
Some Ideas on Winning the CyberSecurity War

There must be a fundamental shift from addressing vulnerabilities in a reactive mode to tackling them proactively. Cybersecurity is on everyone's mind. Threats run the gamut, from domestic to foreign, internal to external, from teenage hackers to sophisticated rings with malicious intentions. So, how should corporations protect themselves? And how do they implement security measures without breaking the bank?

Question 1: What Is the Weakest Link?

What is the biggest vulnerability in most security systems? Any good security expert will tell you that good security is mostly not about technology. It is about the people, processes, policies, and ways in which technology is used in an organization. People play a huge role in cybersecurity, and people are not infallible. Even the best make mistakes.

We know the basic human-error risks in security -- people don't always follow security policies, creating holes in the system. But perhaps the biggest weak spot of enterprise corporations and government agencies can be found inside the hundreds of thousands of servers that live within the data center. The number of required security patches and updates for all these servers and the applications that run on them is overwhelming.

According to the security group Attrition.org,

  1. Microsoft alone released over 100 security patches last year.

  2. Sun Microsystems currently has no less than 35 security patches just for Solaris 7.

  3. With new patches being released by software vendors on nearly a weekly basis, IT managers simply can't keep up.

  4. The result: Systems are more vulnerable than ever.

Attrition.org also reports that failing to patch systems responsibly accounted for 99% of the 5,823 website defacements in 2001, up 56% from the 3,746 websites defaced in 1999.

Question 2: How Big an Issue Is Failure to Patch Systems?

How big an issue has cybersecurity become? The number of software vulnerabilities has increased tremendously.

According to the Computer Emergency Response Team (CERT), federally funded and operated by Carnegie Mellon University:

  1. 2,437 vulnerabilities were reported in 2001

  2. 2,148 vulnerabilities were reported in the first half of 2002 alone.

  3. The increase in vulnerabilities translates into a significant increase in breaches.

  4. In all of 2001, CERT reported 52,658 breaches.

  5. In the first half of 2002, that number jumped to 43,136.

These breaches hit corporations' bottom lines. According to the Internet Security Alliance (www.isalliance.org), three attacks -- Code Red, SirCam and Love Bug -- cost corporations over $13 billion.

The problem is not that patches don't exist for vulnerabilities.

In fact, the Gartner Group predicts that 90% of cyberattacks will exploit known security flaws for which a patch is available or a solution known. Such was the case with the incidents last year -- corporations could have protected themselves if they had quickly and correctly applied existing patches to each of their systems.

Question 3: Why Is Patching Systems So Hard?

Corporations simply can't keep up with the increase in complexity, and the scale of systems being managed. The issue is not that technologies don't exist to address problems or that patches aren't there to solve vulnerabilities, but rather that you must apply the same solutions to a larger world.

That problem is magnified by the proliferation of IT across companies. Business needs require IT organizations to keep secure an ever-growing number of servers and applications.

Today's applications demand:

  1. More servers

    IT departments are running so many servers that sometimes they have no idea what they're all used for. Sometimes the only way they find out is by unplugging a server and seeing what goes down.

  2. More complex integration

    The "plumbing" underneath applications is more complex, forcing IT teams to tie together infrastructure products and their associated patches.

  3. More uptime

    Because external customers access applications, the need for 24x7 uptime has never been higher. A security breach doesn't just mean employees can't access the intranet; often it means you're on the front page of the Wall Street Journal, you lose revenue because customers can't access your site, or your brand is damaged because someone has stolen your customers' personal information.

Question 4: What's the Solution?

IT organizations are realizing that un-patched servers are their number one security threat. The damage from Code Red clearly opened their eyes. To solve this, there must be a fundamental shift from addressing vulnerabilities in a reactive mode to tackling them proactively. The solution isn't to throw more people at the problem to manually patch machines faster. Rather, companies must rethink the management of their entire architecture from the ground up.

To address these challenges successfully, IT organizations need two components to their approach.

  1. Blueprint for a Systematic, Recorded Approach

    IT needs detailed, up-to-date information about their servers:

    • Where is each server located?

    • What software and patches are installed on each server?

    • How is the software configured to work with the rest of the environment?

    No construction crew would build a house without a blueprint. The blueprint is an up-to-date model that allows people to compare the construction-in-progress ("what is") with the architect's vision ("what should be"). Most teams cobble together Excel spreadsheets, Visio diagrams, and Post-It notes to track what's been patched and what hasn't. An accurate blueprint of the environment is simply not available.

    The results? An environment that is difficult to troubleshoot and patch. A harried IT team always in fire-fighting mode. To solve this problem, IT desperately needs an up-to-date blueprint or model of the servers and the applications running on them.

    The blueprint must be detailed enough to describe the operationally relevant information about a server, such as:

    • What is the server's hardware configuration?

    • What operating system version is it running?

    • What software is installed on it?

    • How is each software package configured?

    • What patches are installed (or missing)?

    Furthermore, the model needs to update itself dynamically so administrators aren't forced to update the blueprint manually after they patch a particular server. This up-to-date blueprint keeps the entire IT organization on the same page.

  2. Automated Patch Management for Consistency

    IT needs an automated way to make quick, consistent changes across a large number of servers using the blueprint. IT departments are bombarded with hundreds of fixes for hundreds of different software packages installed somewhere in their enterprise.

    Without an automated system, an IT administrator must first check each server for patch levels, deploy the patch, test the server to make sure no conflicts exist, and perhaps, if they remember, document that the patch was applied.

    An automated system can simultaneously check what's already on each of 100 or 1,000 servers, simultaneously deploy the patch across those servers, ensure each server stays up and running, and update the blueprint, so it's accurate the next time a patch comes along.

    Perhaps even more importantly, automation can bring a much-desired consistency to this process. Consistency is crucial; installing the latest Microsoft hotfix on 999 out of 1,000 is not good enough -- the single un-patched server makes the whole environment vulnerable.
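As an added illustration (not part of the original article), the blueprint idea reduced to code: a "what should be" table of required patches, a "what is" record per server, an all-or-nothing compliance check, and a model that is updated the moment a patch is applied. Server names, package names and patch identifiers are constructed placeholders, not real vendor advisories.

```python
"""Blueprint vs. reality: compare each server's recorded state with the
intended state and flag every server missing a required patch.
All names, fields and sample data are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Server:
    """One entry in the blueprint: the 'what is' record for a server."""
    name: str
    os: str
    software: set[str] = field(default_factory=set)
    patches: set[str] = field(default_factory=set)


# The 'what should be' side: required patches keyed by OS and by package.
# Identifiers are placeholders, not real patch or hotfix numbers.
REQUIRED_PATCHES = {
    "os": {"solaris-7": {"S7-001", "S7-002"}, "win2k": {"W2K-010"}},
    "software": {"webserver": {"WEB-3"}, "db": {"DB-7"}},
}


def required_for(server: Server) -> set[str]:
    """Patches the blueprint says this server needs, from its OS and software."""
    needed = set(REQUIRED_PATCHES["os"].get(server.os, set()))
    for pkg in server.software:
        needed |= REQUIRED_PATCHES["software"].get(pkg, set())
    return needed


def missing_patches(server: Server) -> set[str]:
    """Gap between 'what should be' and 'what is' for one server."""
    return required_for(server) - server.patches


def environment_report(fleet: list[Server]) -> dict:
    """All-or-nothing: a single unpatched server makes the environment non-compliant."""
    gaps = {s.name: sorted(missing_patches(s)) for s in fleet if missing_patches(s)}
    return {"compliant": not gaps, "servers_checked": len(fleet), "gaps": gaps}


def record_patch(server: Server, patch_id: str) -> None:
    """Keep the blueprint current: applying a patch updates the model at once."""
    server.patches.add(patch_id)


# Constructed fleet: two servers, one of them one patch short.
FLEET = [
    Server("web01", "solaris-7", {"webserver"}, {"S7-001", "S7-002", "WEB-3"}),
    Server("db01", "win2k", {"db"}, {"W2K-010"}),
]

if __name__ == "__main__":
    print(environment_report(FLEET))  # db01 is missing DB-7
```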

Question 5: How Do I Implement These Solutions?

To guarantee the security of their systems, companies must re-engineer IT around these two principles. This may sound overwhelming, but companies can introduce these concepts in a phased approach without a big up-front investment.

This means each new application rolled out should use a blueprint to design the system and an automated system to update and patch it. It also means taking a look at existing applications one by one and applying this approach to them, starting with the most mission-critical or revenue-driving applications. Prioritize automated patch management for externally facing applications, which are the most vulnerable if they are not properly patched every single time.

Companies spend more than $2 billion annually on patch research and deployment, according to Aberdeen Group. Using a blueprint of the system and automating patch management can save corporations significant time and money, as patches can be tested and rolled out more quickly, requiring fewer man-hours. In addition, documenting all changes in a blueprint reduces the chance of downtime caused by unpatched servers.

Question 6: What Should I Look for in IT Vendors To Ensure Security?

  1. First, think of security as a must-have, rather than a feature.

    This means addressing it up-front with software vendors, before or separate from cost-benefit discussions that don't have anything to do with security.

  2. Second, select vendors that have thought of security from day one.

    For example, ask your software vendors about their approach to bugs in code, issuing patches, etc. Do they do a timely job responding to security issues for customers currently using their products?

  3. Third, look for vendors that can easily integrate with a tracked, automated system.

    You should be able to easily use and integrate their products without putting your entire system at risk, and easily apply best practices and an automated approach to their usage.

The Bottom Line

While the issue of cybersecurity will only increase in complexity as IT's sphere of influence expands, companies can dramatically reduce their risk of cyberattack by implementing a systematic, automated approach for patch management.
