Worms inspire VA's in-house patch effort
'We learned that the antivirus side of our house was in good working order, but the patch management side is horrendous.'
- Department of Veterans Affairs' Bruce Brody
The Veterans Affairs Department will begin an aggressive in-house software-patching program. Other organizations, the White House and Federal Aviation Administration among them, are also looking at setting up their own patching operations.
The need for the patch system became apparent during the recent waves of worms that swamped the Internet, said Bruce Brody, associate deputy assistant secretary for cyber and information security, speaking at a recent Washington security conference sponsored by Unisys Corp.
'We did very well in the first round of worm outbreaks' last month, Brody said, but 'we learned that the antivirus side of our house was in good working order, but the patch management side is horrendous.'
Microsoft Corp. on July 16 released a patch for a critical vulnerability in the Remote Procedure Call function of its Windows operating systems. But the MSBlaster worm that appeared three weeks later, and subsequent variants, found plenty of unprotected machines.
'We got hit pretty hard,' Brody said. 'All the unpatched systems really caused us problems. And we had put out the patch as early as July 16.'

Time is of the essence
Installing patches in a timely manner has emerged as one of the biggest problems for IT staffs, said Michael F. Brown, FAA's director of information systems security.
Brown said FAA wants a patch management system that will automate fixes as much as possible while giving administrators the control they want over the process.
The White House's CIO office also is exploring patch management, said Jaime Borrego, its director of information assurance.
A free service offered by the Federal Computer Incident Response Center has been slow to gain traction, however. FedCIRC's Patch Authentication and Dissemination Capability alerts agencies to security patches applicable to their systems, tests the patches and provides a verified download link.
Neither FAA nor the White House currently uses the service, but 'we're taking a look at it,' Brown and Borrego both said. FAA has a few PADC licenses for tests and is also looking at in-house development, Brown said.
Neither man would comment about the effect of recent worms on their systems. But Borrego said the White House 'took additional steps besides patch management' to foil MSBlaster and its variants.
Antivirus programs can block known malicious code such as viruses and worms, but they do not close underlying security holes. That was why VA could protect itself from the original MSBlaster worm but fall victim to variants released later.
Brody said establishing a centralized antivirus program was one of his priorities in his two-year tenure as VA's chief security officer. VA's Central Incident Response Capability in Silver Spring, Md., manages McAfee VirusScan products from Network Associates Inc. of Santa Clara, Calif.
No antivirus product fully meets the department's requirements, however.
'The problems are primarily in management and reporting,' Brody said. Because of the department's centralized antivirus management, he said, 'we require a four-tier hierarchical structure' with the ability to gather data and push updates to departmental, regional, facility and desktop levels.
After evaluating available antivirus products, Brody said, 'I told the CEO of McAfee that his product sucked the least.'