Last week, I heard a webcast in which the presenter repeated some advice from 2004: Patch things like your financial systems first, and your workstations last.
Workstations need to be patched first.
This is just a case of the threat landscape changing. In 2004, we weren’t getting browser patches every month, and we believed Acrobat Reader and Flash were secure. So it made sense to prioritize your servers that had the most sensitive information on them.
Today things are different, or at least they should be. Ideally your sensitive servers are segmented off from the rest of your network and you have limits on what other systems can even touch them. HR servers, for example, shouldn’t be able to talk to anything but the domain controllers and the HR workstations. You can use VLANs and ACLs to create similar restrictions in every department. Doing these things isn’t a substitute for patching, but it certainly removes some of the urgency.
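As an added illustration of the segmentation rule just described (example code written for this page, not from the original post), here is a small Python policy checker. It defines hypothetical VLAN ranges and an allowlist of segment-to-segment ports, renders that allowlist as vendor-neutral ACL lines with an implicit deny, and audits a few constructed firewall-log lines for flows the policy should have blocked. All addresses, segment names, ports and the log format are constructed assumptions.

```python
"""Segmentation policy check: HR servers talk only to the domain controllers and
the HR workstations; everything not explicitly allowed is denied."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical segments and address ranges (constructed for this example).
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "domain_controllers": ipaddress.ip_network("10.10.1.0/28"),
    "hr_servers": ipaddress.ip_network("10.10.20.0/24"),
    "hr_workstations": ipaddress.ip_network("10.10.120.0/24"),
    "finance_workstations": ipaddress.ip_network("10.10.130.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all, least specific
}

# Allowlist: (source segment, destination segment) -> permitted TCP destination ports.
# Any pair/port not listed is denied, which is what a default-deny ACL between VLANs gives you.
# Note that HR servers get no route to the internet at all.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("hr_workstations", "hr_servers"): {443},
    ("hr_servers", "domain_controllers"): {88, 389, 636},
    ("hr_workstations", "domain_controllers"): {88, 389, 636},
    ("hr_workstations", "internet"): {80, 443},
    ("finance_workstations", "internet"): {80, 443},
}


def segment_of(ip: str) -> str:
    """Longest-prefix match of an address against SEGMENTS ("internet" if nothing else fits)."""
    addr = ipaddress.ip_address(ip)
    best = "internet"
    for name, net in SEGMENTS.items():
        if addr in net and net.prefixlen > SEGMENTS[best].prefixlen:
            best = name
    return best


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """True only if the segment pair has an allowlist entry that includes the port."""
    return dport in ALLOWED.get((segment_of(src), segment_of(dst)), set())


# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Extract (src, dst, dport) from a log line; None for lines that are not flow records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def find_violations(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return the flows in the log that the segmentation policy does not permit."""
    bad = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and not is_allowed(*flow):
            bad.append(flow)
    return bad


def render_acl() -> List[str]:
    """Render the allowlist as vendor-neutral permit lines followed by an explicit deny-all."""
    rules = []
    for (src, dst), ports in ALLOWED.items():
        for port in sorted(ports):
            rules.append(f"permit tcp {SEGMENTS[src]} -> {SEGMENTS[dst]} port {port}")
    rules.append("deny ip any -> any")
    return rules


# Constructed sample log: two legitimate flows, three policy violations, one non-flow line.
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z src=10.10.120.14 dst=10.10.20.5 dport=443",   # HR workstation -> HR server, ok
    "2024-01-05T10:00:02Z src=10.10.130.7 dst=10.10.20.5 dport=443",    # finance workstation -> HR server, denied
    "2024-01-05T10:00:03Z src=10.10.20.5 dst=93.184.216.34 dport=443",  # HR server -> internet, denied
    "2024-01-05T10:00:04Z src=10.10.20.5 dst=10.10.1.3 dport=389",      # HR server -> DC LDAP, ok
    "2024-01-05T10:00:05Z src=10.10.120.14 dst=10.10.20.5 dport=22",    # right pair, wrong port, denied
    "2024-01-05T10:00:06Z heartbeat ok",                                 # not a flow record, skipped
]

if __name__ == "__main__":
    for rule in render_acl():
        print(rule)
    for src, dst, port in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {segment_of(src)} -> {segment_of(dst)} port {port} ({src} -> {dst})")
```

Running the audit against real firewall or NetFlow exports, with the real VLAN ranges substituted, is a quick way to confirm that the ACLs actually enforce the pairings you think they do before you lean on them to lower patching urgency.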
Since your servers are, ideally, hardened and isolated from one another and from the Internet, the way in and out of your network is through the workstations. That is also where most of the vulnerabilities are: in Flash and web browsers, mostly.
Workstations are also the easiest to recover. A good shop ought to be able to spin up a new workstation in a matter of minutes, and moving data from a busted workstation to a new one only takes a few minutes as well. So workstations are the lowest-risk machines to patch, which makes them the perfect place to start. In security you don’t get happy coincidences like this very often, so it behooves us to take advantage of them when they do.