The recent rapid spread of the Conficker worm has not only highlighted the need to apply security patches quickly, but also revealed how poorly many organisations handle software patching.
While most home PCs are automatically kept safe and up to date, often without their users even being aware of the fact, it was corporate systems that were badly hit by the Conficker worm.
Although Microsoft issued an unscheduled security bulletin, MS08-067, last October and marked it as 'critical' on all Windows-versions except Vista and 2008, vulnerability management vendor Qualys Inc. estimated that 30% of Windows machines were still unpatched when Conficker started to make an impact two months ago. The number of infected machines was variously estimated at anywhere between 8 and 15 million, although that number is thought to have fallen after the huge publicity about the infection.
But the impact still raises the question of why companies fail to take patching seriously. Remember that Microsoft's Patch Tuesday and most of the patch management industry only began after the phenomenon of worms such as Slammer and Blaster earlier this decade. Before the introduction of the fast-spreading malware, it was commonplace for systems to remain unpatched for months or years, and patching was a haphazard and unstructured process.
Despite those earlier events, however, many companies still choose not to patch, according to Jay Abbott, a senior manager at PricewaterhouseCoopers (PWC), who works with a wide variety of organisations. According to Abbott, businesses faced with the choice of taking down systems and applying patches that may cause problems will often avoid patching altogether. Instead they will try to find other ways of limiting the damage of a virus, such as installing extra firewalls and intrusion prevention systems.
"A lot of them say they can't risk down-time on a mission-critical system, so they don't patch," he said.
Senior management should be made to understand the risks of not patching, he said, rather than merely focusing on the damage that patching might cause. "You need to couch the argument in terms of risk management. In that way you can have a proper conversation with the business and justify why things need to occur."
"If you decide not to patch, then the level of compensating controls you need to put in [place] are significant. You need real belt-and-braces protection at the network and host layer, and a defined perimeter with limited connectivity to the outside world."
Chris Schwartzbauer, head of marketing for patch management company Shavlik Technologies LLC, agrees that patching can be hard. "Nobody likes to put software on servers. Nobody wants to fix something they don't believe is broken. Systems are fragile, and they don't want to touch them," he said.
There are other problems, too. Companies may have altered their applications, making them difficult to patch safely. "If they have a couple of hundred servers, they will probably have made some application modifications. Patching is impossible because it's no longer the native application."
Poor asset management can also make it hard for organizations to know exactly what applications are running and on what hardware. "If [companies] are growing fast, or they have taken over another company, people may not take the time to find out what version of Internet Explorer or IIS is running on the machine. If they don't know it's there, they can't patch it," Schwartzbauer said. "The proliferation of laptops coming on and off the network makes it even harder to do asset inventory and discovery. And with virtual machines and virtual applications, you have even more trouble. Offline VMs are very difficult to detect."
The way to reduce the risks associated with patching is by implementing proper change management procedures, he said. "Change management capability is essential so you know the before and after state of the systems. If organisations are confident that they can quickly restore a machine to its functional state, then they'd be more likely to patch it."
But some systems, such as servers running Windows NT4, will be beyond patching. Microsoft ceased supporting the operating system in December 2004, and as Abbott points out, there are nearly 200 unpatched vulnerabilities in NT4. "We still see the odd NT4 server in companies. We always advise people to phase them out as quickly as possible," he said.
Abbott added that while IT and security are still regarded in many businesses as a burden and a cost centre, it will always be hard to argue for regular patching. "More often than not, companies will have to get burned before they actually get the concept of the value of security," he said.