I finished reading SANS writeup of the patches that MS released on Patch Tuesday. I noticed that there were three patches that were labeled "Critical." As I am not the system/network admin, I passed the reviews on to my co-worker; who is the admin. His response was "Maybe we'll get to them. The AV signatures are up-to-date and the spam filter is up-to-date." Plus, he added, the firewall has been running without a problem. (Not that he would actually know, the logs only get reviewed when there is an incident.)
We use Microsoft's patch server in house (I forget the name of it.) That is, administratively, the admin decides what patches to get from Microsoft, the server fetches the patches, then pushes the patches out to the client machines. How many times is this done a year? Maybe twice. Maybe.
I believe we should be doing this EVERY month. While we might have bolstered defenses in anti-virus, spam detection and firewall rules, what happens if the threat comes from INSIDE the perimeter? I know we have users that click on links in spam email. What if one of those links downloads something malicious? Once it is inside, we could be done.
This same admin refuses to patch the servers, using basically the same logic. "The servers are inside the DMZ, nothing should get to them."
I'm usually the first of the IT guys in the building in the morning. I walk past the server room, just to make sure the lights are on all of the server. I know there's a day coming when they won't.
Any thoughts on how to "persuade" the admin to patch more frequently?