Patch 'em up, or risk damaging the network

A Gartner analyst urges businesses to test out security patches, especially those that run on third-party and in-house applications, before implementing them.
Written by Eileen Yu, Senior Contributing Editor
Businesses are still not administering their systems correctly and not applying security patches properly, sometimes ignoring the need to test a patch before rolling it out on critical systems.

According to Amrit Williams, research director of infosecurity and risk at Gartner, security threats today are not about zero-day attacks but about hackers who take advantage of wrongly configured systems.

Ninety percent of all external security threats are the result of wrongly configured or administered software and systems, said the market analyst. Examples include administrators who forget to disable default passwords or unnecessary services, who enable ports that are unused, or who allow file sharing in insecure environments.

"It is not just that companies enable services without understanding the security implications, but they also do not disable or limit services the device utilizes and in many cases, are not necessary," he said.

Gartner also predicts that 30 percent of attacks in 2006 will occur within four weeks of the announcement of the vulnerability, up from 15 percent in 2003. Williams noted that it took hackers only 25 days, between disclosure and exploit, to come up with the Blaster worm in 2003. In contrast, it took 331 days after disclosure before hackers came up with the Nimda worm in 2001.

Jason Holis, Symantec's Southeast Asia regional sales manager, said that the diminishing time gap--between disclosure and exploit--puts significant pressure on IT administrators to quickly identify vulnerable systems, test new patches and install them as quickly as possible.

Apart from not using software that has frequent security vulnerabilities, Williams said the best form of protection against Internet security attacks is to increase the resources that businesses apply to ensure all software is safely configured and patched.

In their haste, some businesses have even implemented patches before testing them out on their systems, he said. Williams stressed that this could lead to disastrous results, and noted that untested patches have been known to "break" corporate networks. For instance, applications from third-party vendors, or those highly customized and developed in-house, are often not pre-tested by software vendors to work with a patch before it is released.

According to Tom Galantomos, the Singapore-based director of strategic alliances at Altiris, an enterprise may have hundreds, if not thousands, of applications that are interdependent on the same registry settings and .dll (library extensions) files. The vendor offers products that cater to a company's data lifecycle, including server management, asset management and security management software suites.

With this mishmash of software applications, the possibility of security patches breaking corporate networks is high and poses a real problem, he said.

To ensure this does not happen, organizations should conduct a thorough test in a lab environment, Galantomos suggested. They could also perform a "pre-flight test" on patches before rolling them out to verify that there are no hidden software conflicts, he said. "As always, it is a best practice to have a solid (data) backup and recovery option in place," he added.

Holis noted that patches typically take about 3 to 5 minutes to run, while testing methodologies vary from company to company. Depending on the type of patch, the complexity of the company's subsystems and what the patch impacts, he estimates that it generally takes no more than a day to test a patch.

Williams noted that while enterprises can get better at patching, they can never move as fast as attackers. He said that organizations should learn to prioritize. He estimates that only 30 percent of reported vulnerabilities have corresponding exploits.

"Just because there's a vulnerability it doesn't always mean you have to apply a patch immediately," he said, noting that companies should identify and pay closer attention to patches that affect mission-critical systems.

"Most organizations are generally more picky with patches for servers and networks, and more willing to deploy those for desktops more quickly," he said.
