Patched Up Your System Lately?

DQI Bureau

January 25, 2003–the Internet was brought to its knees. Officiating bully–the SQLSlammer worm. "You had it coming," it said. The SQLSlammer worm exploited a vulnerability in SQL Server 2000, for which Microsoft had already released a patch over six months earlier! Gartner reports the amazing fact that over 90% of security exploits are carried out through vulnerabilities for which there are known patches.

"Security bugs are the baggage all SW releases carry. Brace yourself to patch all the time–make it a way of life"

Felix Mohan

In an interconnected world, it is critical for system administrators to keep their systems patched to the most secure level. Bugs are the baggage that all software releases carry–you have to live with them. Brace yourself to patch perennially–make it a way of life. Estimates for the number of bugs in published software range from five to 20 bugs per 1,000 lines of code. This, for instance, translates to a mind-numbing 175,000 to 700,000 potential bugs within Windows 2000.

Most security-related bugs come to light only after a large number of users begin to work with the software and hackers begin to compromise it. Once a security bug is discovered, attackers spread information about it quickly throughout the swarming black hat community. Therefore, time is of the essence, and software companies strive to release a security patch as soon as possible. However, until you deploy the patch, you are exposed!

For an effective patch-management process, you need to take an inventory of your entire IT infrastructure. The inventory must contain details of all systems: the OS and applications, including versions; the patches applied; and any known but unpatched threats to the systems and vulnerabilities within them. The inventory must be kept as current as possible.

When a new patch is released, you need to decide if indeed it applies to your situation–you don’t need to install every patch that is released. But once you decide to use a patch, testing is a must. It is best to set up a patch-test domain on a private network–if the patch is successful in the test environment, roll it out to a production environment. But, before doing that, back up production systems.
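
The inventory and applicability check described above, as an added example that is not part of the original article. The host names, product names and patch id are constructed placeholders, and `triage` and `rollout_order` are hypothetical helpers.

```python
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    software: dict                              # product -> installed version
    patches: set = field(default_factory=set)   # patch ids already applied

@dataclass
class Patch:
    patch_id: str
    product: str
    affected_versions: set

def triage(inventory, patch):
    """Sort systems into: patch does not apply, already patched, still exposed."""
    result = {"not_applicable": [], "patched": [], "exposed": []}
    for s in inventory:
        # .get() returns None when the product is not installed at all
        if s.software.get(patch.product) not in patch.affected_versions:
            result["not_applicable"].append(s.name)
        elif patch.patch_id in s.patches:
            result["patched"].append(s.name)
        else:
            result["exposed"].append(s.name)
    return result

def rollout_order(inventory, patch, test_hosts):
    """Exposed hosts in the patch-test domain go first; production hosts
    follow only after the test passes and backups are taken."""
    exposed = triage(inventory, patch)["exposed"]
    return ([h for h in exposed if h in test_hosts],
            [h for h in exposed if h not in test_hosts])

# Constructed sample inventory and patch (not real products or bulletins).
INVENTORY = [
    System("db-test-01", {"ExampleDB": "8.0"}),
    System("db-prod-01", {"ExampleDB": "8.0"}),
    System("db-prod-02", {"ExampleDB": "8.0"}, {"PATCH-0001"}),
    System("db-prod-03", {"ExampleDB": "9.0"}),
    System("web-prod-01", {"ExampleWeb": "2.1"}),
]
PATCH = Patch("PATCH-0001", "ExampleDB", {"7.0", "8.0"})
TEST_DOMAIN = {"db-test-01"}

if __name__ == "__main__":
    print(triage(INVENTORY, PATCH))
    print(rollout_order(INVENTORY, PATCH, TEST_DOMAIN))
```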

Patch management today is a Herculean task–even experienced system administrators balk at the sheer volume of patches being released. Applying patches to multiple servers may seem a daunting task, especially while implementing these on hundreds or thousands of desktop systems. As a consequence, OS and application vendors now increasingly provide free tools to help users. For instance, Microsoft provides Windows Update and the Baseline Security Analyzer. A number of third-party tools are also available to help with patch management by automatically distributing updates to end-user computers.

The automated tools also have inbuilt management functions that permit administrators to define patch-management policies, prepare detailed system inventories, monitor patch status and vulnerabilities, and customize patch rollouts. Popular tools available from Bigfix, Configuresoft, Patchlink, St Bernard Software, McAfee ASaP, and Shavlik Technologies eliminate the burden of patch management in Windows, Unix, and Linux environments.

The consequences of failing to implement a comprehensive patch management strategy can be severe, with a direct impact on the bottom line of the organization. Mission-critical production systems can fail, and security-sensitive systems can be exploited, all leading to a loss of time and subsequent business revenue. On January 22, Microsoft issued its first security bulletin of this year–about a critical security bug affecting Windows NT 4.0, Windows 2000, and Windows XP. So have you patched your system?

The author is the CEO of Secure Synergy, a technology consulting services company.
