How Will You Spend Your Patch Tuesday?For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Savings Time issues to even notice?
For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Savings Time issues to even notice?The temporary Patch Tuesday armistice is something of a relief for Bob Burritt, IS network and technology manager for Kettering Medical Center Network, a group of 50 health-care facilities in and around Dayton, Ohio. But he's not reserving a tee time just yet. "We always have something else to do so it is not a hole in anyone's workload," he says.
At Brown University, it's Paul Asadoorian's job as lead IT security engineer to review the monthly set of patches and make recommendations to the groups in charge of the school's desktops and servers based on the amount of risk each Microsoft vulnerability poses. Managing Patch Tuesday has become just another routine for Asadoorian and the rest of Brown's IT staff. "People always say it's a big day, but it's the normal course of doing business," he says.
In fact, the lack of a Patch Tuesday makes Asadoorian more uncomfortable that he would normally be on the second Tuesday of the month. "For me, I think it's pretty scary," he says. "It gives people too much of a sense of security."
Asadoorian would actually like to see Microsoft deliver more patches spread throughout the month than wait for one particular day. "You can't lose sight of the fact that attackers don't wait until patches come out to attack your systems," he says. "I would like to see Microsoft release patches out of cycle, so that we don't have to do our own workarounds."
So does this Patch-less Tuesday come as a big relief? A surprise? Just another day? Long overdue? "All of the above," says Larry Whiteside, information security officer for Marsh Inc., a provider of risk and insurance services. The lack of a Patch Tuesday disrupts what had become a monthly ritual for Marsh that included time spent analyzing each Patch Tuesday release and scheduling meetings to discuss them. "Every IT person I know of has taken a sigh of relief," he says. "This is more than long over due, but my fear is this: what will happen next month?" Hopefully, it won't mean twice as many patches.
Windows has overnight (or over the course of a month) become a much more secure product? More likely, Microsoft recognized that the timing of March's Patch Tuesday couldn't be worse, as companies were until this past weekend more focused on the Daylight Savings Time issue than anything else (even Windows). "To add Black Tuesday to the mix this month with critical vulnerabilities would send people reeling," Whiteside adds.
There are probably as many opinions about Patch Tuesday as there are people charged with securing their company's IT systems. We'd like to hear yours. Let us know how you'll be spending tomorrow's Patch-less Tuesday.