Some Ideas on Winning the CyberSecurity War
There must be a fundamental shift from addressing vulnerabilities in a
reactive mode to tackling them proactively. Cybersecurity is on
everyone's mind. Threats run the gamut, from domestic to foreign,
internal to external, from teenage hackers to sophisticated rings with
malicious intentions. So, how should corporations protect themselves?
And how do they implement security measures without breaking the
Question 1: What Is the Weakest Link?
What is the biggest vulnerability in most security systems? Any good
security expert will tell you that good security is mostly not about
technology. It is about the people, processes, policies, and ways in
which technology is used in an organization. People play a huge role
in cybersecurity, and people are not infallible. Even the best make
We know the basic human-error risks in security -- people don't always
follow security policies, creating holes in the system. But perhaps
the biggest weak spot of enterprise corporations and government
agencies can be found inside the hundreds of thousands of servers that
live within the data center. The number of required security patches
and updates for all these servers and the applications that run on
them is overwhelming.
According to the security group Attrition.org, in 2001, failing to
responsibly patch computers led to 99% of the 5,823 website
defacements last year, up 56% from the 3,746 websites defaced in 1999.
- Microsoft alone released over 100 security patches last year.
- Sun Microsystems currently has no fewer than 35 security patches just for Solaris 7.
- With new patches being released by software vendors on nearly a
weekly basis, IT managers simply can't keep up.
- The result: systems are more vulnerable than ever.
Question 2: How Big an Issue Is Failure to Patch Systems?
How big an issue has cybersecurity become? The number of software
vulnerabilities has increased tremendously.
According to the Computer Emergency Response Team (CERT), federally
funded and operated by Carnegie Mellon University:
- 2,437 vulnerabilities were reported in 2001.
- 2,148 vulnerabilities were reported in the first half of 2002 alone.
- The increase in vulnerabilities translates into a significant
increase in incidents.
- In all of 2001, CERT recorded 52,658 incidents.
- In the first half of 2002 alone, it had already recorded 43,136.
These incidents hit corporations' bottom lines. According to the
Internet Security Alliance (www.isalliance.org), three attacks -- Code
Red, SirCam and Love Bug -- cost corporations over $13 billion.
The problem is not that patches don't exist for vulnerabilities.
In fact, the Gartner Group predicts that 90% of cyberattacks will
exploit known security flaws for which a patch is available or a
solution known. Such was the case with the incidents last year --
corporations could have protected themselves if they had quickly and
correctly applied existing patches to each of their systems.
Question 3: Why Is Patching Systems So Hard?
Corporations simply can't keep up with the growing complexity and
scale of the systems they manage. The issue is not that technologies
to address the problems don't exist, or that patches aren't there to
fix vulnerabilities, but that the same fixes must now be applied
consistently across a far larger and more varied estate.
That problem is magnified by the proliferation of IT across companies.
Business needs require IT organizations to keep secure an ever-growing
number of servers and applications.
Today's applications demand:
- More servers
IT departments are running so many servers that sometimes they have no
idea what they're all used for. Sometimes the only way they find out
is by unplugging a server and seeing what goes down.
- More complex integration
The "plumbing" underneath applications is more complex, forcing IT
teams to tie together infrastructure products and their associated
- More uptime
Because external customers access applications, the need for 24x7
uptime has never been higher. A security breach doesn't just mean
employees can't access the intranet; often it means you're on the
front page of the Wall Street Journal, you lose revenue because
customers can't access your site, or your brand is damaged because
someone has stolen your customers' personal information.
Question 4: What's the Solution?
IT organizations are realizing that un-patched servers are their
number one security threat. The damage from Code Red clearly opened
their eyes. To solve this, there must be a fundamental shift from
addressing vulnerabilities in a reactive mode to tackling them
proactively. The solution isn't to throw more people at the problem to
manually patch machines faster. Rather, companies must rethink the
management of their entire architecture from the ground up.
To address these challenges successfully, IT organizations need two
components to their approach.
Question 5: How Do I Implement These Solutions?
- Blueprint for a Systematic, Recorded Approach
IT needs detailed, up-to-date information about its servers:
- Where is each server located?
- What software and patches are installed on each server?
- How is the software configured to work with the rest of the environment?
No construction crew would build a house without a blueprint. The
blueprint is an up-to-date model that allows people to compare the
construction-in-progress ("what is") with the architect's vision
("what should be"). Most teams cobble together Excel spreadsheets,
Visio diagrams, and Post-It notes to track what's been patched and
what hasn't. An accurate blueprint of the environment is simply not
The results? An environment that is difficult to troubleshoot and
patch. A harried IT team always in fire-fighting mode. To solve this
problem, IT desperately needs an up-to-date blueprint or model of the
servers and the applications running on them. The blueprint must be
detailed enough to describe the operationally relevant information
about a server, such as:
- What is the server's hardware configuration?
- What operating system version is it running?
- What software is installed on it?
- How is each software package configured?
- What patches are installed (or missing)?
Furthermore, the model needs to update itself dynamically so
administrators aren't forced to update the blueprint manually after
they patch a particular server. This up-to-date blueprint keeps the
entire IT organization on the same page.
- Automated Patch Management for Consistency
IT needs an automated way to make quick, consistent changes across a
large number of servers using the blueprint. IT departments are
bombarded with hundreds of fixes for hundreds of different software
packages installed somewhere in their enterprise.
Without an automated system, an IT administrator must first check each
server for patch levels, deploy the patch, test the server to make
sure no conflicts exist, and perhaps, if they remember, document that
the patch was applied.
An automated system can check what's already on each of 100 or 1,000
servers, deploy the patch across all of them at once, ensure each
server stays up and running, and update the blueprint, so it's
accurate the next time a patch comes
Perhaps even more importantly, automation can bring a much-desired
consistency to this process. Consistency is crucial; installing the
latest Microsoft hotfix on 999 out of 1,000 is not good enough -- the
single un-patched server makes the whole environment vulnerable.
To guarantee the security of their systems, companies must re-engineer
IT around these two principles. This may sound overwhelming, but
companies can introduce these concepts in a phased approach without a
big up-front investment.
This means each new application rolled out should use a blueprint to
design the system, and an automated system to update and patch it. And
it means taking a look at existing applications, one by one, and
applying this approach to them, starting with the most
mission-critical or revenue-driving applications. Prioritize
automated patch management for externally facing applications, those
most vulnerable if not properly patched every single time.
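As an added illustration (not the article's own tool, nor any vendor's), the following Python script models the blueprint comparison of "what is" against "what should be" described above: it reports which servers are missing required patches with Internet-facing and mission-critical hosts first (the prioritization just described), treats the environment as compliant only when every last server is current (the 999-out-of-1,000 point from the automation section), and records each deployment back into the blueprint so the record stays accurate. All server names, OS labels and patch identifiers are constructed sample data, not real systems or advisories.

```python
"""Blueprint-driven patch drift check. Added example; sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Server:
    name: str
    os: str
    installed: set          # patch identifiers present on the server ("what is")
    external: bool = False  # reachable from the Internet
    critical: bool = False  # mission-critical or revenue-driving


# "What should be": required patches per OS. IDs are constructed, not real advisories.
BASELINE = {
    "os-a": {"FIX-1001", "FIX-1002", "FIX-1003"},
    "os-b": {"FIX-2001"},
}

# "What is": a constructed inventory standing in for the blueprint's live view.
INVENTORY = [
    Server("web01", "os-a", {"FIX-1001", "FIX-1002", "FIX-1003"}, external=True, critical=True),
    Server("web02", "os-a", {"FIX-1001", "FIX-1002"}, external=True, critical=True),
    Server("db01", "os-b", set(), critical=True),
    Server("build01", "os-a", {"FIX-1001"}),
]

AUDIT_LOG = []  # blueprint change records appended by deploy_patch()


def missing_patches(server, baseline=BASELINE):
    """Diff one server's installed set against the baseline for its OS."""
    required = baseline.get(server.os)
    if required is None:
        # An unknown OS means the blueprint itself is incomplete; fail loudly.
        raise ValueError(f"{server.name}: no baseline for OS {server.os!r}")
    return required - server.installed


def priority(server):
    """Sort key: Internet-facing first, then mission-critical, then everything else."""
    return (0 if server.external else 1, 0 if server.critical else 1, server.name)


def drift_report(servers, baseline=BASELINE):
    """(name, sorted missing patches) for every non-compliant server, most exposed first."""
    ordered = sorted(servers, key=priority)
    rows = [(s.name, sorted(missing_patches(s, baseline))) for s in ordered]
    return [(name, gaps) for name, gaps in rows if gaps]


def environment_compliant(servers, baseline=BASELINE):
    """True only when no server at all is missing a baseline patch."""
    return all(not missing_patches(s, baseline) for s in servers)


def deploy_patch(servers, patch_id, baseline=BASELINE, log=AUDIT_LOG):
    """Install patch_id everywhere the baseline requires it; record each change.

    Returns the names of servers that were changed. Servers whose baseline
    does not list the patch are left untouched.
    """
    changed = []
    for s in servers:
        if patch_id in baseline.get(s.os, set()) and patch_id not in s.installed:
            s.installed.add(patch_id)  # the "deploy" step, simulated in-model
            log.append({
                "server": s.name,
                "patch": patch_id,
                "at": datetime.now(timezone.utc).isoformat(),
            })
            changed.append(s.name)
    return changed


if __name__ == "__main__":
    for name, gaps in drift_report(INVENTORY):
        print(f"{name}: missing {', '.join(gaps)}")
    print("compliant:", environment_compliant(INVENTORY))
    print("patched FIX-1003 on:", deploy_patch(INVENTORY, "FIX-1003"))
    print("compliant after one patch:", environment_compliant(INVENTORY))
```

In this model the report is driven entirely by the baseline, so adding a newly released patch to BASELINE is enough to make every server that lacks it show up as drifted on the next run; the audit log is the record the article says administrators otherwise forget to keep.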
Companies spend more than $2 billion annually on patch research and
deployment, according to Aberdeen Group. Using a blueprint of the
system and automating patch management can save corporations
significant time and money, as patches can be tested and rolled out
more quickly, requiring fewer man-hours. In addition, documenting all
changes in a blueprint reduces the chance of downtime caused by
Question 6: What Should I Look for in IT Vendors To Ensure Security?
- First, think of security as a must-have, rather than a feature.
This means addressing it up-front with software vendors, before or
separate from cost-benefit discussions that don't have anything to do
- Second, select vendors that have thought of security from day one.
For example, ask your software vendors about their approach to bugs in
code, issuing patches, etc. Do they respond to security issues in a
timely way for customers currently using their products?
- Third, look for vendors that can easily integrate with a tracked, automated system.
You should be able to use and integrate their products without
putting your entire system at risk, and to apply best practices and
an automated approach to their usage.
The Bottom Line
While the issue of cybersecurity will only increase in complexity as
IT's sphere of influence expands, companies can dramatically reduce
their risk of cyberattack by implementing a systematic, automated
approach for patch management.