January 25, 2003: the Internet was brought to its knees. The officiating bully was the
SQL Slammer worm, and its message was "You had it coming." SQL Slammer
exploited a vulnerability in SQL Server 2000 for which Microsoft had already
released a patch more than six months earlier. Gartner reports the remarkable fact that over
90% of security exploits are carried out through vulnerabilities for which
patches are already available.
In an interconnected world, it is critical for system administrators to keep
their systems patched to the most secure level. Bugs are the baggage that every software
release carries; you have to live with them. Brace yourself to patch perennially and make
it a way of life. Estimates of the number of bugs in published software range
from five to 20 per 1,000 lines of code, which translates to
a mind-numbing 175,000 to 700,000 potential bugs within Windows 2000.
Most security-related bugs come to light only after a large number of users
begin to work with the software and attackers begin to probe it. Once a
security bug is discovered, word of it spreads quickly through the
black hat community. Time is therefore of the essence, and
software vendors strive to release a security patch as soon as possible.
Until you deploy the patch, however, you are exposed.
For an effective patch-management process you first need an inventory of
your entire IT infrastructure. For every system it must record
the OS and applications, including versions; the patches applied; and any
known but unpatched vulnerabilities in the system and the threats to it. The
inventory must be kept current; a stale entry hides an exposed system.
When a new patch is released, decide whether it actually applies to your
environment; you do not need to install every patch that is released. But once
you decide to deploy a patch, testing is a must. Set up a patch-test
domain on a private network and, only if the patch succeeds in the test
environment, roll it out to production. Before doing that,
back up the production systems so that a bad patch can be rolled back.
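The inventory and the applicability decision described above can be reconciled mechanically. The following is an added example, not code from the original article or from any of the tools it names: it cross-references a constructed host inventory against a constructed patch catalogue (the EX-nnn patch IDs, products and host names are hypothetical), reports which applicable patches each host is missing, collapses a chain of superseded patches into the one cumulative fix to install, and orders hosts for rollout so that those missing a fix for an exploit already in the wild come first.

```python
"""Reconcile a host inventory against a patch catalogue (added example).

All patch IDs, products and hosts below are constructed for illustration;
they are not real vendor bulletins or a real site's inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str                 # product the fix is for, e.g. "SQL Server"
    versions: frozenset          # affected versions; other versions need nothing
    severity: str                # vendor rating: critical/important/moderate/low
    exploit_public: bool         # worm or exploit code already circulating
    supersedes: frozenset = frozenset()  # older patch IDs rolled into this one


@dataclass
class Host:
    name: str
    apps: dict      # product -> installed version (the OS is listed as a product)
    installed: set  # patch IDs the inventory says were applied


SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


def applies_to(patch, host):
    """Only a patch for an affected product version is relevant to the host."""
    return host.apps.get(patch.product) in patch.versions


def covered_ids(host, catalogue):
    """Installed patch IDs plus everything they transitively supersede."""
    covered, stack = set(), list(host.installed)
    while stack:
        pid = stack.pop()
        if pid in covered:
            continue
        covered.add(pid)
        if pid in catalogue:
            stack.extend(catalogue[pid].supersedes)
    return covered


def missing_patches(host, catalogue):
    """Applicable, uninstalled patches, most urgent first.

    A gap that a newer missing patch already supersedes is dropped, so the
    report names the one cumulative fix to install, not the whole chain.
    """
    covered = covered_ids(host, catalogue)
    gaps = [p for p in catalogue.values()
            if applies_to(p, host) and p.patch_id not in covered]
    superseded = set().union(*(p.supersedes for p in gaps))
    gaps = [p for p in gaps if p.patch_id not in superseded]
    gaps.sort(key=lambda p: (not p.exploit_public,
                             SEVERITY_RANK[p.severity], p.patch_id))
    return gaps


def rollout_order(hosts, catalogue):
    """Most exposed hosts first: a missing fix for an in-the-wild exploit
    outranks everything else, then the count of missing criticals."""
    def exposure(host):
        gaps = missing_patches(host, catalogue)
        return (-sum(p.exploit_public for p in gaps),
                -sum(p.severity == "critical" for p in gaps),
                host.name)
    return sorted(hosts, key=exposure)


# Constructed catalogue: EX-002 is a cumulative fix that includes EX-001.
CATALOGUE = {p.patch_id: p for p in [
    Patch("EX-001", "SQL Server", frozenset({"2000"}), "critical", True),
    Patch("EX-002", "SQL Server", frozenset({"2000"}), "critical", True,
          frozenset({"EX-001"})),
    Patch("EX-003", "Windows", frozenset({"NT 4.0", "2000", "XP"}), "critical", False),
    Patch("EX-004", "IIS", frozenset({"5.0"}), "important", False),
]}

# Constructed inventory of four hosts.
HOSTS = [
    Host("db01", {"Windows": "2000", "SQL Server": "2000"}, {"EX-003"}),
    Host("db02", {"Windows": "2000", "SQL Server": "2000"}, {"EX-002"}),
    Host("web01", {"Windows": "2000", "IIS": "5.0"}, {"EX-003", "EX-004"}),
    Host("ws01", {"Windows": "XP"}, set()),
]

if __name__ == "__main__":
    for host in rollout_order(HOSTS, CATALOGUE):
        gaps = missing_patches(host, CATALOGUE)
        print(host.name, [p.patch_id for p in gaps] or "fully patched")
```

Running it lists db01 first, missing only EX-002 (its superseded predecessor EX-001 is not reported separately), then db02 and ws01 missing EX-003, and finally web01 as fully patched. The supersession handling matters in practice: an inventory that records only the latest cumulative fix would otherwise flag every older bulletin it replaced as a gap.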
Patch management today is a Herculean task; even experienced system
administrators balk at the sheer volume of patches being released. Applying
patches to multiple servers is daunting enough, and implementing them on
hundreds or thousands of desktop systems is more so. As a
consequence, OS and application vendors now increasingly provide free tools to
help. Microsoft, for instance, provides Windows Update and the Baseline
Security Analyzer. A number of third-party tools are also available that help with
patch management by automatically distributing updates to end-user computers.
These automated tools have built-in management functions that let
administrators define patch-management policies, prepare detailed system
inventories, monitor patch status and vulnerabilities, and customize patch
rollouts. Popular tools from Bigfix, Configuresoft, Patchlink, St
Bernard Software, McAfee ASaP, and Shavlik Technologies ease the burden of
patch management in Windows, Unix, and Linux environments.
The consequences of failing to implement a comprehensive patch-management
strategy can be severe, with a direct impact on the organization's bottom
line: mission-critical production systems fail and
security-sensitive systems are exploited, costing time and, in turn,
business revenue. On January 22, Microsoft issued its first security
bulletin of this year, about a critical security bug affecting Windows NT 4.0,
Windows 2000, and Windows XP. So have you patched your system?
The author is the CEO of Secure Synergy, a technology consulting services
company