Mind the gaps

Just in case security professionals thought that their job was getting easier comes news that it patently isn't.

Computer Weekly reports that, according to a recent survey commissioned by anti-virus company McAfee, the number of new viruses rated high or medium risk rose 130% in 2004 compared with 2003. And this is after three consecutive years of decline.

Almost certainly driving this increase is attackers' growing appetite for exploiting vulnerabilities in the standard IT systems used by companies such as yours. Some industry experts believe that the number of known vulnerabilities in commercial software more than doubled in the last year, and that this trend will escalate. So be prepared this year for the usual, seemingly interminable cycle of battling serious security vulnerabilities and finding patches for these holes.

Yet why should this situation exist? Are suppliers really selling systems full of critical vulnerabilities? More importantly, what can you do to minimise the risk to your organisation and what should your patching strategy be?

Exploiting systems has never been easier. With weakened perimeters, multiple entry points, and wireless and VPN connectivity, there are more ways than ever for both authorised and unauthorised users to gain access.

It is also almost inevitable that your business is asking you to be more effective with fewer financial and human resources, and that you will have less time to react to attacks whose consequences for the business as a whole will be greater.

Why the latest software programs are vulnerable to exploits almost certainly comes down to the fact that the vast majority of systems, especially email and internet programs, were designed around functionality and operational concerns; security and privacy came much later in development, leading to what some professionals call "air gaps" in systems.

These are the very gaps that expose your systems and your company.

What this means in practice, says Ross Patel, director of intelligence at the SANS Institute, is that systems are never going to be perfect. "Systems are developed with the best of intentions, with the best of capabilities. Perfect code and perfect systems are a bit of a Holy Grail. You can only develop code that can maintain its integrity based upon the types of threat that you know about; by and large you're protecting against known threats."

Imperfections or not, managing patches for systems' vulnerabilities has probably never been as important. Yet a lot of companies either don't realise that they should be doing it, or realise that they need to and do it quite badly. A significant number also feel that they have already done enough to lock down their networks.

Adrian Ionel, EMEA vice president and general manager at Qualys, adds that there is absolutely no place for such complacency. "A secured network today is not a secured network tomorrow and to reduce the threats, organisations must reduce the window of exposure and implement an on-going process.

"The main challenge is to define business risks…organisations have to focus on the internal network with the objective of shortening the half-life of critical vulnerabilities. You have to be proactive, get senior management buy-in, know the network and prioritise." Like Patel he believes that absolute security is impossible.

Patch management is not as simple as deploying a tool and watching it work. It is about knowing what technology to deploy, where in your network, what to prioritise and how to define spheres of responsibility and control. You can, for example, bank on software companies publishing patches fairly regularly, so your organisation should have a standing policy on what to do once they are issued.

And the clock is ticking: patches need to be effectively implemented in the shortest time possible. Blaster, for example, was built by reverse engineering a Microsoft patch and was in the wild only around 26 days after that patch was published.

The BCS offers some good, plain advice on building a patch management strategy. Says Ross Patel: "Patch management [should be] an integral part of management of your computation assets.

"What we recommend is some good old fashioned common sense to implement patch management as part of your infrastructure management process; it needs to be part of everything from the deployment of new systems, to the cradle to grave management of all of your systems and infrastructure.”

In itself, patch management won't make any business secure; after all, as both Ionel and Patel point out, systems are imperfect. Patch management has to become part of your day-to-day network tasks, and trying to patch everything at once is to be avoided. You need to prioritise what needs patching and in what order, and to see patch management within the context of a business continuity plan.
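The two points above, prioritising what to patch first and shortening the "half-life" of critical vulnerabilities that Ionel describes, are easier to act on when they are written down as rules over an inventory. The following is an added example, not code from the article or from Qualys, SANS or the BCS: the inventory, the advisory identifiers, the scoring weights and the remediation deadlines are all constructed assumptions, chosen only to illustrate the mechanics of ranking a patch queue and measuring the window of exposure.

```python
"""Rank pending patches by risk and measure the window of exposure.

Added illustration; inventory, advisory ids, weights and SLAs are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import List, Optional

# Assumed remediation deadlines, in days after the vendor releases the patch.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 45}

# Assumed weights for the vendor's own severity rating.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    advisory: str            # vendor advisory id (constructed for this example)
    severity: str            # vendor rating: critical / high / medium / low
    released: date           # date the patch was published
    internet_facing: bool    # reachable from outside the perimeter
    exploit_public: bool     # working exploit code is known to circulate
    business_critical: bool  # outage would stop a core business process
    applied: Optional[date] = None   # None while the host is still unpatched


def priority(p: PendingPatch) -> str:
    """Fold severity, exposure and business impact into a P1/P2/P3 tier."""
    score = SEVERITY_SCORE[p.severity]
    if p.exploit_public:
        score += 3   # public exploit code is the single strongest signal
    if p.internet_facing:
        score += 2
    if p.business_critical:
        score += 1
    if score >= 7:
        return "P1"
    if score >= 4:
        return "P2"
    return "P3"


def deadline(p: PendingPatch) -> date:
    """Date by which the patch must be applied under the assumed SLA."""
    return p.released + timedelta(days=SLA_DAYS[priority(p)])


def overdue(p: PendingPatch, today: date) -> bool:
    """True if the patch missed (or is still missing) its deadline."""
    return (p.applied or today) > deadline(p)


def work_queue(patches: List[PendingPatch], today: date) -> List[PendingPatch]:
    """Unapplied patches, most urgent first: by tier, then earliest deadline."""
    pending = [p for p in patches if p.applied is None]
    return sorted(pending, key=lambda p: (priority(p), deadline(p)))


def exposure_half_life(patches: List[PendingPatch], today: date) -> float:
    """Median days from patch release to remediation; open items count up to today."""
    durations = [((p.applied or today) - p.released).days for p in patches]
    return float(median(durations)) if durations else 0.0


# Constructed inventory: a handful of hosts as they might look on one morning.
TODAY = date(2005, 3, 1)
INVENTORY = [
    PendingPatch("web-01", "ADV-0001", "critical", date(2005, 2, 20), True, True, True),
    PendingPatch("mail-01", "ADV-0002", "high", date(2005, 2, 25), True, False, True),
    PendingPatch("db-01", "ADV-0001", "critical", date(2005, 2, 20), False, True, True,
                 applied=date(2005, 2, 22)),
    PendingPatch("dev-07", "ADV-0003", "medium", date(2005, 1, 10), False, False, False),
    PendingPatch("hr-02", "ADV-0004", "low", date(2005, 2, 1), False, False, False,
                 applied=date(2005, 2, 15)),
]

if __name__ == "__main__":
    for p in work_queue(INVENTORY, TODAY):
        flag = "OVERDUE" if overdue(p, TODAY) else "due " + deadline(p).isoformat()
        print(f"{priority(p)} {p.host:8} {p.advisory} {flag}")
    print(f"exposure half-life: {exposure_half_life(INVENTORY, TODAY):.0f} days")
```

The point of the scoring is not the particular numbers but that "critical" on the vendor's label is only one input: a medium-rated bug on an internet-facing box with public exploit code outranks a critical one on an isolated host. The half-life figure is what management can track week to week; if it is not falling, the process is not working regardless of how many patches were applied.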

Patel sums it up elegantly: “patch management is not a silver bullet; it’s a crucial part to ensure your systems are running safely.” One of the few guarantees is that you’ll likely be doing a lot of patching over the next twelve months. Your business will depend on you to get it right.
