Cyber Eye: Configuration control comes before patch management
When Microsoft Corp. last month had to yank a Windows XP security update, it underscored the importance'and the difficulty'of managing security patches.
Repeated studies have shown that most successful IT attacks exploit software weaknesses for which fixes are already available. Installing the patches should stop the attacks. But Microsoft's experience shows it isn't quite that simple.
The company on May 21 released an IP Security Protocol update to make virtual private network connections work better with Network Address Translation. The update also checked for possible network security breaches.
Two days later, Microsoft had to pull the IPSec patch off its Windows Update site after some of the XP patchers'estimated to range from a handful to 600,000'lost their network connectivity.
It happened because certain third-party software made IPSec think it was under attack. It responded in the only way it knew'by shutting off traffic. Microsoft has said it plans to reissue the patch after the third-party problems are resolved.
In the meantime, users can uninstall the update with Add/Remove Programs in the Control Panel.
Wise system administrators and security officers insist on testing patches and updates before installing them. But the multiple hardware-software configurations common in a large enterprise take lots of time to test, which leaves systems vulnerable in the interim. Many flaws persist not because of inattention, but because there isn't enough time to install the patches properly.
Administrators can do little about the quality of vendor patches. But Ken Silva, vice president of networks and information security at VeriSign Inc. of Mountain View, Calif., says there is a way to speed testing and verification.
'In a production environment, patch management is easy to handle,' he said. 'It's standardization, rigid standardization.'
On VeriSign's networks, he said, users have the software they need, but only that. Those in charge know exactly who has what. So, instead of testing a new patch against hundreds of configurations, they can test against a handful.
'We just pushed a patch out to 300 machines and didn't have a problem because all of them were built exactly the same,' Silva said. 'Change management is so important' in all aspects of administration.
Change management is no silver bullet for security, of course. Especially for those who work with aging networks, managing change adequately is itself a hard task. It requires the buy-in of everyone in an enterprise, including lowly end users with day-to-day control of desktop or notebook systems. But the benefits in security and efficiency make the effort worthwhile.