Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Virus and Vulnerability Roundup
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Patching Becoming a Major Resource Drain for Companies

Need to stay on top of threats such as Blaster poses burden to users
 

Sign up to receive Security Resource Alerts

August 18, 2003 (Computerworld) -- Last week's W32.Blaster worm, which affected thousands of computers worldwide running Windows operating systems, highlighted the enormous challenge companies face in keeping their systems up to date with patches for vulnerabilities, users said.
Companies that, ahead of Blaster's rampage, had installed Microsoft Corp.'s patch for a flaw identified last month said they felt no effect from the worm. But the seemingly constant work involved in guarding against such worms is becoming a burden that could prove unsustainable over time, users said.
"The thing about patching is that it is so darn reactive. And that can kill you," said Dave Jahne, a senior security analyst at Phoenix-based Banner Health System, which runs 22 hospitals.
"You need to literally drop everything else to go take care of [patching]. And the reality is, we only have a finite amount of resources" to do that, Jahne said.
Banner had to patch more than 500 servers and 8,000 workstations to protect itself against the vulnerability that Blaster exploited. "I can tell you, it's been one heck of an effort on a lot of people's part to do that," Jahne added.
For the longer term, Banner is studying the feasibility of partitioning its networks in order to minimize the effect of vulnerabilities, he said.
Adding to the patching problem is the fact that companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy it, said Art Manion, an Internet security consultant at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
That's because patches haven't always worked or have broken the applications they were meant to protect, said Marc Willebeek-LeMair, chief technology officer at TippingPoint Technologies Inc., an Austin-based vendor of intrusion-prevention products.
Companies also need to schedule downtime in advance to deploy such patches, said Kevin Ott, vice president of technology at Terra Nova Trading LLC, a Chicago-based financial services firm.
"We work in a 24-by-7 environment, so there is a limited scope for downtime" in which to deploy patches, he said.
But the stunning quickness at which Blaster exploited Windows' remote procedure call vulnerability is a sign that companies are going to have to respond to new threats even faster than they do today, said Chuck Adams, chief security officer at NetSolve Inc., an IT services company in Austin.
Although worms such as SQL Slammer didn't appear until eight months after the vulnerability was announced, Blaster was released in just one month, Adams said.
That means companies will need to somehow find ways to lessen the time it takes to test and deploy patches, said Vivek Kundra, director of infrastructure technologies for Arlington County, Va. Currently, Arlington County needs about three or four days to push out patches across its networks.
"[Three or four days] is not going to work any longer," Kundra said. "I need something that can cut the process down to a few hours, if not minutes."
The county is looking at outsourcing its patch management process to a third party. Also under consideration is a plan to adopt a more automated process for testing and deploying software patches, Kundra said.
"Sometimes [patching] can be more an art than a science," said Hugh McArthur, information systems security officer at Online Resources Corp., a McLean, Va.-based application service provider for more than 500 financial institutions.
"There will be times when you may need to make a judgment call balancing risk, appropriate testing [and] mitigating factors," he said.
Even so, patching remains the best available option, according to Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical company with U.S. headquarters in Phoenix.
"Everyone would no doubt agree that having completely error- and exploit-proof code would be the most desirable situation," Blitch said. In the absence of that, he said, "we're convinced that [patching] is the best strategy."




Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
Patching Becoming a Major Resource Drain for Companies
"A video is making the rounds showing how Vista SP1 has significantly improved Vista's immensely annoying User Account Control (UAC)...." Read more...
"So are you getting excited about a nice, long weekend for Memorial Day? Well, before you start cooking hot dogs..." Read more...
Read more Security posts or See all Blogs
Mozilla launches Firefox 3.0 RC1 early
Microsoft: Don't misunderstand UAC, other Vista features
HP confirms XP SP3 endless reboot snafu, promises patch
More top stories...
Microsoft pulls Windows Home Server backup feature
Yahoo tells Icahn that its own board knows best
Tools circulate that crack Debian, Ubuntu keys
Specialists have retrieved about 99% of the data on a disk drive on board the crashed space shuttle Columbia. Don't miss the photographs of the recovered drive.
These big ideas were supposed to revolutionize technology, but they never actually appeared. In a few cases, you'll be glad they didn't.
Nearly 20 years after the first Internet worm, Steven J. Vaughan-Nichols takes stock of the malware/anti-malware landscape and spotlights how the two sides are approaching the battle.
Though some thought it was released too soon, Mac OS X 10.5 has matured into a solid operating system, says reviewer Michael DeAgonia.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Enterprise-Class Security Zone
Enterprise Solutions Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
The Data Center Management Zone

Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this webcast, free, compilments of Webroot Software
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Universal Threat Management - Because Conventional UTM is Not Enough!
Get this white paper now!
(Source: Juniper Networks) This white paper, written by Mark Bouchard of Missing Link Security Services, examines the challenges confronting today's enterprises with respect to managing threats on a network. It also discusses the need for "Universal Threat Management", which is a security solution approach for all physical locations within an enterprise that require threat protection.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Securing Financial Services Beyond the Perimeter
Intercept Spam & Viruses With MessageLabs
Meeting PCI Compliance with SonicWALL Global Management System
View more whitepapers 

2008 Internet Security Trends Report
For a time, security controls designed to manage spam, viruses, and malware were working. Loud, high-impact attacks abated. But, as a result of this success, the threats they protected against were forced to change. In 2007, many of these threats underwent significant adaptation. Malware went stealth, and the sophistication increased.

Download this white paper 
Multi-layer Spam Defense Architectural Overview
Today’s spam attacks have become too sophisticated for earlier-generation spam systems. These systems share a common weakness – relying heavily on analyzing content that can easily be manipulated by spammers. State of the art anti-spam systems must go beyond content examination and analyze messages in the full context in which they are sent.

Download this white paper 
Data Loss Prevention Best Practices
Data loss prevention (DLP) is a serious issue for companies, as the number of incidents (and the cost to those experiencing them) continues to increase. Whether it’s a malicious attempt, or an inadvertent mistake, data loss can diminish a company’s brand, reduce shareholder value, and damage the company’s goodwill and reputation.

Download this white paper