Information systems administrators serve as ‘keepers of the machines’ entrusted with keeping computers updated and running smoothly. Failing to patch known software vulnerabilities can lead to devastating consequences, as critical infrastructure becomes potentially subject to crippling attacks. Conversely, deploying updates in the context of a large organization can lead to serious problems. How do administrators manage updates, and what factors impact how effectively they perform those updates?
Li et al. sent a survey to 102 US system administrators in September and October 2017. Using themes identified in a series of pilot interviews, the authors then recruited and interviewed 17 administrators, most of whom had participated in the survey beforehand. About half of the study participants worked at organizations with over 500 employees. Participants typically managed large computing infrastructures; two-thirds of them maintained more than 100 computers.
Findings suggest that administrator update workflows consist of five stages, each with its own challenges and limitations:
1) Learning About Updates: Participants usually rely on 5 or more sources, as update information is highly dispersed. They need to be constantly browsing the news.
2) Deciding to Update: Administrators prioritize security updates, but these can be bundled with feature changes, which are potentially disruptive.
3) Preparing for Update Installation: Staggered deployment and dedicated testing setups are the two main update strategies. Staggered deployment is concerning because production machines, which are the most exposed to potential attackers, are updated last.
4) Deploying Updates: Administrators often depend on custom scripts and third-party managers. The need to maintain compatibility with vendors lagging behind prevented some participants from deploying automatic updates.
5) Handling Update Issues After Deployment: Participants dealt with update problems by simply uninstalling the update, thus reverting to an insecure state. They prioritized functionality over security.
Internal policies and management could also play an important role in update decisions. Freedom to apply updates could result in ad-hoc decisions by administrators, potentially resulting in poor practices. Conversely, approval requirements could delay or prevent the application of updates. Some administrators even skipped less severe updates to avoid the hassle.
Findings suggest the following potential solutions:
- Standardized and consolidated update information in a centralized repository
- Software vendors bundling security patches separately from feature patches
- Dynamic software updating allowing for live updates without restarts or downtime
- A cultural shift at organizations to recognize the importance of expedient updates
Software updates are too often unreliable, and system administrators prioritize functionality over security in their updating practices.