Orchestrate vulnerability management: threats emanating from inside the perimeter are expected to increase

Communications News, August, 2006 by Chris Andrew

For the past five years, businesses have been plagued by the threat of worm attacks such as Blaster, Slammer, CodeRed, Welchia and others. In 2005, more than 5,000 new security vulnerabilities were discovered in software across the industry. The Zotob worm, which appeared within days of Microsoft's MS05-039 bulletin and exploited the Plug and Play vulnerability it described on Windows 2000, left thousands of servers on the Internet open to attack. As the interval between the disclosure of a vulnerability and its exploitation continues to shrink, zero-day threats have rapidly moved to the forefront of business IT security risk.

In 2006, new threats facing businesses will most likely come from inside perimeter defenses. Protection that used to be reserved strictly for the Internet-facing side of a business must now be considered for use within a corporation.

Of all the potential ways to break into systems, the failure to apply security patches and configure security settings correctly is probably the most systemic issue facing many IT organizations today. Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality and integrity of IT systems.

With organizations averaging 30 days to patch networks last year, the process of securing all systems across the enterprise is still too slow and labor intensive. As a result, one recent industry report cited unpatched computers as representing IT's most pervasive security issue, keeping threats that target software vulnerabilities at the top of the list.

The problem is that patch and vulnerability management is an ad hoc affair for most businesses, where companies scramble to update their systems upon hearing that an exploit is in the wild.

Manual patching of every workstation and server within an enterprise, however, is becoming ineffective, as the number of patches that need to be installed continues to increase and as hackers continue to develop exploit code more rapidly. While patching and vulnerability assessment may seem like an arduous task, consistent mitigation of organizational vulnerabilities can be achieved through a thoroughly tested and integrated patching process that makes efficient use of automation.

Applying patches carries a degree of risk of its own. A patch that has not been effectively tested in a particular network environment could create a disruption within business systems and services. One of the biggest mistakes that larger organizations and agencies make with patch management is to force the deployment of security patches without properly understanding which devices are vulnerable or without testing the patches in their specific environment.

To get a handle on vulnerability management, an organization should first build an in-depth inventory of every computer system on its network and use it to prioritize the patching process. Depending on the criticality of each system, patches should then be deployed in stages.

Once a company knows what systems it has and where they sit on the network, it can check the vulnerability status of each piece of hardware and software. Only then can it prioritize patch deployment across the network, addressing the most critical systems first and non-critical systems afterward.

The best-practice approach is a test-then-deploy cycle executed against increasingly large or increasingly critical sets of servers or desktops. Every patch should first be tested on a representative group of systems, and the behavior and overall health of those systems observed, before it goes any further. Staged deployment to administrator-defined groups is essential; tools that only offer an "all or nothing" push cannot do this. Even the best enterprise patch-management tool will be ineffective in an environment where every device is configured uniquely, because no test group can represent such systems and the side effects of each patch remain unknown until it reaches production.
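The inventory, prioritize, stage and gate procedure described above, as an added example rather than anything from the article or any vendor's product: a small Python planner that ranks patches by the most critical host each one leaves exposed, builds deployment rings from one non-critical canary per configuration profile outward, refuses to start when a profile exists only on critical systems and has not been lab tested, and halts the rollout at the first ring whose post-patch health check fails. The hosts, profiles, patch IDs and health results are constructed for illustration.

```python
"""Staged test-then-deploy rollout planner for security patches.

Added example; not code from the article. Host names, profiles, patch IDs
and health results below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CRITICAL = 3  # criticality scale: 1 = low, 2 = important, 3 = business-critical


@dataclass
class Host:
    name: str
    profile: str            # OS build + role; hosts sharing a profile should behave alike
    criticality: int
    missing: set = field(default_factory=set)  # patch IDs the vulnerability scan reports missing


# Constructed inventory (hypothetical hosts and patch IDs).
INVENTORY = [
    Host("ws-001", "win2k-sp4-desktop", 1, {"KB-A", "KB-B"}),
    Host("ws-002", "win2k-sp4-desktop", 1, {"KB-A"}),
    Host("ws-003", "winxp-sp2-desktop", 1, {"KB-B"}),
    Host("app-01", "win2003-app", 2, {"KB-A", "KB-B"}),
    Host("app-02", "win2003-app", 2, {"KB-A"}),
    Host("db-01", "win2003-sql", CRITICAL, {"KB-A"}),
    Host("db-02", "win2003-sql", CRITICAL, set()),
]


def patch_priority(inventory):
    """Order patches by the most critical host each one leaves exposed, then by host count."""
    affected = defaultdict(list)
    for host in inventory:
        for patch in host.missing:
            affected[patch].append(host)
    return sorted(
        affected,
        key=lambda p: (-max(h.criticality for h in affected[p]), -len(affected[p]), p),
    )


def plan_rings(inventory, patch):
    """Build deployment rings for one patch.

    Ring 0 holds canaries: one non-critical host per configuration profile, so the
    test group is representative without risking a critical system. Later rings
    hold the remaining hosts grouped by ascending criticality. Profiles that exist
    only on critical hosts have no safe canary and are returned separately; they
    need a lab test before the patch reaches them.
    """
    targets = [h for h in inventory if patch in h.missing]
    canaries, seen = [], set()
    for host in sorted(targets, key=lambda h: h.name):
        if host.criticality < CRITICAL and host.profile not in seen:
            seen.add(host.profile)
            canaries.append(host)
    rest = defaultdict(list)
    for host in targets:
        if host not in canaries:
            rest[host.criticality].append(host.name)
    rings = [[h.name for h in canaries]] + [sorted(rest[c]) for c in sorted(rest)]
    untested = {h.profile for h in targets if h.profile not in seen}
    return rings, untested


def rollout(inventory, patch, health, lab_tested=frozenset()):
    """Walk the rings in order, gating each step on post-patch health of the previous ring.

    `health` maps host name -> status reported after patching ("healthy" or a
    failure string). The rollout halts at the first ring with an unhealthy host,
    so the blast radius of a bad patch is one ring, not the whole estate.
    """
    rings, untested = plan_rings(inventory, patch)
    if untested - set(lab_tested):
        return {"deployed": [], "halted_ring": 0, "failures": [],
                "needs_lab_test": sorted(untested - set(lab_tested))}
    deployed = []
    for index, ring in enumerate(rings):
        deployed.append(ring)
        failures = [name for name in ring if health.get(name) != "healthy"]
        if failures:
            return {"deployed": deployed, "halted_ring": index,
                    "failures": failures, "needs_lab_test": []}
    return {"deployed": deployed, "halted_ring": None, "failures": [], "needs_lab_test": []}


# Constructed post-patch health results for KB-A.
HEALTH_KB_A = {
    "ws-001": "healthy", "app-01": "healthy", "ws-002": "healthy",
    "app-02": "service-down",  # the patch broke the app tier: rollout must stop here
    "db-01": "healthy",
}

if __name__ == "__main__":
    print(patch_priority(INVENTORY))
    print(plan_rings(INVENTORY, "KB-A"))
    print(rollout(INVENTORY, "KB-A", HEALTH_KB_A, lab_tested={"win2003-sql"}))
```

Ring membership is derived from the inventory's configuration profiles, which is the point of the warning about uniquely configured devices: a profile that appears on only one host yields a canary that represents nothing but itself, so the health gate after ring 0 says nothing about the rest of the estate. In the constructed run, KB-A is ranked ahead of KB-B because it is missing from a business-critical database server, the database profile has no non-critical canary and must be lab tested before the rollout will start, and the rollout stops at the app tier when app-02 reports its service down, leaving db-01 untouched.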

An enterprise automated patch-management solution can enable IT administrators to effectively enforce and deploy patches across the entire network. Furthermore, a patch-management solution that centralizes and automates the tasks of distribution and application allows IT administrators to make patching an integral part of the overall security-management strategy. Providing a unified view for managing all products in an integrated security console will enhance administrative productivity for IT teams, as well as lessening the overall complexity and costs associated with the task of vulnerability remediation.

Finally, any good security system should employ checks and balances. As attackers become stealthier, using rootkit techniques and blended attacks to gain access to business systems, it becomes necessary to compare what a host reports about itself (installed patches, running services, listening ports) with what an external network scanner or penetration-testing utility observes from the outside.

If every measure of a system's security agrees that it is fully patched and secure, all is well, at least as far as those measurements can see. Any discrepancy, such as a host that claims a patch is installed while a scanner still finds the hole, or a port open on the network that the host does not report, is a red flag for possible malware or rootkit activity inside the corporate network.
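The checks-and-balances idea as an added example, not code from the article: a Python reconciliation that compares what each host's own agent reports (installed patches, listening ports) against what an external scanner observed, and raises a finding for every disagreement. Host names, ports, patch IDs and both data sets are constructed, and the agent and scanner record formats are assumptions, not the output of any real product.

```python
"""Cross-check host-reported security state against an external network scan.

Added example; not code from the article. Both data sets below are constructed,
and the agent/scanner record formats are assumptions, not any product's output.
"""
from dataclasses import dataclass

SEVERITY = {
    "hidden-listener": "high",        # port open on the wire that the host does not admit to
    "patch-state-mismatch": "high",   # host says patched, scanner still finds the hole
    "unknown-device": "medium",       # on the network but not in inventory
    "filtered-or-stale": "low",       # host-reported listener the scanner could not see
    "not-scanned": "low",             # inventory host the scanner never reached
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str
    detail: str

    @property
    def severity(self):
        return SEVERITY[self.kind]


# What each host's own agent reports about itself (constructed).
AGENT_VIEW = {
    "app-01": {"patches": {"KB-A", "KB-B"}, "listening": {80, 443, 3389}},
    "app-02": {"patches": {"KB-A"}, "listening": {80, 443}},
    "db-01": {"patches": {"KB-A"}, "listening": {1433}},
}

# What an external scanner saw from the network (constructed).
SCAN_VIEW = {
    "app-01": {"missing": set(), "open": {80, 443, 3389}},
    "app-02": {"missing": {"KB-A"}, "open": {80, 443, 31337}},  # disagrees with the agent twice
    "db-01": {"missing": set(), "open": {1433}},
    "unk-07": {"missing": {"KB-A"}, "open": {445}},  # no inventory record at all
}


def reconcile(agent_view, scan_view):
    """Return one Finding per disagreement between the two views, in scan order."""
    findings = []
    for host, scan in scan_view.items():
        agent = agent_view.get(host)
        if agent is None:
            findings.append(Finding(host, "unknown-device",
                                    f"on the network with ports {sorted(scan['open'])}, not in inventory"))
            continue
        for patch in sorted(scan["missing"] & agent["patches"]):
            findings.append(Finding(host, "patch-state-mismatch",
                                    f"agent reports {patch} installed, scanner still finds it missing"))
        for port in sorted(scan["open"] - agent["listening"]):
            findings.append(Finding(host, "hidden-listener",
                                    f"port {port} open externally but not in the host's listener list"))
        for port in sorted(agent["listening"] - scan["open"]):
            findings.append(Finding(host, "filtered-or-stale",
                                    f"host reports port {port} listening, scanner saw it closed"))
    for host in sorted(set(agent_view) - set(scan_view)):
        findings.append(Finding(host, "not-scanned", "agent data exists, scanner never reached the host"))
    return findings


def hosts_to_investigate(findings, minimum="medium"):
    """Hosts with at least one finding at or above the given severity, sorted."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({f.host for f in findings if rank[f.severity] >= rank[minimum]})


if __name__ == "__main__":
    for f in reconcile(AGENT_VIEW, SCAN_VIEW):
        print(f"{f.severity:6} {f.host:7} {f.kind:21} {f.detail}")
    print("investigate:", hosts_to_investigate(reconcile(AGENT_VIEW, SCAN_VIEW)))
```

Agreement between the two views only means the measurements agree: a scanner that cannot reach a host, or that infers patch state from banner versions, shares some blind spots with the agent. A "filtered-or-stale" finding is usually just a firewall between scanner and host, but it is worth recording anyway, because a scanner blind spot is exactly where a hidden listener would go unnoticed. In the constructed data, app-02 claims KB-A is installed while the scanner still finds it missing and is also listening on a port its agent does not report, which is the rootkit pattern the article describes, and unk-07 is a device on the network with no inventory record at all.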
