Beating Hackers to the Patch

It’s a good thing the Blaster worm and its variations weren’t really insidious. Had it devastated hard drives, it could have inflicted billions of dollars in lost productivity and other damages globally rather than just significantly annoying Microsoft and IT managers. But Blaster and the Sobig variations are a wake-up call. Cyber attacks are growing rapidly and the potential for them to quickly exploit security holes and wreak havoc is mounting.

The number of IT security incidents jumped from 52,658 in 2001 to 82,094 in 2002, according to the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. All indications suggest that these numbers will continue to grow.

Microsoft and its customers are dueling with hackers in a struggle that resembles the constant thrust and parry between radar detector manufacturers and police with lasers and radar devices. As soon as Microsoft publicizes a security hole, the race is on for network administrators to shore up their defenses before an attack hits. Instead of a $150 speeding ticket, though, millions of dollars could be at stake.

Network administrators facing a flood of patches streaming out of Microsoft need to act fast to safeguard vital corporate information. They should set up plans for quickly determining what patches apply to their systems and how to quickly roll out those patches. They should also learn how the software they purchased for rolling out patches will perform under tight deadlines. Will the software effectively deploy the patches to PCs, servers, laptops and PDAs in time to prevent a successful break-in? Unfortunately for many organizations, the patch deployment software they bought is too complex and labor-intensive to react fast enough. 

Bullets whizzing over the Alamo

There’s no question that most network administrators are overburdened. Not only are they responsible for safeguarding corporate networks, but they also must deploy new software, roll out upgrades, ensure that everyone has the correct software installed, troubleshoot problems and manage special projects for improving overall performance.

Patch management (and the time it requires) is perhaps the least understood of these tasks. Corporate executives know security is important, but they often don’t realize, or don’t care, how much time it takes for an administrator to package and test a patch before sending it out. However, if an administrator stops deploying a new application to deploy a patch, executives will only notice that the new application still isn’t installed – not the fact that the patch may have saved the company from crippling data loss.

Add that frustration to the constant barrage of patches sent out of Redmond, Wash., and it’s no wonder that many administrators feel like they’re under fire. For many organizations, patch management and ensuring security could be a full-time job.

Chief among an administrator’s initial concerns when Microsoft announces a security problem is determining what patches really apply to the organization. Because Microsoft typically issues more than 70 patches a week, administrators need to make quick decisions about the nature of the security hole announced, whether and how much of a risk exists based on current software and hardware configurations, and what the patch will do once deployed. The information about patches on Microsoft’s security and privacy Web page is often cryptic, leaving administrators to wonder just how severe or imminent the threat is. Without enough helpful information, many administrators simply avoid the patch. Researching whether the patch will crash networks or open new security holes also factors into the decision.

Unfortunately, administrators don’t have much time to make an informed decision. If it takes them a couple of days to have a software engineer write the custom code to package and test a new patch – a typical timeframe for many patch management solutions – they might as well invite hackers to ravage their files. Here’s why. When Microsoft discovers a security hole, it announces the problem on its security and privacy Web pages and offers a hot fix. But that announcement acts like a starting gun to would-be hackers trying to figure out how to get in. Some industry gurus estimate that as much as 80 percent of Microsoft’s customer base won’t download the patch because administrators either don’t think it will affect them, or they don’t have the resources. So the sooner hackers launch the virus, the more damage they can inflict. Administrators need to act fast to safeguard their networks.

Circling the wagons

Rapid, successful, first-time patch deployment is key to staying ahead of hackers. However, rapid deployment depends upon several factors, including the ability to prevent users from downloading bad files, an accurate, near-real-time understanding of system hardware and software configurations, a quick evaluation of which patches are necessary, and patch management tools that automate packaging and delivery while providing high deployment success rates.

Here are a few tips that will help administrators deploy the right patches quickly and efficiently:

  1. Lock down desktops and devices to prevent bad file downloads. Administrators can maximize damage control at the outset by delegating permissions to different users to prevent them from downloading files that could launch worms, viruses and other attacks. Based on responsibility and experience, administrators can use Microsoft tools to control the ability of users to change their software and hardware configurations.
  2. Formulate a plan. Administrators need to have a plan in place to react quickly to patch announcements and shut the door on hackers. They need to map out a series of steps for quickly evaluating the patch and its impact, and delegating responsibility for rolling out the patch quickly and efficiently.
  3. Know your system. Knowing the most current software and hardware configurations and user profiles up front significantly helps administrators determine which patches apply to them. This includes servers, PCs, laptops, portable devices, operating systems, applications, etc. If Microsoft issues a hot fix for a scanner driver and a company only has one barely-used scanner, the administrator may determine that patch is unnecessary.
  4. Carefully read the patch alerts. The majority of the thousands of patches Microsoft issues every year won’t apply to most environments. Administrators should read the alerts carefully to make sure their environments have the functionality the patch covers. This can save a lot of time and wasted effort. Conversely, administrators should be attuned to patches that close significant holes.
  5. Automate patch packaging. Microsoft uses the same command language for creating packages to deploy hot fixes. Administrators should automate the packaging process by using software that allows them to cut and paste the new hot fixes into the standard Microsoft package format. Doing so cuts packaging time from days to minutes, giving administrators a much better chance of plugging holes before an attack.
  6. Pull vs. push the patches. Many of today’s patch management solutions force administrators to push patches out to clients based on inventory lists that could take days to compile prior to rolling out the patch. Instead, administrators should package the patch and put it on the corporate LAN where clients that need the patch can install it automatically. Administrators can give the patch deployment software auto-install permissions to target only the clients that lack the specific registry key indicating the patch is already present. Setting up the clients to automatically and seamlessly determine whether or not they need the patch, and then pull it to themselves, is much more efficient than pushing the patch out, and it provides a much higher deployment success rate.
  7. Put out fires quickly. Sometimes simply having the patch on hand isn’t enough. If a virus or worm gets in before a patch is fully deployed, time becomes even more critical in minimizing damage. Administrators can help themselves with software that quickly identifies if a virus has already broken through, hunts down the source and destroys it.
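Tips 3, 4 and 6 together describe one client-side procedure: inventory the machine, decide whether a published hot fix applies and is still missing, and pull it from a LAN share if so. The following PowerShell script is an added example of that procedure; it is not code from the article or from any patch management product it refers to. The share path, KB numbers, registry marker keys and log path are constructed placeholders, and it assumes packages are .msu files installed with wusa.exe (whose /quiet and /norestart switches are real); an environment that packages hot fixes differently would swap the installer line.

```powershell
# Added example (not from the article): a client-side "pull" check meant to run
# from a scheduled task on each workstation. Every path, KB number and registry
# key below is a constructed placeholder for illustration.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Constructed: LAN share where the administrator drops packaged hot fixes.
    [string]$PatchShare = '\\patchsrv\patches',
    # Constructed: local log so the administrator can audit what each client did.
    [string]$LogPath = 'C:\ProgramData\ExampleCorp\patch-pull.log'
)

# Constructed manifest published next to the packages. AppliesTo is matched
# against the OS caption; MarkerKey is the registry key written after a
# successful install, i.e. the "already patched" indicator from tip 6.
$Manifest = @(
    @{ Id = 'KB0000001'; AppliesTo = 'Windows 10'; Installer = 'KB0000001.msu'
       Args = '/quiet /norestart'
       MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\Patches\KB0000001' },
    @{ Id = 'KB0000002'; AppliesTo = 'Windows Server'; Installer = 'KB0000002.msu'
       Args = '/quiet /norestart'
       MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\Patches\KB0000002' }
)

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Tip 3: know the system. Collect OS identity and the hot fixes it reports.
function Get-LocalInventory {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption  = $os.Caption            # e.g. "Microsoft Windows 10 Pro"
        Version  = $os.Version
        HotFixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

# Tip 4 and tip 6: decide whether this patch applies here and is still missing.
function Test-PatchNeeded {
    param($Patch, $Inventory)
    if ($Inventory.Caption -notlike "*$($Patch.AppliesTo)*") { return $false }  # wrong platform
    if ($Inventory.HotFixes -contains $Patch.Id) { return $false }             # OS already reports it
    if (Test-Path -Path $Patch.MarkerKey) { return $false }                     # package marker present
    return $true
}

# Tip 6: pull the package from the share and record the outcome.
function Install-PulledPatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param($Patch)
    $package = Join-Path -Path $PatchShare -ChildPath $Patch.Installer
    if (-not (Test-Path -Path $package)) {
        Write-Log "SKIP $($Patch.Id): package not found at $package"
        return
    }
    if ($PSCmdlet.ShouldProcess($Patch.Id, "install from $package")) {
        # wusa.exe is the Windows Update Standalone Installer for .msu packages.
        $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$package`" $($Patch.Args)" -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { New-Item -Path $Patch.MarkerKey -Force | Out-Null; Write-Log "OK $($Patch.Id)" }
            3010    { New-Item -Path $Patch.MarkerKey -Force | Out-Null; Write-Log "OK $($Patch.Id): reboot required" }
            default { Write-Log "FAIL $($Patch.Id): exit code $($proc.ExitCode)" }
        }
    }
}

$inventory = Get-LocalInventory
Write-Log "inventory: $($inventory.Caption) $($inventory.Version), $($inventory.HotFixes.Count) hot fixes reported"
foreach ($patch in $Manifest) {
    if (Test-PatchNeeded -Patch $patch -Inventory $inventory) {
        Install-PulledPatch -Patch $patch
    } else {
        Write-Log "NOOP $($patch.Id): not applicable or already present"
    }
}
```

Run it with -WhatIf first to see which packages a client would pull without installing anything, and schedule it under a service account that can read the share but not write to it, so a compromised client cannot alter the packages other clients will pull. Exit code 3010 is the documented "success, reboot required" result, which is why the marker key is written in that branch too; the log lines give the administrator the per-client deployment picture that tip 6 relies on instead of a pre-compiled inventory list.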

Microsoft is playing a high-stakes game of cat and mouse with hackers, and the giant software maker’s customers are the ones with the most to lose. Network administrators are in a race with hackers, and only by anticipating attacks and reacting quickly will they win. By planning ahead, carefully scanning patch alerts for relevance, knowing existing software and hardware configurations and automating patch rollout, they can fill security holes before worms, viruses and other attacks can do any damage.
