Patch Management
2003 has been the year of the Worm – worms such as Blaster, Slammer, Sobig (various forms) and Code Red, which can all be traced directly to exploitation of unpatched vulnerabilities. And the cost of these worms?.. Blaster worm costs are estimated to be at least $525 million, and Sobig.f damages are estimated to be from $500 million to more than one billion dollars. The new malicious code being released into the wild has focused on exploited known problems in unpatched systems. In fact, when you consider most attacks, they focus on finding and then exploiting vulnerabilities in code – look at all the scanners like NMAP and Nessus – focused on finding what systems are running and exploiting weaknesses. The latest worms merely automate this task, and focus upon a single exploit. We believe that 2004 will see a lot more activity in this space from Hackers. We believe the time taken from a vulnerability being announced, to a worm exploiting it, will reduce significantly. This is placing the Network Manager and his team under increased pressure to ensure ALL systems are patched to the correct level.
This requires a lot of management. The first thing for anyone looking to manage their systems is to baseline what they have on their network. Too often people only focus on their Windows systems. But it is not just Microsoft that suffer from vulnerabilities – think how many patches (including security patches) other vendors like Cisco release over the course of the year, and Apache is still the most popular web server on the Internet (nearly 70% according to Netcraft’s December 2003 Survey). This baseline needs to include all pertinent information – what hardware and what software is loaded. It is important to know that you will not try and patch a Windows NT system with a Windows 2003 patch. You need to establish a minimum patch level for all the systems on your network. This minimum will be based upon the O/S being run – and software running on top of it. Not all patches released by a vendor will be relevant to everyone. Therefore the baseline will be different for different people.
Before rushing out and patching every system, when a new patch is released, a Network Manager must understand the patch and what it is doing (it may not be relevant to you). It also needs to be tested on a test network running the business applications prior to be rolled out. The roll out of a patch could compromise your business if it breaks the business software and stops everyone from working. It would not be the first time-¦
All patch management needs a full audit trail, which must include whether an installation has been successful. How many times have people been caught out when they thought they had updated software only to find the install did not complete.
The timescale issues will become more pressing. Network managers will need to be aware of what patches are being released, and will need to be on several mailing lists researching information pertinent to their environment. This research needs what commodity that is in short supply – time.
Once you have identified the need for a patch, deploying them can be very difficult – the first question is; do you have the manpower? If so, when do you deploy? If you are going to automate this process – and the industry is going this way – can you cope with cross platform patch management form a single tool? Can you delegate responsibility to other people within the team, or to other office locations?
The need for tools to deal with this issue has been highlighted. There are a number of vendors now appearing in this space. Before purchasing any tool it is important for the user to test it. Test it in a real environment, test across all the systems that you run. Think a little further than just patching Microsoft software – there will be worms for other systems and hackers exploit known holes in other O/S and applications. Make sure you receive full audit trails and reports.
The one thing that is for sure, is that the correct tool will provide businesses with a good Return On Investment. The cost of a patching all your system is high. The chances are you will need to consider, and probably patch systems every week. The cost of not patching them may well be even higher.