Patching Becoming a Major Resource Drain for Companies

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,84083,00.html

Story by Jaikumar Vijayan 
COMPUTERWORLD 
AUGUST 18, 2003 

Last week's W32.Blaster worm, which affected thousands of computers
worldwide running Windows operating systems, highlighted the enormous
challenge companies face in keeping their systems up to date with
patches for vulnerabilities, users said.

Companies that, ahead of Blaster's rampage, had installed Microsoft
Corp.'s patch for a flaw identified last month said they felt no
effect from the worm. But the seemingly constant work involved in
guarding against such worms is becoming a burden that could prove
unsustainable over time, users said.

"The thing about patching is that it is so darn reactive. And that can
kill you," said Dave Jahne, a senior security analyst at Phoenix-based
Banner Health System, which runs 22 hospitals.

"You need to literally drop everything else to go take care of
[patching]. And the reality is, we only have a finite amount of
resources" to do that, Jahne said.

Banner had to patch more than 500 servers and 8,000 workstations to
protect itself against the vulnerability that Blaster exploited. "I
can tell you, it's been one heck of an effort on a lot of people's
part to do that," Jahne added.

For the longer term, Banner is studying the feasibility of
partitioning its networks in order to minimize the effect of
vulnerabilities, he said.

Adding to the patching problem is the fact that companies, especially
larger and more distributed ones, need time to properly test each
patch before they can deploy it, said Art Manion, an Internet security
consultant at the CERT Coordination Center at Carnegie Mellon
University in Pittsburgh.

That's because patches haven't always worked or have broken the
applications they were meant to protect, said Marc Willebeek-LeMair,
chief technology officer at TippingPoint Technologies Inc., an
Austin-based vendor of intrusion-prevention products.

Companies also need to schedule downtime in advance to deploy such
patches, said Kevin Ott, vice president of technology at Terra Nova
Trading LLC, a Chicago-based financial services firm.

"We work in a 24-by-7 environment, so there is a limited scope for
downtime" in which to deploy patches, he said.

But the stunning quickness at which Blaster exploited Windows' remote
procedure call vulnerability is a sign that companies are going to
have to respond to new threats even faster than they do today, said
Chuck Adams, chief security officer at NetSolve Inc., an IT services
company in Austin.

Although worms such as SQL Slammer didn't appear until eight months
after the vulnerability was announced, Blaster was released in just
one month, Adams said.

That means companies will need to somehow find ways to lessen the time
it takes to test and deploy patches, said Vivek Kundra, director of
infrastructure technologies for Arlington County, Va. Currently,
Arlington County needs about three or four days to push out patches
across its networks.

"[Three or four days] is not going to work any longer," Kundra said.  
"I need something that can cut the process down to a few hours, if not
minutes."

The county is looking at outsourcing its patch management process to a
third party. Also under consideration is a plan to adopt a more
automated process for testing and deploying software patches, Kundra
said.

"Sometimes [patching] can be more an art than a science," said Hugh
McArthur, information systems security officer at Online Resources
Corp., a McLean, Va.-based application service provider for more than
500 financial institutions.

"There will be times when you may need to make a judgment call
balancing risk, appropriate testing [and] mitigating factors," he
said.

Even so, patching remains the best available option, according to
Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical
company with U.S. headquarters in Phoenix.

"Everyone would no doubt agree that having completely error- and
exploit-proof code would be the most desirable situation," Blitch
said. In the absence of that, he said, "we're convinced that
[patching] is the best strategy."


 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.