PATCH WORK SECURITY
Whether it’s an opening in a fence or a security guard away from his post, physical security “holes” tend to be visible and quickly fillable. The same cannot always be said, however, about vulnerabilities in software code — as organizations ranging from universities to nuclear power plants can unhappily attest.
To help keep attackers from burrowing their way into corporate and government computer systems, to whatever extent possible, the information security industry produces an arsenal of weaponry referred to collectively as patch management tools.
Software makers spend a lot of time testing their products before releasing them on the market. But still, flaws can slip through the cracks, leaving the products easy prey for hackers, experts say.
“Regardless of what you load onto a computer, you will have criminals and other hackers trying to get in,” says Ezra Duong-Van, director of field marketing at BindView Corp., Houston, Texas. “Sometimes people from inside an organization are poking around.”
The software products at risk include operating systems themselves — such as Microsoft Windows or Linux — as well as application software such as word processors and spreadsheets, and even software that runs on bigger computers known as servers.
After a vulnerability is uncovered, the software vendor usually puts together a downloadable software patch to correct it. But even then, these pieces of corrective software can miss their mark for a variety of reasons.
Typically, patches are downloaded by the information security department from a central location on to PCs and/or servers. Patches are also used to add new features unrelated to security. “You really do not want to have to trust the thousands of end-users in an organization to keep their software up-to-date by themselves,” says Martin Buckley, a director of product management at Novell Inc., Orem, Utah.
But until relatively recently, many organizations bided their time until problems literally “hit home” before installing the proper security patches. “Typically, people would only apply a patch after the software was already broken. But users have absolutely become much more ‘patch savvy’ over the past two or three years,” Duong-Van says.
A favorite weapon of hackers is the software “worm,” a special type of computer virus adept at slithering past Internet firewalls and other enterprise security mechanisms.
A prime example is “Slammer” a.k.a. “Sapphire,” a worm that takes advantage of an indexing vulnerability in Microsoft Corp.’s SQL Server database server. Microsoft released a patch for this critter in mid-2002, yet many information security administrators neglected to install the fix.
Slammer started to infect computer database servers on January 25, 2002. Eventually, at least 75,000 servers were impacted, causing network outages that resulted in canceled airline flights, interference with elections and failures of bank ATMs.
In one incident, Slammer disabled a safety monitoring system for nearly five hours at Ohio’s Davis-Besse nuclear power plant. According to reports filed with the Nuclear Regulatory Commission (NRC), plant personnel said they had not installed Microsoft’s patch because they did not know about it.
Slammer also struck universities particularly hard. A number of schools were forced to shut down network access entirely, including the University of Florida, Cornell University and Georgia State University, to name a few.
Many experts attribute the increase in patch awareness to major outbreaks of Slammer and other worms, such as “Nimda” and “Code Red.”
“Worms can be stopped by patches only,” says Chris Andrew, vice president of product management at PatchLink Corp., Scottsdale, Ariz.
Patch awareness makes sound business sense, too, experts say. “For some organizations, security did not used to be that much of a priority,” says Sam Curry, vice president for eTrust brand security products at Computer Associates, Islandia, N.Y. “But today, everyone’s under a lot of pressure for deployment.”
Specific drivers range from regulatory compliance to citizen concerns about information privacy and corporate worries about damage to brand image, Curry says.
By now, awareness has heightened to the point that some organizations are even looking at patch management issues as a criterion in choosing an operating system.
Some argue that the choice of operating system does not really matter: all software has vulnerabilities, and any software that is widely used will ultimately become a target for hackers. But others see distinct advantages to either the Windows or Linux operating system, for example.
In a recent study, researchers interviewed 90 large organizations that are using both these operating systems. “We found that Windows is significantly cheaper to patch on a per-incident basis,” says Theo Forbath, chief strategist for global product strategy and architecture at Wipro, Mountain View, Calif.
Forbath cites factors such as Microsoft’s huge installed base, as well as widespread availability of automated patch management offerings such as Microsoft’s Windows Update.
On the other hand, Buckley sees greater potential over the long haul for Linux, an “open source” alternative now getting increasing use on both servers and PC desktops. Linux, Buckley says, is characterized by collaborative development among a large community of independent vendors, making it much more likely that holes will be caught before they make it into software releases. Further, unlike Windows, Linux lets companies install “only the pieces of software they need,” thereby streamlining security management.
Meanwhile, commercial vendors such as Microsoft and Oracle Corp. are helping out by making new patches available on a more predictable basis. But even when enterprise administrators install patches on time, they are not necessarily “totally” protected.
For instance, at RKA Petroleum Companies in Romulus, Mich., a server crashed because an installed patch was not needed by the machine. John Hittleman, vice president of Information Services at RKA, has publicly claimed that the patch was incorrectly prescribed by a Microsoft representative.
Because it was too small for the machine, the patch started to delete files. Software services failed, and people were unable to access RKA’s network. Ultimately, RKA needed to reload all the software on the server from scratch, Hittleman says. Moreover, due to the intricacies of software code, installing a patch for one operating system or application can cause unfortunate consequences for other applications, even making them inoperable in some cases.
Fortunately, information security vendors have come to the rescue with a variety of products and services that, when properly used, can help ease patch management for administrators. Software patches themselves are available not just from vendors who make the affected software products, but also from patch specialists such as Ecora Software Corp., Portsmouth, N.H.
Another category in patch management is made up of software used to “scan” an organization’s systems from the outside to pinpoint the holes. Vendors in this space include Qualis Corp., Huntsville, Ala., and eEye, Aliso Viejo, Calif., for instance.
PatchLink’s family of security patch, vulnerability and compliance management software includes Scanner Integration Module, a product designed to import results from multiple scanners, giving administrators a good idea of the vulnerabilities that outsiders can view.
Another product from the company, PatchLink Update, is the solution that RKA Petroleum ultimately turned to for solving its patch problems.
PatchLink’s products already work across multiple operating systems, including Unix and mainframe systems in addition to Windows and Linux. The company is currently extending its environment to support mobile operating systems such as Windows Mobile, Symbian and RIM, Andrew says. PatchLink also specializes in testing patches within its own labs for compatibility with application software.
BindView, on the other hand, supports patch management with its multi-system software products for vulnerability management, configuration management and compliance monitoring.
Novell’s ZENworks and Computer Associates’ Unicenter are multifunctional product lineups that also contain patch management capabilities. Both software giants also operate far-reaching consulting services that deal with patch management, along with innumerable other security and systems management issues.