Another Patch Tuesday is just around the corner, and I feel an urge to rant.
In reality, the actual day each month is just a part of an ongoing cycle. Like a coach’s preparation for the next football game on the schedule. We even tell our rookies, “Don’t worry, we’ve got this down to a science. Just study the playbook and learn the system.”
We scout, breakdown the patch details, analyze the impact, discuss strategy, watch film, highlight strengths and weaknesses, suggest alternatives and finally build a game plan. Actually, I’m exaggerating – but only on the film part.
Here’s the routine… During the first week of the month, we realize that our infrastructure is coming up on that time of the month again. We typically ask: How many patches in this round?
As we approach the big day, we read up on this month’s patches. Are they critical? What if we wait? Should we test them first or just trust the fixes? We call-in to the MS-ISAC’s (or other organization’s) monthly call on patches and check their dashboard for potential critical alerts.
After “the game,” we heal-up as we get ready for next team – I mean patch. That is, unless an emergency update comes along.
Our Network History According To Patch Tuesday
Almost like forecasting the weather and/or analyzing the results after a big storm, Patch Tuesday is an ongoing topic for computer infrastructure support teams. Veteran security pros remember the good, the bad and the ugly regarding viruses, malware and Patch Tuesday. We tell new interns to gather round and we’ll share stories from the past. We could probably create a “Patch Tuesday Hall of Fame” to remember from where we have come.
Do these headlines ring a bell?
Actually, Wikipedia claims that Microsoft officially began Patch Tuesday in October 2003, although regularly scheduled patches have been released on the second Tuesday of each month since the launch of Windows 98.
And this is so much fun, other vendors, like Adobe, have occasionally decided to join in on the Patch Tuesday action. Vendors like Symantec and McAfee are constantly updating their anti-virus signatures, and our teams often ask what zero days attacks can be stopped by different versions of antivirus protection mixed with various operating system patches.
Will there be a new YouTube Channel for Patches in the future? Could this become Reality TV for geeks?
After getting this far, some readers will no doubt think that I am just bashing Microsoft. Actually, that’s not my purpose. I am a fan of Microsoft, Bill Gates, Steve Ballmer and most things coming out of Redmond, Washington. I am lifetime user – from MS DOS to Windows 95 to Windows NT to Windows 7. My family has owned dozens of computers and laptops running Microsoft software over the past three decades in the UK and USA.
I’ve come to think of Patch Tuesday (and other software and operating system updates and upgrades) as a necessary part of life – like cleaning the garage. Somebody has to do this work. Someone has to configure everything when the new PCs get unpacked. I have fond memories of my first Windows-based PC, and I’ve never second-guessed my decision to NOT move to a MAC.
Nor do I want to get dozens of emails from companies telling me that they have a better way for the Michigan government enterprise or my family to apply patches easier (been there and done that) –or- that we need to move to Open Source or convert to all Apple or Google or some other software for all of our computing needs. (Yes – I have an iPad and an iPhone.)
Actually, I appreciate all the work that goes into keeping us safe online - fixing bugs, sounding alarms and upgrading functionality. I know that the bad guys will always try to break into our PCs and servers no matter what. When you’re a long-standing top dog, like Microsoft has been over many years, everyone is shooting at you. I am thankful that they do what they do. Like Hadrian’s Wall from Ancient Roman times, Microsoft has usually protected us on the digital frontier since the early days of the global Internet. Truth be told, cybersecurity challenges as well as support of operating systems are getting more complex and the problems more daunting in 2012. Patch Tuesday is just an industry poster-child for all of this front-line effort.
Nevertheless, it doesn’t mean that I can’t hope that someday…., perhaps…, things will be different. I won’t get that sinking feeling when I see that my PC needs to download and install 20 new updates over the next 30 minutes before my PC is happy again or my shutdown is complete. Our bulletins to systems admins, database admins, security pros and others will be a little less frequent.
Our Future: Window 8 and Windows RT?
Lately, the headlines have declared that PC sales are dropping sharply. It remains to be seen if this is because people are just waiting for Windows 8 or moving away from the laptop and desktops entirely. Some may be moving to Google or Apple or Microsoft’s new Surface RT tablet. Or, is the global economy a factor?
Regardless, as we prepare for the next rollout (at home and work), I’ve started to ponder the age-old question: Will Patch Tuesday ever end? I doubt it, since Microsoft has already announced a massive patch prior to the public release of Windows 8. Of course, they can always change the name of Patch Tuesday, but not the ongoing work. I’m not predicting the end of an era either, since many IT managers prefer Microsoft technology.
I also realize that an entire industry has developed from Patch Tuesday. I suspect that this part of infrastructure support life will continue for many years to come. Every major vendor has vulnerabilities, fixes, new releases, mistakes and just plain upgrades with new features. For most of us, it is just a part of online life – like changing oil in your (real-world) car.
Still, I think no regular event is more of an ongoing support headache for the tech industry than Patch Tuesday. Our enterprises follow, study, refine, fear, talk-about and act on Patch Tuesday more than many other areas of infrastructure, month after month, year after year. Sure other “sexier” topics grab the headlines temporarily, but Patch Tuesday is always waiting for us like the next game on the schedule.
And no CIO, CTO or CSO would mind hitting the delete button – if only the problems would go away with the patches. What’s your experience with Patch Tuesday?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.