Patch management is an essential task for the network administrator, thanks to the constant threat of new security holes. Some companies wait for an attack before taking action to protect themselves from further threats, while others patch as often as possible.
Determining what to patch and when is one of the biggest problems facing enterprises. An expert panel at an Information Security Decisions conference in Chicago said the ever-diminishing window of time between vulnerability's announcement and an exploit's release makes it crucial to analyse and patch the areas most likely to be attacked first.
I always urge people to rate the patches themselves. Patches are often rated arbitrarily. Ask yourself whether a 'critical' patch is critical to your organisation and look at the risk involved. For example, a denial of service is ranked as a low-level threat by Microsoft, but could be critical to an online bank.
One example of a security breach was the CodeRed virus which infected over 250,000 systems within just nine hours of its discovery. The original CodeRed caused a Denial of Service (DoS) attack on the Whitehouse webserver. CodeRed II was different in that it gave its creator full remote access to the webserver.
Locate and deploy
Patching networks consists of scanning machines for any missing patches and deploying those as soon as they become available. If a network is not patched in time before an attack occurs than the costs involved can be enormous. For example, the loss of production and sales and the cost to clean the incident up can be phenomenal.
The best way to avoid problems when a security threat/bug is issued from Microsoft on the first Tuesday of each month is to use an automated patch management solution. It also saves network bandwidth and enable patches to be deployed from a remote source. Several software developers have integrated patch automation technology developed by Shavlik, for example, including Microsoft, NetIQ, Symantec, and BMC.
One user of this technology is Vetco Gray, which supplies systems, products and services to the oil and gas industry. Like many other companies, it was attacked by the Sasser worm and several variants of Beagle, forcing it to think about the security of its UK network.
Know your vermin
Beagle is a mass-mailing worm which primarily spreads through email and is independent of the victim's email client. The worm also creates a security hole, known as a backdoor, on the victim's machine. This backdoor component will allow a remote attacker to penetrate the machine.
Sasser is an Internet worm which spreads through the MS04-011 (Lsass.exe) vulnerability. It affects machines running Windows XP or Windows 2000, and which have not been patched against vulnerability or are connected to the Internet without a firewall
Senior IT applications specialist Brian Sandison is responsible for the fileservers and all network software within Vetco Gray's Aberdeen office. He says automated patch management is now essential: "A product which allows me to decide which patches are more critical than others allows me to stay in control but taking away the time-consuming of patching manually is extremely important to Vetco Gray."
Steve Francis, the database assistant administrator responsible for patching 350 servers within German industrial group E.ON, agrees. "Patch management can be an extremely time-consuming task and we needed to ensure that our servers were protected," he says. "In addition to Microsoft SUS, the automated patch management solution from Shavlik double checks that patches are pushed out and applied successfully."
Eric Schultze is chief security architect at US-based Shavlik Technologies. His company worked with Microsoft to build software such as Network Access Protection (NAP), Microsoft Personal Security Advisor (MPSA) and HFNetChk, the patch management solution used by millions of security administrators worldwide. It also developed Microsoft MBSA, a tool which can identify common security configuration errors on local and remote Windows 2000, Windows XP and Windows Server 2003 server-based systems. Shavlik is exhibiting at Infosecurity Europe on the 26-28th April 2005 in the Grand Hall, Olympia.
Do you trust software patches enough to deploy them automatically? If you're using this technology already - or if you've rejected it - let us know in our forum.