[ISN] Patching Becoming a Major Resource Drain for Companies

From: InfoSec News (isnat_private)
Date: Tue Aug 19 2003 - 05:10:06 PDT


    Story by Jaikumar Vijayan 
    AUGUST 18, 2003 
    Last week's W32.Blaster worm, which affected thousands of computers
    worldwide running Windows operating systems, highlighted the enormous
    challenge companies face in keeping their systems up to date with
    patches for vulnerabilities, users said.

    Companies that, ahead of Blaster's rampage, had installed Microsoft
    Corp.'s patch for a flaw identified last month said they felt no
    effect from the worm. But the seemingly constant work involved in
    guarding against such worms is becoming a burden that could prove
    unsustainable over time, users said.

    "The thing about patching is that it is so darn reactive. And that can
    kill you," said Dave Jahne, a senior security analyst at Phoenix-based
    Banner Health System, which runs 22 hospitals.

    "You need to literally drop everything else to go take care of
    [patching]. And the reality is, we only have a finite amount of
    resources" to do that, Jahne said.

    Banner had to patch more than 500 servers and 8,000 workstations to
    protect itself against the vulnerability that Blaster exploited. "I
    can tell you, it's been one heck of an effort on a lot of people's
    part to do that," Jahne added.

    For the longer term, Banner is studying the feasibility of
    partitioning its networks in order to minimize the effect of
    vulnerabilities, he said.

    Adding to the patching problem is the fact that companies, especially
    larger and more distributed ones, need time to properly test each
    patch before they can deploy it, said Art Manion, an Internet security
    consultant at the CERT Coordination Center at Carnegie Mellon
    University in Pittsburgh.

    That's because patches haven't always worked or have broken the
    applications they were meant to protect, said Marc Willebeek-LeMair,
    chief technology officer at TippingPoint Technologies Inc., an
    Austin-based vendor of intrusion-prevention products.

    Companies also need to schedule downtime in advance to deploy such
    patches, said Kevin Ott, vice president of technology at Terra Nova
    Trading LLC, a Chicago-based financial services firm.

    "We work in a 24-by-7 environment, so there is a limited scope for
    downtime" in which to deploy patches, he said.

    But the stunning speed with which Blaster exploited Windows' remote
    procedure call vulnerability is a sign that companies are going to
    have to respond to new threats even faster than they do today, said
    Chuck Adams, chief security officer at NetSolve Inc., an IT services
    company in Austin.

    Although worms such as SQL Slammer didn't appear until eight months
    after the vulnerability was announced, Blaster was released in just
    one month, Adams said.

    That means companies will need to find ways to shorten the time it
    takes to test and deploy patches, said Vivek Kundra, director of
    infrastructure technologies for Arlington County, Va. Currently,
    Arlington County needs about three or four days to push out patches
    across its networks.

    "[Three or four days] is not going to work any longer," Kundra said.
    "I need something that can cut the process down to a few hours, if not

    The county is looking at outsourcing its patch management process to a
    third party. Also under consideration is a plan to adopt a more
    automated process for testing and deploying software patches, Kundra

    "Sometimes [patching] can be more an art than a science," said Hugh
    McArthur, information systems security officer at Online Resources
    Corp., a McLean, Va.-based application service provider for more than
    500 financial institutions.

    "There will be times when you may need to make a judgment call
    balancing risk, appropriate testing [and] mitigating factors," he

    Even so, patching remains the best available option, according to
    Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical
    company with U.S. headquarters in Phoenix.

    "Everyone would no doubt agree that having completely error- and
    exploit-proof code would be the most desirable situation," Blitch
    said. In the absence of that, he said, "we're convinced that
    [patching] is the best strategy."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 11:02:53 PDT