It seems every month a new piece of malicious code takes advantage of a known security vulnerability, leading many to wonder why companies don't patch their vulnerable systems.
Installing patches is not always easy for overworked IT staffs. Not only are there time issues, but also, some worry about the effects a patch may have on systems. Others just don't pay enough attention to alerts and software vulnerabilities. But proper management of vulnerabilities will become an ever-increasing issue.
Security experts lay some of the blame for the Klez-G worm last week, for example, on IT administrators not patching a vulnerability in Microsoft Outlook. A flaw in Outlook would allow the worm to automatically execute when the message is simply opened. A patch for the flaw has been available for two years.
Similarly, earlier this month, Microsoft released a patch covering 10 vulnerabilities in its Internet Information Server (IIS). At some point, look out for attackers to use those vulnerabilities, said Tim Mullen, CIO and chief software architect for AnchorIS.com
The first place to begin managing vulnerabilities is finding out about them. E-mail security bulletins from software makers and advisory groups are a good way to keep abreast of them.
For companies that want to go one step further, namely isolating specific vulnerabilities with their own systems, available tools can help identify risks and provide ways to mitigate them, said Andrew Moffat, CEO of EDUCOM TS Inc., an Ottawa-based software development firm specializing in e-mail management.
Moffat's company uses NET Zetetic Network Vulnerability Assessment, an application that measures online security risks by examining communication services, operating systems, applications and routers. The product also provides advice about addressing the risks and other data for use in preparing a security policy, Moffat said.
For users without such an application, they will have to figure out whether a certain warning about a vulnerability affects them. "We're religious about following up on security issues right away," said Dale Jackaman, director of information technology systems at BC Research Inc. in Vancouver. "An intimate knowledge of our systems is the only way to determine if the risk exists."
So once a company knows it has a vulnerability, it is ready to begin patching.
But, keeping up with patches and software updates, however, can be a daunting task. A recent study by UK-based managed security services provider, Activis, found a sample installation would require five updates per working day. The study looked at a shop with nine NT servers and eight firewalls that would need 1,315 updates during the first nine months of last year. This is in addition to managing 500,000 log entries every day.
Test, lest you get burned
Companies would be wise to invest in testing facilities for patches, Mullen said. Should a glitch occur with a patch, it's much easier to fix when it's done on a test machine rather than one in production, he said.
Jackaman admits they've been burned a time or two by not testing patches. For key applications, they check newsgroups before installing anything to learn about any potential problems.
"Most do not test patches," Mullen said. "A high percentage say they do. It's a case of do as I say not as I do." Those IT workers probably figure they can handle anything that arises when a patch is applied.
Others don't apply the patches at all. Moffat sees patching as an accountability issue. "You can be certain that IT managers would apply patches 100% of the time, if they believed that they would lose their job if they were breached and adequate efforts were not exerted to ensure all the patches were implemented."
However, Ed Tittel, president of LANWrights, Inc., sees the issue as more a lack of awareness, urgency or "a real understanding of the potential for loss and damage that failing to act can cause is what's really involved."
Time is yet another factor. "IT staff are stretched so thin, and executive management so out of touch with the realities and priorities of security needs, that many have just let their systems slide," Jackaman said.