Patch Management
Becta 2006 You may reproduce this material free of charge in any format or medium without specific permission, provided you are not reproducing it for profit, material or financial gain. You must reproduce the material accurately and not use it in a misleading context. If you are republishing the material or issuing it to others, you must acknowledge its source, copyright status and date of publication. Publication date March 2006 Originally published online in February 2006 as part of the Becta website http://www.becta.org.uk/fits While every care has been taken in the compilation of this information to ensure that it is accurate at the time of publication, Becta cannot be held responsible for any loss, damage or inconvenience caused as a result of any error or inaccuracy within these pages. Although all references to external sources (including any sites linked to the Becta site) are checked both at the time of compilation and on a regular basis, Becta does not accept any responsibility for or otherwise endorse any product or information contained in these pages, including any sources.
British Educational Communications and Technology Agency, Millburn Hill Road, Science Park, Coventry CV4 7JJ
PM 1 Overview
PM 1.1
PM 1.2
in a newsletter or bulletin. To enforce safe practice by users, the school can put in place an acceptable use policy which clarifies what users may and may not do.
PM 1.3
PM 1.4
For Patch Management to be effective, the patch administrator (PM 4) needs to have access to information about new patch releases, antivirus and spyware updates, driver updates and so on. You can make a list or spreadsheet of manufacturers' websites that hold the patches and updates in the configuration management database to give all technical support staff access to this important information. The patch administrator can create the list and keep it up to date by regularly visiting manufacturer and supplier websites, or by subscribing to mailing lists. Some websites are now beginning to add RSS (really simple syndication) feeds to their sites, which allows the patch administrator to take the headlines from the site and list them all together on one page. The patch administrator can see at a glance the changes that are relevant and then construct a custom page with information about driver updates from multiple suppliers. It is recommended that the patch administrator allocates time for keeping up to date with the latest information about updates for all of the components in the network.
Patch Management terms
Patch or fix: A release of software that includes bug fixes or performance-enhancing changes
Driver: Software required by the operating system to make a piece of hardware function
Service release or service pack: A release of software that bundles together several patches and/or updates to provide a clear benchmark or level of release (eg 'This software has Service Release 1 installed.')
Update: A release of software that adds new functionality to an earlier version
Version or build: Software that has a numeric or named attribute denoting its maturity or age (eg 'Are you on version 1 or 2?'). Higher value increments indicate a more mature release, which is likely to have fewer bugs and to run better than earlier builds.
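The single page of headlines from several suppliers' RSS feeds described above can be built with a short script. This is an added example, not part of the original Becta guide: the supplier names, URLs, feed contents and keyword list are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample RSS 2.0 feeds; supplier names and URLs are placeholders.
FEEDS = {
    "ExampleAV": """<rss version="2.0"><channel>
<item><title>Virus definition update 4711</title>
<link>https://av.example/u/4711</link>
<pubDate>Mon, 06 Mar 2006 09:00:00 GMT</pubDate></item>
<item><title>Spring newsletter</title>
<link>https://av.example/news/spring</link>
<pubDate>Tue, 07 Mar 2006 08:00:00 GMT</pubDate></item>
</channel></rss>""",
    "ExamplePrint": """<rss version="2.0"><channel>
<item><title>Printer driver 2.3</title>
<link>https://print.example/drv/2.3</link>
<pubDate>Wed, 08 Mar 2006 10:15:00 GMT</pubDate></item>
<item><title>Switch firmware 1.0.9</title>
<link>https://print.example/fw/1.0.9</link></item>
</channel></rss>""",
    "BrokenFeed": "<rss><channel><item><title>cut off",
}
WATCH = ("driver", "firmware", "definition", "service pack", "patch")  # assumed keywords

def parse_feed(supplier, xml_text):
    """Return one dict per <item>; a missing or malformed date gives when=None.

    For feeds fetched from the network, a hardened parser such as defusedxml
    is preferable to the standard-library parser used here.
    """
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        pub = item.findtext("pubDate")
        try:
            when = parsedate_to_datetime(pub) if pub else None
        except (TypeError, ValueError):
            when = None
        items.append({"supplier": supplier, "when": when,
                      "title": (item.findtext("title") or "").strip(),
                      "link": (item.findtext("link") or "").strip()})
    return items

def headlines(feeds, watch=WATCH):
    """Merge all feeds: relevant items newest first, plus a list of feed errors."""
    relevant, errors = [], []
    for supplier, xml_text in feeds.items():
        try:
            items = parse_feed(supplier, xml_text)
        except ET.ParseError as exc:
            # A feed that cannot be read was not checked; report it, do not hide it.
            errors.append(f"{supplier}: feed unreadable ({exc})")
            continue
        relevant += [i for i in items if any(w in i["title"].lower() for w in watch)]
    # Undated items sort last rather than being dropped.
    relevant.sort(key=lambda i: i["when"].timestamp() if i["when"] else float("-inf"),
                  reverse=True)
    def line(i):
        date = i["when"].strftime("%Y-%m-%d") if i["when"] else "undated"
        return f"{date}  {i['supplier']}: {i['title']} <{i['link']}>"
    return [line(i) for i in relevant], errors
```

Listing unreadable feeds alongside the headlines matters because a silent parse failure looks the same as "no new updates this week".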
PM 1.5
PM 1.5.1 Expenditure
Patch Management may require subscriptions to vendors of antivirus and antispyware software. As spyware is a relatively new threat to school networks, we have included some additional information on this in Appendix A. Also some hardware manufacturers require you to pay for switch, BIOS and other equipment updates. Once you have bought a product, you normally receive the updates, service packs and patches for free. However, if a new version comes out and you want to move onto that, you usually have to buy the whole product or upgrade to it, for which you have to pay. Manufacturers usually provide hardware drivers at no cost as they are of no value without the purchased hardware. However, if you do not have a valid licence code or serial number for the hardware item, you may not be allowed to download the latest driver free of charge.
PM 1.5.2 People
In a complex network with a high number of components, Patch Management may require a full-time member of staff. However, most schools will allocate Patch Management roles to a technician or the network manager. The patch administrator is responsible for keeping the network components up to date, but may delegate tasks to others such as technicians, ICT staff or users.
PM 1.5.3 Time
It takes time to keep up to date with manufacturer changes and releases to software and hardware. It also takes time to plan and perform updates and patches. When considering the resources required to maintain the network, bear in mind that the more versions of operating systems there are in your school, the more patches and releases you will have to apply, which of course takes more time. This is why we recommend that you limit the number of different types of hardware and operating systems that you buy.
PM 2 Implementation guide
PM 2.1
A list of which patches and updates will be carried out using the Change and Release Management processes and which can be done without them. For example, updating antivirus definitions is unlikely to require Change Management and Release Management, as there is only a low chance of failure and impact on the users, but upgrades to operating systems should, as these are more prone to failure and the impact of failure on the users could be high. If you decide to carry out a patch or update without Change Management and Release Management, you should still log it, as a record of the information could help with future incident or problem diagnosis.
5. Definition of which email attachments and internet downloads are safe to open and how this will be communicated to users.
PM 2.2 Prepare to implement
Good preparation can make the difference between a successful implementation of Patch Management and an unsuccessful one. The first step is to identify the participants and assign roles and responsibilities. We recommend that for the initial implementation you involve as few people as possible so that the tasks can become familiar with minimum impact on the day-to-day workload of the school. The people you select to fulfil the Patch Management roles will depend on how you currently provide technical support and who is involved already.
Training
After you have assigned roles and responsibilities, it is important to ensure that those participating in the implementation and subsequent operation of the function understand what is required of them. Use the FITS OM website as training material.
Start date
A start date is important for any implementation. Choose a date that you can achieve, bearing in mind that you will need to have an up-to-date list of the network components before you start. If you do not have this, you will have to allow time to carry out a full audit or implement FITS Configuration Management.
Communications
Communication must take place within the implementation team to agree plans, schedule dates and so on, but it is also important to communicate externally and inform the user community of the new function. It is a good idea to send out a regular bulletin or email to keep your users informed of changes that have taken place and those that are about to happen. This keeps everyone up to date and helps to mitigate potential problems.
Materials
Before you can go ahead with the implementation, you will need all the materials and tools required for the function; see below for guidelines on maintaining a full up-to-date inventory and using automating tools.
PM 2.2.1
Type: Updates
Computer: BIOS, firmware, system board drivers, video driver, network driver
Operating system: Service packs, patches, feature packs
Switch: Firmware
Antivirus: Data file/Virus definition update
Antispyware: Data file/Virus definition update
Printer: Driver, firmware
Scanner: Driver, firmware
PM 2.2.2 Automating tools
Installing the latest drivers, patches and updates on every computer in school can obviously take a lot of time and may seem like an endless task. However, you can speed up the process using software deployment tools. Tools such as disk imaging or patch management software, along with antivirus administration console software, can help make the task less burdensome. Disk imaging is one method of bringing several computers up to date reasonably quickly. Using Release Management you should be able to document and prepare an image in a consistent way, and then use the Change Management process to deploy the image.
PM 2.3
Role
If it is decided that the new patch or update requires Release Management, completing a build and install form (see RM Appendices D and F) will be necessary.
PM 2.4 Deploy patch
PM 2.4.2
PM 2.4.3 Acquire patch
The next step is to acquire the patch by downloading it from the internet, getting it sent by post or having it emailed to you. Some of the new service packs are hundreds of megabytes in size, in which case requesting those on CD will save you bandwidth and download time.
PM 2.4.4 Test patch
Test the patch on a computer or other device reserved for testing (or a limited number of live computers). The testing itself depends on what the patch claims to fix. You may be able to ascertain that the bug has been fixed, although most patches nowadays are for obscure security holes. Once you are satisfied that the computer or other device still works properly and that the patch has not created other faults, continue to the next step.
PM 2.4.5 Deploy patch
This step may involve imaging a computer and deploying the new image, or it may involve visiting every computer affected by the patch. Again, this depends on the tools you have available and the patch management strategy you employ. A point to note is that in industry, companies implement change freezes: they never make changes over the pre-Christmas period, for example. In the case of schools, it is probably a good idea to have a change freeze during the first day of term and on exam days. Plan any major changes for a time when the users affected are not in school, so that there is enough time to roll back if anything should go wrong.
PM 2.4.6 Review deployment
Once you have deployed the patch, check that none of the computers with the new patch is adversely affected. Also, you need to check that the patch is installed successfully. You cannot assume that the patch has been installed on every computer, as other factors such as lack of disk space, computer shutdown or network problems may have affected the deployment.
Once you have ascertained that the patch has been deployed successfully, update the configuration management database (CMDB) and/or the request for change document associated with this change. Report any incident or problem to the service desk for resolution using Incident Management or Problem Management.
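One way to carry out the review step above is to compare what the deployment tool reported against the list of computers in the CMDB, so that computers which never reported at all are not mistaken for successes. This is an added example, not part of the original Becta guide: the CSV layouts, asset names and patch identifier are constructed assumptions. It also produces the percentage success rate that can be used to measure Patch Management.

```python
import csv
import io

# Constructed sample: computers the CMDB lists as in scope for the patch.
CMDB_CSV = """asset,location
LAB1-PC01,ICT suite 1
LAB1-PC02,ICT suite 1
LAB1-PC03,ICT suite 1
LAB1-PC04,ICT suite 1
LIB-PC01,Library
"""

# Constructed sample: per-computer results reported by the deployment tool.
REPORT_CSV = """asset,patch,status,detail
LAB1-PC01,PATCH-EXAMPLE-01,installed,
LAB1-PC02,PATCH-EXAMPLE-01,failed,insufficient disk space
lab1-pc03,PATCH-EXAMPLE-01,installed,
LAB1-PC04,PATCH-EXAMPLE-01,failed,network timeout
OFFICE-PC9,PATCH-EXAMPLE-01,installed,
LAB1-PC01,PATCH-OTHER-02,failed,not applicable
"""

def review_deployment(cmdb_csv, report_csv, patch):
    """Compare reported results for one patch with the CMDB inventory."""
    in_scope = {row["asset"].strip().upper()
                for row in csv.DictReader(io.StringIO(cmdb_csv))}
    latest = {}  # asset -> (status, detail); a later row replaces an earlier one
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["patch"].strip() == patch:
            latest[row["asset"].strip().upper()] = (
                row["status"].strip().lower(), row["detail"].strip())
    installed = sorted(a for a in in_scope
                       if a in latest and latest[a][0] == "installed")
    failed = {a: latest[a][1] for a in sorted(in_scope)
              if a in latest and latest[a][0] != "installed"}
    # No report at all (for example the computer was shut down): not a success.
    no_report = sorted(in_scope - set(latest))
    # Reported but unknown to the CMDB: the inventory itself needs updating.
    not_in_cmdb = sorted(set(latest) - in_scope)
    rate = round(100.0 * len(installed) / len(in_scope), 1) if in_scope else 0.0
    return {"installed": installed, "failed": failed, "no_report": no_report,
            "not_in_cmdb": not_in_cmdb, "success_rate": rate}

if __name__ == "__main__":
    for key, value in review_deployment(CMDB_CSV, REPORT_CSV,
                                        "PATCH-EXAMPLE-01").items():
        print(f"{key}: {value}")
```

The success rate is calculated against the CMDB list rather than against the computers that reported, so a computer that was switched off lowers the figure instead of disappearing from it.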
PM 2.5 Pilot
To pilot your proposed Patch Management function, it is good practice to trial the changes first on a small group of computers. This enables you to experiment with the way that works best for you and your users. In a perfect world, you would have a test lab where you could experiment with different scenarios that reflected your live network. However, most schools do not have this facility, so it is best to test the implementation on a limited number of computers before going live with this function on the entire network.
PM 2.6
Do we have different versions of the same software/hardware?
How long did it take to obtain the latest versions for each item?
How easy was it to update each group of items?
Did the changes made adversely affect any users? If so, is there anything you could do to mitigate this in the future?
Do people understand their roles and responsibilities?
Was each step of the implementation covered?
If necessary, consider changing the build procedure or creating additional build procedures to cater for this. Consider how you informed users and the timescales involved. Also consider any training implications of the changes made.
Inform staff of their involvement in this process and what is expected of them. If not, go back and perform this section again.
PM 3 Operations guide
PM 3.1
PM 3.2
This list is not comprehensive, so you may well have other items to which you will need to apply patch management. Use the information in your CMDB to create a list of your network components that require patch management.
PM 3.2.1 Computers
As soon as you take a new computer out of its box, it is already out of date! The computer industry moves very fast and within a few weeks of installation, unless you keep it up to date with critical patches, your computer may be in danger of being hacked or damaged, even with the protection of a firewall and antivirus software. To prevent this from causing problems, follow a patch maintenance schedule.
Example schedule for computers
Weekly Monthly
Check for new software patches. Check for the latest antivirus definitions. Check that spyware definitions are up to date. Check for news about new threats, new patches and new releases. Check that drivers (for example video and network) are up to date. Check antivirus engine updates. Check for new printer drivers. Check BIOS firmware.
Six monthly
PM 3.2.2 Apple computers
Apple Mac workstations differ from other computers in that they can only run the Apple Mac operating system, whereas most other computers are able to run several operating systems. This guide applies to Mac OS X or later, since Apple no longer supports Mac OS 9 and earlier versions. Because of this difference, Apple machines have a more clearly defined schedule that you should follow.
Example schedule for Apple computers
Weekly
Check for software updates. Check antivirus definitions. Check for third-party software updates. Check antivirus engine updates. Check for new printer drivers. Check for new operating system version.
PM 3.2.3 Servers
Servers require more attention than personal computers, as servers are more critical. Do not make major changes to servers without going through the Change Management process. Ideally, this even applies to antivirus updates, but it is particularly vital for firmware or software patches. Using Change Management will prevent you from making changes without planning and considering all the implications of that change.
Example schedule for servers
Weekly Monthly
Check for new software patches. Check for the latest antivirus definitions. Check for new spyware definitions. Check for new drivers (for example video and network). Check antivirus engine updates. Check for new printer drivers. Check BIOS firmware.
Six monthly
PM 3.2.4
PM 3.3
PM 3.4 How is it measured?
There are several ways of measuring Patch Management:
- The amount of activity (number of patches and updates installed) the process produces
- The number of hours per week spent on the activity
- The number of requests for change the process generates
- Percentage success rate of applied patches
- Percentage of patches/updates that fail testing
- Number of patches applied compared to patches issued.
It is worth noting the impact of not implementing Patch Management. If you do not use Patch Management, computers may become infected with viruses that spread over the network and seriously affect the reliability and security of all the school's ICT services.
PM 4.1 Patch administrator
The patch administrator is the function owner with full responsibility for ensuring that Patch Management is performed correctly. In a school, it is likely that the patch administrator role will be shared with other FITS OM function and FITS process roles. As Patch Management works closely with FITS OM Security Administration and FITS Change Management and Release Management, you can combine some of the roles. The patch administrator must keep informed about the release of new updates, drivers, patches and firmware. This may take up considerable time unless the task can be automated (for instance, by email notifications from vendors and manufacturers).
Key tasks
- Ensure that all operating systems and software have up-to-date service packs and patches.
- Keep drivers up to date.
- Keep firmware on hardware up to date.
- Keep antivirus and antispyware definitions up to date.
- Produce Release Management build procedures for major updates to enable other technicians to carry out the updates.
- Check that installations of patches and updates are successful.
FITS OM Patch Management
3. Have you a list of hardware and software manufacturers and the items they produce that you own?
4. Have you stored the latest copy of hardware and software updates in the definitive software library (DSL)?
5. Do you have a release plan for installing these updates?
6. Do you inform all staff about the Patch Management function and how it affects them?
7. Have you planned a pilot before implementing the function across the school?
8. Do you check whether updates were installed correctly?
9. Does the Patch Management function have an owner responsible for its day-to-day management and ongoing development?
10. Are those performing the Patch Management function aware of how to do so?
11. Are the end users of the Patch Management function aware of it and conforming to it?
12. Have you documented the activities in the Patch Management function?
PM Appendices
PM Appendix A
Spyware
What is spyware?
A new type of threat has recently emerged in the form of spyware. Spyware is unlike a virus in that it does not replicate itself to other computers, but it can cause problems with a computer's performance and send personal data back to an unknown source without the user's consent. Suppliers may bundle spyware with legitimate commercial software with the intention of collecting information for the supplier to use in further marketing or product improvements. However, any data collected and sent without the user's consent or knowledge is considered spying.
What does spyware do?
Spyware can hijack your browser by replacing the start page and default search page with its own. This can mean that your browser can be further infected with other trojans and viruses, or it may simply annoy you with changes you did not ask for. It is well known that spyware slows computers down by taking up processor time and hard disk space doing whatever it is designed to do. Spyware usually collects and sends back information about the user. This information can include personal details (name, address and so on) plus information about websites visited or, worse, private information such as passwords or credit card information.
What can I do to protect against spyware?
These days most antivirus companies either sell antispyware software as a separate product or build it into their main antivirus product. There are also many good quality free antispyware programs available. However, these tend to be designed for manual scanning and removal, and may not provide real-time protection.
You can download the templates from the FITS OM website http://becta.org.uk/fits_om/downloads.cfm
Appendix B
Useful links
Network administration advice and anecdotes: http://www.thenetworkadministrator.com
Independent patch management mailing list: http://www.patchmanagement.org
Antivirus products: http://www.mcafee.com
Antivirus products: http://www.symantec.com
Antivirus products: http://www.trend.com
Antivirus products: http://www.microsoft.com
Antivirus products: http://www.sophos.com
Antivirus products: http://www.grisoft.com
Antivirus products: http://www.avast.com
Antivirus products: http://www.ca.com