http://www.computerworld.com/securitytopics/security/story/0,10801,84083,00.html Story by Jaikumar Vijayan COMPUTERWORLD AUGUST 18, 2003 Last week's W32.Blaster worm, which affected thousands of computers worldwide running Windows operating systems, highlighted the enormous challenge companies face in keeping their systems up to date with patches for vulnerabilities, users said. Companies that, ahead of Blaster's rampage, had installed Microsoft Corp.'s patch for a flaw identified last month said they felt no effect from the worm. But the seemingly constant work involved in guarding against such worms is becoming a burden that could prove unsustainable over time, users said. "The thing about patching is that it is so darn reactive. And that can kill you," said Dave Jahne, a senior security analyst at Phoenix-based Banner Health System, which runs 22 hospitals. "You need to literally drop everything else to go take care of [patching]. And the reality is, we only have a finite amount of resources" to do that, Jahne said. Banner had to patch more than 500 servers and 8,000 workstations to protect itself against the vulnerability that Blaster exploited. "I can tell you, it's been one heck of an effort on a lot of people's part to do that," Jahne added. For the longer term, Banner is studying the feasibility of partitioning its networks in order to minimize the effect of vulnerabilities, he said. Adding to the patching problem is the fact that companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy it, said Art Manion, an Internet security consultant at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. That's because patches haven't always worked or have broken the applications they were meant to protect, said Marc Willebeek-LeMair, chief technology officer at TippingPoint Technologies Inc., an Austin-based vendor of intrusion-prevention products. Companies also need to schedule downtime in advance to deploy such patches, said Kevin Ott, vice president of technology at Terra Nova Trading LLC, a Chicago-based financial services firm. "We work in a 24-by-7 environment, so there is a limited scope for downtime" in which to deploy patches, he said. But the stunning quickness at which Blaster exploited Windows' remote procedure call vulnerability is a sign that companies are going to have to respond to new threats even faster than they do today, said Chuck Adams, chief security officer at NetSolve Inc., an IT services company in Austin. Although worms such as SQL Slammer didn't appear until eight months after the vulnerability was announced, Blaster was released in just one month, Adams said. That means companies will need to somehow find ways to lessen the time it takes to test and deploy patches, said Vivek Kundra, director of infrastructure technologies for Arlington County, Va. Currently, Arlington County needs about three or four days to push out patches across its networks. "[Three or four days] is not going to work any longer," Kundra said. "I need something that can cut the process down to a few hours, if not minutes." The county is looking at outsourcing its patch management process to a third party. Also under consideration is a plan to adopt a more automated process for testing and deploying software patches, Kundra said. "Sometimes [patching] can be more an art than a science," said Hugh McArthur, information systems security officer at Online Resources Corp., a McLean, Va.-based application service provider for more than 500 financial institutions. "There will be times when you may need to make a judgment call balancing risk, appropriate testing [and] mitigating factors," he said. Even so, patching remains the best available option, according to Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical company with U.S. headquarters in Phoenix. "Everyone would no doubt agree that having completely error- and exploit-proof code would be the most desirable situation," Blitch said. In the absence of that, he said, "we're convinced that [patching] is the best strategy." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 11:02:53 PDT