When a virus exploits known security vulnerabilities, many wonder why companies hadn't patched their systems in the first place.
This kind of thinking is easy for someone whose only experience is a personal computer. Patching a PC is usually just a matter of downloading a fix, installing it and rebooting the system.
A recent study by UK-based managed security services provider, Activis, highlights the reality for IT administrators. The study indicates that a company with an infrastructure of nine NT servers and eight firewalls, for example, would have needed 1,315 updates during the first nine months of last year. That works out to five updates per working day. Not to mention having to manage 500,000 log entries every day, the study adds.
While many shops now automatically update virus definitions, patches for security vulnerabilities still need to be installed manually.
"Although we take great pains to make certain all of our mission critical servers are patched promptly, we are lacking sometimes at rolling out these patches to our workstations," said Timothy Bruess, network manager with Learning Resources, Inc. of Vernon Hills, Ill.
On Bruess's first day of work, the company's mail server was hit with the Navdid virus, shutting down the box for hours. Before that day, security patches and virus definition updates weren't a big priority. In fact, new antivirus software had been purchased but was sitting on a shelf "still in the shrink wrap for close to a year," he said.
Now, antivirus definitions are automatically updated at night and all e-mail messages and attachments are scanned before being delivered. "We have not had any virus-related downtime since," he said.
For Gregg Nicholas, the local area network administrator of the Berrien County Courthouse, Saint Joseph, Mich., keeping up with all the new patches in his shop is impossible. "Too many operating systems. Too many software packages. Too many hardware variations," he said.
Patching servers in complex organizations is a lot harder than patching a PC at home. Most companies have policies in place requiring quality assurance and testing of any patches, so installing a patch requires a decent amount of work. Organizations also usually have many systems that need the work, which adds to the complexity of the job.
Many systems administrators take pride in keeping their systems updated and secure. "But then vendors (especially Microsoft) should do better security auditing of their software before releasing it," said Bill Bradford, an Austin, Texas-based Unix systems administrator.
Even being vigilant about patching isn't always enough. For example, a company may patch its half-dozen kinds of laptops and desktops and its three or four servers. But then one guy in a lab with an unprotected server facing the Internet can compromise the entire company, said Frank Prince, senior analyst at Cambridge, Mass.-based Forrester Research Inc.
Keeping systems secured and patched also involves human pressures. For example, LAN administrator Nicholas installed an early version of Outlook Security Patch, but some users complained they weren't getting needed file attachments. "That was too much security for our clients to get their work accomplished so we had to completely remove Outlook and reinstall," he said.
Many companies look at the dollars and cents of patching. Installing a patch will definitely cost money, and it prevents something that can only potentially happen. Companies don't take such things seriously until the risk affects them, Prince said.
"It's really just human nature. When do most people buy radar detectors? After they get a ticket for speeding," he said. Such was the case with the Code Red and Nimda worms last year. Far fewer people got Nimda because they had gotten Code Red and patched for it, Prince said.