Auditors have criticised the US taxman for failing to keep on top of its IT and the installation of software security patches. A report [PDF] by the US Treasury credits the IRS with upping its game in patching insecure products faster than it has done previously, but faults the agency for failing to apply a more coherent approach …
Good luck with this!
Seriously, I'm not sure if the average US citizen understands exactly how much IT property the IRS has. When you add up all of it, from the 12-man job tucked away in a corner off in BFE to the service centers, there is more IT property there than any one American company (possibly two companies). And that is just what they have accounted for so far! And the users, well they have them ALL! If you can think of a type of user, yep they have it, good and bad.
This might just be a pull to lift funding freezes or whatnot, because this is serious spending. Otherwise, it will be the most difficult patch job any system admin can think of. Think you've seen an IT nightmare? Well step it up, and step into the world of the IRS.
Re: Good luck with this!
You can pretty much substitute just about any other federal agency in that statement.
Re: Puppet Enterprise ..
Puppet would be great for deployment and patching automation...but how do you do the inventory collection, automated vulnerability detection and patch level awareness? While I believe Puppet Enterprise may in fact be the best tool available for deployment and configuration management, additional tools would be required to meet all requirements.
That said, I disagree with the assessment that a single, unified tool exists which could properly accomplish the aims of vulnerability assessment, patch level awareness, patch deployment and configuration management. Several try – Altiris, System Center, Kace, etc – but they all fall short in some way.
At present, for an organisation such as the IRS, I would be forced to recommend using a collection of "best-for-purpose" tools combined with a political approach of "leaning on the vendors" to ensure better integration. You'll find organisations like PuppetLabs or Zenoss (who you might want for root cause analysis monitoring for outages) to be extremely open to working with enterprises to add functionality.
Where I see issues are with ISVs. Gods only know what the IRS is actually running for software. What applications out there are aware of those myriad software bundles? What applications can sense patch level, scan for vulnerabilities and so forth across such a wide array of tech estate?
Regardless of your vendor – tier 1 or startup – the breadth of deployed software is going to be an issue with regards to monitoring, vulnerability scanning and patch level awareness. I wish we had good solutions to this as an industry. As yet, I haven't found any that don't end up with the end user writing some module or plug-in to support $esoteric_app.
IT at that level is not easy, and there are no pat solutions.
Canada Revenue Agency
We have 55,000 PCs and 20,000 laptops deployed. We use WSUS with in-building cache appliances to distribute patches, and Tivoli to pull reports. For PCs that are more than a few patches behind we get a monthly report and visit those devices to fix corrupted/broken Windows updates (a rebuild is often the best way to fix it). Java/Flash/etc are updated automatically with Tivoli.
We don't link Tivoli's automated asset discovery and Active Directory to BMC Remedy Servicedesk yet. That means it is not completely accurate (high nineties).
We don't permit old operating systems (Windows XP) to be connected to the network.
All pending patches are installed at bootup.
Our patch compliance rate is perhaps 99%.
AC for obv. reasons
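The monthly "more than a few patches behind" report described in the post above is the kind of thing that is easy to script once the per-host WSUS status is in hand. The following is an added example, not code from the original thread or from any agency's tooling. It triages a list of host status objects the way the post describes (flag hosts well behind on patches for a desk visit, treat repeated install failures as rebuild candidates, refuse banned operating systems such as XP, and count a non-reporting host as unknown rather than compliant) and computes a compliance rate. The input is constructed sample data; the property names (FullDomainName, NotInstalledCount, FailedCount and so on) are chosen to mirror the WSUS administration API's IComputerTarget and IUpdateSummary members, and the commented-out block showing how to populate them from a live WSUS server is an assumption about that API, not something tested here. Hostnames, the server name `wsus01` and all thresholds are hypothetical.

```powershell
# Added example: patch-compliance triage over WSUS-style per-host status objects.
# Not part of the original page. Sample data below is constructed; property names
# are assumed to mirror IComputerTarget / IUpdateSummary from the WSUS admin API.

function Get-PatchTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Hosts,
        [int]$MaxBehind = 3,                 # "more than a few patches behind" => visit
        [int]$MaxFailed = 2,                 # repeated failures => Windows Update likely broken
        [int]$StaleDays = 14,                # no status report in this long => unknown, not compliant
        [string[]]$BannedOS = @('Windows XP'),
        [datetime]$Now = (Get-Date)
    )
    foreach ($h in $Hosts) {
        # Approved but not yet installed, whether or not the bits are already downloaded.
        $missing = [int]$h.NotInstalledCount + [int]$h.DownloadedCount
        $daysSinceReport = ($Now - [datetime]$h.LastReportedStatusTime).TotalDays
        $banned = $BannedOS | Where-Object { $h.OSDescription -like "*$_*" }

        # Order matters: a banned OS is a policy violation regardless of patch state,
        # and a host that is not reporting cannot be trusted for any of the other counts.
        $action =
            if ($banned)                                     { 'BLOCK: unsupported OS' }
            elseif ($daysSinceReport -gt $StaleDays)         { 'CHECK: not reporting' }
            elseif ([int]$h.FailedCount -ge $MaxFailed)      { 'VISIT: repeated failures (rebuild?)' }
            elseif ($missing -gt $MaxBehind)                 { 'VISIT: behind on patches' }
            elseif ([int]$h.InstalledPendingRebootCount -gt 0) { 'REBOOT: pending' }
            else                                             { 'OK' }

        [pscustomobject]@{
            Host            = $h.FullDomainName
            OS              = $h.OSDescription
            Missing         = $missing
            Failed          = [int]$h.FailedCount
            PendingReboot   = [int]$h.InstalledPendingRebootCount
            DaysSinceReport = [math]::Round($daysSinceReport, 1)
            Action          = $action
        }
    }
}

function Get-PatchComplianceRate {
    param([Parameter(Mandatory)][object[]]$Triage)
    # Only fully current hosts count. A pending reboot still runs the old, vulnerable
    # binaries, so it is deliberately not counted as compliant.
    $compliant = @($Triage | Where-Object { $_.Action -eq 'OK' }).Count
    [math]::Round(100 * $compliant / $Triage.Count, 1)
}

# ---- constructed sample input (hypothetical hosts, fixed clock for repeatable output) ----
$now = Get-Date '2013-03-01'
function New-SampleHost($name, $os, $notInstalled, $downloaded, $failed, $pendingReboot, $daysAgo) {
    [pscustomobject]@{
        FullDomainName = $name; OSDescription = $os
        NotInstalledCount = $notInstalled; DownloadedCount = $downloaded
        FailedCount = $failed; InstalledPendingRebootCount = $pendingReboot
        LastReportedStatusTime = $now.AddDays(-$daysAgo)
    }
}
$sample = @(
    (New-SampleHost 'pc-0001.corp.example' 'Windows 7 Enterprise' 0 0 0 0 1)   # OK
    (New-SampleHost 'pc-0002.corp.example' 'Windows 7 Enterprise' 5 1 0 0 2)   # 6 behind -> visit
    (New-SampleHost 'pc-0003.corp.example' 'Windows 7 Enterprise' 1 0 4 0 1)   # 4 failures -> rebuild?
    (New-SampleHost 'pc-0004.corp.example' 'Windows XP Professional' 0 0 0 0 1) # banned OS
    (New-SampleHost 'pc-0005.corp.example' 'Windows 7 Enterprise' 0 0 0 0 40)  # silent 40 days
    (New-SampleHost 'pc-0006.corp.example' 'Windows 7 Enterprise' 0 0 0 2 1)   # installed, needs reboot
    (New-SampleHost 'lt-0007.corp.example' 'Windows 7 Enterprise' 2 0 0 0 3)   # within threshold -> OK
)

$triage = Get-PatchTriage -Hosts $sample -Now $now
$triage | Format-Table -AutoSize
"Compliance: {0}% of {1} hosts" -f (Get-PatchComplianceRate -Triage $triage), $triage.Count
# With the sample above: 2 of 7 hosts are OK, i.e. 28.6%.

# ---- feeding real data (assumption: WSUS admin assemblies on the console host) ----
#   [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
#   $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01', $false, 8530)
#   $hosts = $wsus.GetComputerTargets() | ForEach-Object {
#       $s = $_.GetUpdateInstallationSummary()
#       [pscustomobject]@{
#           FullDomainName = $_.FullDomainName; OSDescription = $_.OSDescription
#           NotInstalledCount = $s.NotInstalledCount; DownloadedCount = $s.DownloadedCount
#           FailedCount = $s.FailedCount; InstalledPendingRebootCount = $s.InstalledPendingRebootCount
#           LastReportedStatusTime = $_.LastReportedStatusTime
#       }
#   }
#   Get-PatchTriage -Hosts $hosts | Where-Object Action -ne 'OK' | Export-Csv monthly-visits.csv
```

Two points worth keeping in mind when running something like this for real: the "not reporting" bucket is where the inventory gaps the post mentions (the "high nineties" accuracy) show up, so it should be reconciled against the asset register rather than silently dropped from the denominator, and the compliance figure is only as good as the approval state in WSUS, since an update that was never approved for a group is never counted as missing.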
Re: Canada Revenue Agency
"BMC Remedy Servicedesk"
That does take me back a few years.
Older operating systems such as XP might be the better route. XP has been out so long that most of its vulnerabilities have been stitched up. W7 is not too bad. Win8 needs "a bit" of work! So much for having a newer OS.
Not allow workers to bring their "smart phones" with them to work? Good luck.
"...following the redaction of security shortcomings that hackers could have exploited."
So the report was blank?
Also, hackers exploit any and all shortcomings.