Cybereye: Here's how to get breathing room in the worm fight

William Jackson

Patch Tuesday has become something of a ritual. On the second Tuesday of each month, Microsoft Corp. announces a new set of vulnerabilities and releases the patches to fix them. That is the starting gun for a sprint that pits hackers against systems administrators.

All too often the hackers win, putting an exploit into circulation before the administrators can patch their systems.

The most recent example of this was the Zotob worm, variants of which attacked Microsoft's Plug and Play service within days of the vulnerability's announcement. This outbreak probably got more attention than it otherwise would have because early victims included CNN, which immediately began reporting its own woes. Unfortunately, it also produced some bad advice.

'Anyone with a solid, timely approach to security discipline need not worry,' Carmi Levy, an analyst with Info-Tech Research Group of London, Ontario, said in a written statement. 'If everyone applied the latest service packs and security patches to their operating systems, this virus wouldn't be making headlines.'

Not necessarily. As Levy points out, 'it no longer takes weeks to develop a virus that can take down an entire network.' However, it can take weeks for an organization with a solid, timely approach to security to effectively patch its systems. Pushing patches too quickly and without adequate testing is not solid security practice.

Rock, meet hard place

Administrators are caught between Scylla and Charybdis, trying to get patches out in time while ensuring they do not do more harm than good.

'I would expect that next month a lot of administrators will be under orders to immediately patch everybody,' said Dave Perry, global director of education for Trend Micro Inc. of Cupertino, Calif. 'And I think we will see really fast if there are any bugs in the patches.'

As IT systems approach organic complexity, even effective, bug-free patches can have unanticipated effects on hardware-software combinations. This means that Microsoft cannot effectively test its patches against your configurations. You have to do it yourself.

'No two machines are exactly alike,' Perry said. 'How do you know you can treat machine A the same way as machine B?'

Patching cycles can also be affected by IT systems' missions. Some systems just cannot be patched and rebooted at a moment's notice because they might be in the middle of something important to government.

This does not mean that vulnerable machines are doomed. Patch management is only one aspect, although a vital one, of vulnerability management. There are plenty of ways to reduce your exposure prior to patching. Properly configured firewalls, intrusion detection and prevention systems, and antivirus programs can go a long way.

Your firewalls should be able to block many worms by shutting down unneeded ports. Some ports, such as 80 and 88 for Web traffic and 21 for File Transfer Protocol, you'll have to leave open. But do you really need to have port 445, a printer and file sharing port, open to the Internet? If you don't need it, close it.
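The port-blocking advice above can be checked mechanically. The following Python script is an added example, not part of the column: it audits a constructed inbound firewall policy against an allowlist of ports that must stay reachable (80 and 21, as the column names) and a denylist of ports that should never face the Internet (445, as the column singles out; 135 and 139 are added here as an assumption in the same spirit), then returns a hardened copy of the policy. The rule format and sample rules are constructed for the example.

```python
"""Audit an inbound firewall policy for Internet-exposed ports.

Added example; the rule format, sample rules and port lists below are
constructed for illustration and are not from any real product.
"""
from dataclasses import dataclass
from typing import List

# Ports the column says must stay open to the Internet (assumed TCP).
REQUIRED_OPEN = {80, 21}
# Ports that should not be reachable from the Internet. 445 is the one the
# column names; 135 and 139 are assumptions (other Windows file/RPC ports).
NEVER_EXPOSE = {445, 139, 135}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # "any", "internal" or "internet"
    port: int     # destination TCP port


# Constructed sample policy: first match wins, implicit deny at the end.
SAMPLE_RULES: List[Rule] = [
    Rule("allow", "any", 80),
    Rule("allow", "any", 21),
    Rule("allow", "any", 445),        # the mistake: SMB open to the world
    Rule("allow", "internal", 139),   # fine: only internal sources
]


def first_match(rules: List[Rule], port: int, src: str) -> str:
    """Return the action of the first rule matching (src, port); default deny."""
    for r in rules:
        if r.port == port and r.src in ("any", src):
            return r.action
    return "deny"


def audit(rules: List[Rule], required_open=REQUIRED_OPEN,
          never_expose=NEVER_EXPOSE) -> List[str]:
    """List policy findings as seen from an Internet-sourced connection."""
    findings = []
    for port in sorted(required_open):
        if first_match(rules, port, "internet") != "allow":
            findings.append(f"port {port} is required open but policy denies it")
    for port in sorted(never_expose):
        if first_match(rules, port, "internet") == "allow":
            findings.append(f"port {port} is exposed to the Internet; deny it unless needed")
    return findings


def harden(rules: List[Rule], never_expose=NEVER_EXPOSE) -> List[Rule]:
    """Return a copy of the policy with Internet-facing allows for the
    never-expose ports turned into explicit denies."""
    hardened = []
    for r in rules:
        if r.action == "allow" and r.port in never_expose and r.src in ("any", "internet"):
            hardened.append(Rule("deny", "internet", r.port))
        else:
            hardened.append(r)
    return hardened


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("finding:", f)
    print("after hardening:", audit(harden(SAMPLE_RULES)) or "no findings")
```

Run against the sample policy, the audit reports only the exposed port 445; after `harden()` the same audit returns no findings while the internal-only rule for 139 is left untouched.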

There are products that watch for anomalous or downright malicious behavior and block it, or at least notify you of it. And by controlling outbound as well as inbound traffic, you can often spot an infection early and stop it from spreading.
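The outbound-traffic point above is what makes a worm visible early: an infected host starts reaching out to many distinct neighbours on the vulnerable service port. The following Python script is an added example, not from the column or from any product it mentions: it parses a constructed connection log and flags any source that contacts at least `threshold` distinct destinations on a watched port within a sliding time window. The log format, sample lines, window and threshold are all assumptions made for the example.

```python
"""Detect worm-like outbound fan-out from a connection log.

Added example; the log format and sample lines are constructed.
Each line is: "<unix_ts> <src> -> <dst>:<dport>".
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+)$")

# Constructed sample log: 10.0.0.5 sweeps twelve neighbours on 445 within
# twelve seconds (worm-like); 10.0.0.7 touches two file servers (normal);
# 10.0.0.9 makes one web connection (not a watched port).
SAMPLE_LOG = [f"{1000 + i} 10.0.0.5 -> 10.0.0.{i + 1}:445" for i in range(12)]
SAMPLE_LOG += [
    "1005 10.0.0.7 -> 10.0.1.20:445",
    "1006 10.0.0.7 -> 10.0.1.21:445",
    "1007 10.0.0.9 -> 93.184.216.34:80",
]


def parse(lines: Iterable[str]):
    """Yield (ts, src, dst, dport) for every well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["dport"])


def fan_out(lines: Iterable[str], window: int = 60, threshold: int = 10,
            watch_ports: Tuple[int, ...] = (445,)) -> Dict[Tuple[str, int], int]:
    """Return {(src, dport): peak distinct destinations} for every source that
    reached at least `threshold` distinct destinations on a watched port
    within any `window`-second span."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(lines):
        if dport in watch_ports:
            events[(src, dport)].append((ts, dst))

    alerts = {}
    for key, ev in events.items():
        ev.sort()                       # order by timestamp
        in_window = defaultdict(int)    # dst -> count of events inside window
        lo, peak = 0, 0
        for ts, dst in ev:
            in_window[dst] += 1
            # Drop events older than the window from the left edge.
            while ev[lo][0] < ts - window:
                old = ev[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, port), n in fan_out(SAMPLE_LOG).items():
        print(f"alert: {src} reached {n} distinct hosts on tcp/{port} within 60s")
```

On the sample log only 10.0.0.5 trips the detector (twelve distinct destinations on 445); the two-server host and the web connection do not. The threshold is deliberately a parameter: a file server or backup host legitimately talks to many peers on 445, so tune it per host role rather than alerting on a single global number.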

Yes, patching systems quickly is important, but so is an appropriate level of caution, and multiple levels of defense can help buy you the time you need. It's a tough job, but hey, that's why you're pulling down the big bucks, right?

William Jackson is a Government Computer News senior writer. E-mail him at wjackson@postnewsweektech.com.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.
