12.0 Best Practice with ZENworks 11 SP3 Patch Management

Patch Management is a fully integrated feature of Novell ZENworks 11 SP3 that provides the same agent-based patch, vulnerability patch, and compliance management solution that was used in prior versions.

All moderate to large organizations should use an enterprise patch management tool for the majority of their computers, and even small organizations should be migrating to some form of automated patching. Widespread manual patching is becoming ineffective as the number of patches grows and as attackers develop and release exploit code more rapidly. Only uniquely configured computers, and computers that cannot be updated effectively through automated means (such as many appliance-based devices), should continue to be patched manually.

The ZENworks Server schedules a Discover Applicable Updates (DAU) task for all ZENworks managed devices (servers and workstations) and compiles information on the operating system, hardware, and software.

The results of the scan are sent to the ZENworks Server and can be viewed at any time in the Patches section of the Patch Management tab, or in the Devices tab, even if the workstation is currently disconnected from your network.

Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is one of the most common issues identified by security and IT professionals. New patches are released daily, and it is often difficult for even experienced system administrators to keep abreast of all the new patches and ensure proper deployment in a timely manner. Most major attacks in the past few years have targeted known vulnerabilities for which patches existed before the outbreaks. Indeed, the moment a patch is released, attackers make a concerted effort to reverse engineer the patch swiftly (measured in days or even hours), identify the vulnerability, and develop and release exploit code. Thus, the time immediately after the release of a patch is ironically a particularly vulnerable moment for most organizations due to the time lag in obtaining, testing, and deploying a patch.

It is highly recommended that, before any patch management takes place, your company or organization sets up a Patch and Vulnerability Group (PVG) to manage the patching process. This group is responsible for patching and vulnerability operations across the organization, and should therefore be a dedicated group with ties to your security, asset management and network control groups.

The PVG should be specially tasked to implement the patch and vulnerability management program throughout the organization. The PVG is the central point for vulnerability remediation efforts, such as OS and application patching and configuration changes. Since the PVG needs to work actively with local administrators, large organizations may need to have several PVGs; they could work together or be structured hierarchically with an authoritative top-level PVG. The duties of a PVG should include the following:

1. Inventory the organization's IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization.
2. Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the PVG's system inventory.
3. Prioritize the order in which the organization addresses remediating vulnerabilities.
4. Create a database of remediations that need to be applied to the organization.
5. Conduct testing of patches and non-patch remediations on IT devices that use standardized configurations.
6. Oversee vulnerability remediation.
7. Distribute vulnerability and remediation information to local administrators.
8. Perform automated deployment of patches to IT devices using enterprise patch management tools.
9. Configure automatic update of applications whenever possible and appropriate.
10. Verify vulnerability remediation through network and host vulnerability scanning.
11. Train administrators on how to apply vulnerability remediations.
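The following is an added example, not ZENworks code, showing how duties 1, 3, 4 and 10 fit together in practice: an inventory of devices and installed patches (the kind of data a Discover Applicable Updates scan reports) is reconciled against a remediation database to produce a prioritized deployment plan. It also handles the supersedence trap that trips up many compliance reports: a newer patch that replaces an older one satisfies the older one, and inherits the worst severity of everything it replaces, so an "important" roll-up that closes a "critical" hole must be scheduled as critical. All device names, product names, patch identifiers, severities and dates below are constructed for illustration.

```python
"""Patch compliance reconciliation with supersedence (added example, not ZENworks code).

The inventory and remediation data here are constructed; patch ids such as
"P-001" are hypothetical and stand in for vendor bulletin identifiers.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}
SEVERITY_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}


@dataclass(frozen=True)
class Remediation:
    patch_id: str                      # hypothetical identifier
    product: str                       # product the patch applies to
    severity: str                      # vendor-assigned severity
    released: date                     # used to measure exposure time
    supersedes: frozenset = frozenset()  # older patch ids this one replaces


@dataclass(frozen=True)
class Device:
    name: str
    products: frozenset   # products found by the inventory scan
    installed: frozenset  # patch ids reported as installed


def superseded_by(remediations):
    """Map each patch id to the ids of patches that directly supersede it."""
    index = {}
    for r in remediations:
        for old in r.supersedes:
            index.setdefault(old, set()).add(r.patch_id)
    return index


def successors(patch_id, index):
    """All patches that supersede patch_id, transitively."""
    seen, stack = set(), [patch_id]
    while stack:
        for nxt in index.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def effective_severity(patch, by_id):
    """Worst severity across the patch and everything it transitively replaces,
    since a superseding patch carries the fixes of the patches it replaces."""
    worst = SEVERITY_RANK[patch.severity]
    seen, stack = set(), list(patch.supersedes)
    while stack:
        pid = stack.pop()
        if pid in seen or pid not in by_id:
            continue
        seen.add(pid)
        worst = min(worst, SEVERITY_RANK[by_id[pid].severity])
        stack.extend(by_id[pid].supersedes)
    return worst


def missing_patches(device, remediations):
    """Applicable patches the device still needs. A patch is remediated when it
    or any successor is installed; a patch whose successor is itself applicable
    is dropped in favour of deploying the successor."""
    index = superseded_by(remediations)
    applicable = [r for r in remediations if r.product in device.products]
    applicable_ids = {r.patch_id for r in applicable}
    needed = []
    for r in applicable:
        succ = successors(r.patch_id, index)
        if r.patch_id in device.installed or succ & device.installed:
            continue  # remediated directly or via a newer patch
        if succ & applicable_ids:
            continue  # deploy the superseding patch instead
        needed.append(r)
    return needed


def remediation_plan(devices, remediations):
    """Ordered (device, patch id, effective severity) rows: worst severity
    first, then longest exposure (oldest release date) first."""
    by_id = {r.patch_id: r for r in remediations}
    rows = []
    for d in devices:
        for r in missing_patches(d, remediations):
            rows.append((d.name, r.patch_id, effective_severity(r, by_id), r.released))
    rows.sort(key=lambda row: (row[2], row[3], row[0], row[1]))
    return [(name, pid, SEVERITY_NAME[rank]) for name, pid, rank, _ in rows]


# Constructed remediation database (duty 4) and inventory (duty 1).
REMEDIATIONS = [
    Remediation("P-001", "OfficeSuite", "critical", date(2014, 1, 14)),
    Remediation("P-002", "OfficeSuite", "important", date(2014, 2, 11), frozenset({"P-001"})),
    Remediation("P-003", "Browser", "critical", date(2014, 3, 11)),
    Remediation("P-004", "PDFReader", "low", date(2013, 12, 10)),
]
DEVICES = [
    Device("ws01", frozenset({"OfficeSuite", "Browser"}), frozenset({"P-002"})),
    Device("ws02", frozenset({"OfficeSuite", "PDFReader"}), frozenset()),
    Device("srv01", frozenset({"Browser"}), frozenset({"P-003"})),
]


def example_plan():
    return remediation_plan(DEVICES, REMEDIATIONS)


if __name__ == "__main__":
    for name, pid, severity in example_plan():
        print(f"{name}: deploy {pid} ({severity})")
```

Note that ws01 is not flagged for P-001 even though it was never installed there, because the installed P-002 supersedes it, and ws02's P-002 is scheduled as critical rather than important because of the P-001 it replaces. This is the verification step (duty 10) a scanner-based report should agree with; a mismatch between the two usually points at missing supersedence data in the remediation database.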