The latest monthly bulletin from Microsoft warning users of a newly identified vulnerability in the Windows operating system would have affected many companies. Users were urged to apply a patch to protect against attack, but by the time the vulnerability was identified, determined hackers could already have done their worst.
A sustained risk management process would provide a more effective way of handling these threats.
Consider a firm with 5,000 servers. IT management should know the configuration of those machines, especially what has been patched and to what level. NetIQ estimates that eight out of 10 UK companies do not have the processes in place to report on this accurately. The result is a knee-jerk reaction to patch the system at the appearance of each worm or virus.
Risk assessment begins with understanding the configuration of hardware, software and data assets, and critically grading the level of patch protection afforded to business-critical and support resources.
Once these common vulnerabilities have been identified, firms can make system corrections - such as amending workforce access rights and privileges and installing patches - and can set a server baseline as a benchmark for testing and alert purposes.
This begins the cyclical practice of closed-loop compliance involving the definition of these baselines, using reporting tools to audit against them and looking at how people and process changes can bring systems into line.
Although plenty of lip service has been paid to managing these common vulnerabilities and exposures, the escalating cost of patch projects necessitates a better defence.
Deploying patches often requires hundreds of man-hours, and when a virus slips through corporate security, the level of service that IT can provide the business is seriously affected. Employee productivity is eroded, and partnerships, sales and reputations are put at risk. IT needs to divert valuable resources to fix the problem, leading to backlogs and delays in completing projects.
Typically organisations wait for a worm, virus or hacking attack to exploit these holes and then scramble to plug them. W32/Blaster last summer, for example, infected hundreds of thousands of computers around the world within a few days by exploiting a well-known vulnerability. The patch to prevent Blaster was available for almost a month before the worm was released.
What is needed is a pre-emptive process involving the identification and management of system vulnerabilities by implementing a structured management process.
Inevitably, software vulnerabilities will always occur. Businesses need to identify and correct system risks constantly to prevent shutdowns or poor network performance. That way, a process is in place to mitigate risk when the next vulnerability appears.
Luke Brown is director of systems and security management at NetIQ