Patching a Major Drain for Companies

August 2003

The W32.Blaster worm, which affected thousands of computers worldwide running Windows operating systems, highlighted the enormous challenge companies face in keeping their systems up to date with patches for vulnerabilities, users said.

Companies that, ahead of Blaster's rampage, had installed Microsoft Corp.'s patch for a flaw identified last month said they felt no effect from the worm. But the seemingly constant work involved in guarding against such worms is becoming a burden that could prove unsustainable over time, users said.

Adding to the patching problem is the fact that companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy it, said Art Manion, an Internet security consultant at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

That's because patches haven't always worked or have broken the applications they were meant to protect, said Marc Willebeek-LeMair, chief technology officer at TippingPoint Technologies Inc., an Austin-based vendor of intrusion-prevention products.

Companies also need to schedule downtime in advance to deploy such patches, said Kevin Ott, vice president of technology at Terra Nova Trading LLC, a Chicago-based financial services firm.

"We work in a 24-by-7 environment, so there is a limited scope for downtime" in which to deploy patches, he said.

But the stunning quickness at which Blaster exploited Windows' remote procedure call vulnerability is a sign that companies are going to have to respond to new threats even faster than they do today, said Chuck Adams, chief security officer at NetSolve Inc., an IT services company in Austin.

Although worms such as SQL Slammer didn't appear until eight months after the vulnerability was announced, Blaster was released in just one month, Adams said.

That means companies will need to somehow find ways to lessen the time it takes to test and deploy patches, said Vivek Kundra, director of infrastructure technologies for Arlington County, Va. Currently, Arlington County needs about three or four days to push out patches across its networks.

"Three or four days is not going to work any longer," Kundra said. "I need something that can cut the process down to a few hours, if not minutes."

The county is looking at outsourcing its patch management process to a third party. Also under consideration is a plan to adopt a more automated process for testing and deploying software patches, Kundra said.

"Sometimes patching can be more an art than a science," said Hugh McArthur, information systems security officer at Online Resources Corp., a McLean, Va.-based application service provider for more than 500 financial institutions.

"There will be times when you may need to make a judgment call balancing risk, appropriate testing and mitigating factors," he said.

Even so, patching remains the best available option, according to Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical company with U.S. headquarters in Phoenix.

"Everyone would no doubt agree that having completely error- and exploit-proof code would be the most desirable situation," Blitch said. In the absence of that, he said, "we're convinced that patching is the best strategy."

Source...

 

With Dionach you get:

• An efficient, friendly and flexible service
• To talk directly to the experts
• Straightforward assessment reports that get to the point
• Complete confidentiality and utmost discretion