Monday, December 01, 2003

In need of a quick fix

In need of a quick fix:

Agencies turn to automated patch-delivery tools to counter fast-moving security threats

BY Rutrell Yasin
Dec. 1, 2003

Anyone who has ever tried to keep up with software patches knows the struggle can be akin to being trapped in a horror movie: something like 'A Nightmare on Patch Street.' Yet, with system security becoming more important in a networked world, managing all of those patches is increasingly a mission-critical function.

If agencies weren't already aggressively applying patches to fix critical security flaws, then the onslaught of computer worms that globally disrupted network operations last summer probably gave them a new sense of urgency.

Last August, the Blaster worm and its Welchia variant underscored the need for better procedures and tools for applying patches as soon as vulnerabilities are exposed.

There is little doubt that they are portents of things to come. Worms or malicious code can exploit a security flaw shortly after it has been exposed. These two worms exploited a remote procedure call vulnerability in several versions of Microsoft Corp. Windows software, overloading systems with self-generating bogus traffic.

Indeed, information technology managers in both the public and private sectors are finding it increasingly difficult to keep up with patches as the length of time continues to shrink between the awareness of vulnerabilities and the introduction of worms that exploit them."

COMMENT:
=================================================
We agree that any comprehensive enterprise security risk management program should include automated patch management. Shavlik is one of our favorites here, based upon our experience. However, it is only a small percentage of the total solution. With automated scanning and deployment of security patches to thousands of computers, you would think that this solves the problem. Before purchasing any COTS (commercial off-the-shelf) solution, you should make sure that the product has been certified and tested to be in compliance with security criteria. Areas such as data and system integrity, security administration, guidance documentation, security functionality and scalability are key aspects of a sound software application. While patch management is a piece of the puzzle, you will still need to address policy, threat, asset, risk and incident management as part of a holistic program.