. Most of the time would be spent downloading, applying, and rebooting the machines.

A Day Off

"Now I can schedule that to happen on a Saturday, but I don't have to be there," he said.

The 80,000 member-CU uses UpdateEXPERT weekly to run one-minute scans of its operating systems, SQL Server, Internet Information Server, and Microsoft Office programs. Suitable for Windows operating environments, UpdateEXPERT also can manage patches for Terminal and Exchange Servers, Internet Explorer, and Microsoft Outlook, among others.

UpdateEXPERT pulls necessary patches from a patch database that is updated 72 hours after Microsoft releases updates. The software enables Nevada FCU to check daily for the latest version of the database. "Once we've heard from Microsoft, we analyze the patch to see if it applies to our servers," Tressler continued. "We can tell the software which patches we want deployed."

Tressler said he doesn't have to worry about the patches introducing instability to the CU's systems. "We first load the patch on a test server to make sure it's not going to do anything to our environment."

UpdateEXPERT also generates system reports showing exceptions to required patches. "We can pull reports to see how compliant or non-compliant we are, and we can keep a record of which patches we've applied," Lund said.