March 7, 2003 - Volume 2, Number 3
Managing Security Updates
by Mark Altenbernd
Unless you’ve been off the planet for the past
several years, you are aware of the security problems that plague
the Internet and everyone connected to it. New viruses, worms,
Trojan horses, and other threats are released every day, and once
or twice a year there is a major incident that affects vast numbers
of Internet users and generates a good bit of publicity.
Many of the security vulnerabilities result from
weaknesses in the software that we use every day, both operating
systems and applications. The most recent major disruption, for
example, was the Slammer worm that hit the ‘net on the last weekend
in January. Within minutes of its release, it had swamped the
Internet with hundreds of millions of harmless messages that
nonetheless denied service to millions of Internet users. The
Slammer took advantage of a specific vulnerability that was known
to exist with Microsoft’s SQL Server database management system.
It turns out that, for several reasons, Microsoft
is the biggest offender when it comes to issuing software with significant
security flaws. One of the reasons is simply the volume of computers
that use Microsoft software. When a virus exploits a weakness
in one of their products, it affects a great many people, magnifying
its impact. But Microsoft also has been guilty of rushing software
to market with too little consideration of its security weaknesses
and too little testing for flaws.
To its credit, Microsoft takes the security issue
seriously, and about a year ago they announced their Trustworthy
Computing (TWC) initiative aimed at improving the quality and
security of all of their products. They are beginning to build
security standards into their software and to test much more
extensively than they had been doing.
But even in the most rigorously designed and tested
software, security vulnerabilities will appear from time to time.
One of the most important aspects of the Trustworthy Computing
initiative is Microsoft’s issuing patches and updates to correct
specific security vulnerabilities as they are identified in software
that has already been released. Microsoft manages a security
mailing list that it uses to inform subscribers of new patches
and updates as they are released. In addition, Microsoft maintains
a number of Web sites from which users can download the various
patches, updates, and service packs as they become available
to correct various flaws and vulnerabilities. Among all of its
products, Microsoft issues security patches at the rate of about
one per week.
One problem that Microsoft has acknowledged but
not yet adequately addressed is the enormous complexity and difficulty
of the process of identifying, acquiring, and installing appropriate
patches. The patches that Microsoft has released have tended
to be difficult to understand, hard to install, badly documented,
and frequently in conflict with one another. The Slammer worm
illustrates this point. Microsoft had identified the vulnerability
that Slammer exploited more than 6 months before January’s attack
and had published a patch that definitively corrected the problem.
Indeed, those SQL Servers that had the patch installed breezed
through Super Bowl weekend without missing a step – they
were completely unfazed by Slammer. Yet far more instances of
SQL Server were unpatched than patched, including a number of
Microsoft’s own servers, which were as badly compromised as any
other. Microsoft has acknowledged, somewhat sheepishly, that
the process of installing patches is much too difficult and has
promised to improve the process. The result of this difficulty,
of course, is that most of the instances of SQL Server simply
never had the patches applied and suffered accordingly.
Microsoft can certainly improve the ease of installation
of patches and is working to do so. But the confounding complexity
of patch management is endemic and stems from two sources:
- The need to be aware of vulnerabilities and their corrective
patches, as well as acquiring the patches;
- The need to identify all of the machines – servers, workstations,
laptops – that require a given patch, and then to mediate
and record the actual patching process for each machine.
The first point requires that a data center have
one or more extramural relationships with software vendors, such
as Microsoft, that will issue patches. The second point requires
extensive intramural activity to ascertain the software installed
on all machines.
It should not come as a surprise that several
enterprising companies have seen patch management as a business
opportunity and have used the power of computers and the Internet
to automate and simplify the patch management process. These
companies maintain constant contact with Microsoft and other
vendors, accumulating software patches onto one of their own
servers as the patches are issued. They also maintain contact
with an update server machine in each of their clients’ data
centers and from time to time download patches to those machines.
The client’s update server runs a piece of software
that performs the actual updating and patching of all of the
machines on the local network. That piece of software is provided
by the enterprising patch management company, of course, and
performs its updates based on some sort of inventory of all of
the software components installed on all of the attached machines.
There are two distinct approaches to taking and
maintaining machine-specific inventories. The first approach
requires that a small piece of agent software be installed on
all attached machines. The agents run unobtrusively in the background,
accumulating a profile of installed software. Then when it is
time to apply patches to the installed software, the update server
quickly downloads the patches to each machine and oversees their
installation, perhaps forcing a reboot of the system. The primary
advantage of the agent-based approach is that the time-consuming
work of inventorying a system is off-loaded to each system, utilizing
computing resources that otherwise would go to waste and also
minimizing network traffic. The disadvantage, although probably
not a great one, is that the agent is just one more piece of
software that must be installed, monitored, and kept current
on each machine on the network.
The second approach to taking an asset inventory
is agentless – nothing is installed on the networked machines,
and when it comes time to survey machines and determine who needs
what updates, it is all initiated from and run by the update
server. The advantage to this approach is that nothing need be
installed on the networked machines and the entire process is
centralized on a single centrally located server. The disadvantage
is that the process could create huge amounts of network traffic,
potentially having a severe impact on network performance.
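As an added illustration (not code from the newsletter or from any patch management vendor), here is a small model of the update server's job as described in the two points above and in the inventory discussion: match a patch catalog against the per-machine inventory that agents or an agentless scan report, skip patches that a newer patch supersedes, and record each install. Product names, version numbers and patch ids are constructed sample values.

```python
# Added example, not code from the newsletter: a minimal model of the update
# server's job -- match a patch catalog against per-machine inventory, drop
# superseded patches, record each install. All names/versions are constructed.
from dataclasses import dataclass

@dataclass
class Patch:
    patch_id: str
    product: str
    fixed_in: tuple         # first build that contains the fix
    supersedes: tuple = ()  # older patch ids this patch replaces

# Constructed catalog: P-2 replaces P-1 (the "patches in conflict" case).
CATALOG = [
    Patch("P-1", "SQLServer", (8, 0, 534)),
    Patch("P-2", "SQLServer", (8, 0, 636), supersedes=("P-1",)),
    Patch("P-3", "WorkstationOS", (5, 1, 3)),
]

# Constructed inventory as agents or an agentless scan would report it.
INVENTORY = {
    "db01": {"SQLServer": (8, 0, 384)},
    "db02": {"SQLServer": (8, 0, 636)},  # already current, nothing to do
    "ws17": {"WorkstationOS": (5, 1, 1), "SQLServer": (8, 0, 534)},
}

def needed_patches(inventory, catalog=CATALOG):
    """Return {host: [patch ids]} where the installed version is below the
    fix level, skipping any patch that a newer catalog entry supersedes."""
    superseded = {old for p in catalog for old in p.supersedes}
    plan = {}
    for host, installed in inventory.items():
        todo = [p.patch_id for p in catalog
                if p.patch_id not in superseded
                and installed.get(p.product) is not None
                and installed[p.product] < p.fixed_in]
        if todo:
            plan[host] = todo
    return plan

def apply_plan(inventory, plan, catalog=CATALOG):
    """Simulate installs: raise each host to the fix level and return an
    audit log of (host, patch_id) records, the 'recording' step above."""
    by_id = {p.patch_id: p for p in catalog}
    log = []
    for host, ids in plan.items():
        for pid in ids:
            inventory[host][by_id[pid].product] = by_id[pid].fixed_in
            log.append((host, pid))
    return log
```

Running needed_patches a second time after apply_plan returns an empty plan, which is the check an administrator wants before declaring the network patched.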
There are essentially 3 different ways to manage
the security patching process at your company (well, actually
4, if you think that Do Nothing is a reasonable response to the
threat). The most difficult approach, one that makes no sense
at all, would be to do all of the patch management yourself without
benefit of a patch management package. A more reasonable approach would
be to do it all yourself with the aid of one of the available
patch management programs; but this is a reasonable alternative
only if you or someone on your staff has both a moderately high
level of system administration expertise and the available time
to manage the entire process. The simplest approach for most
small to mid-sized businesses is to outsource patch management
to someone who specializes in the business, that is, someone
like Altenbernd Consulting.
How much will patch management cost? Well, the
actual dollar amounts can vary considerably, of course, depending
on a number of factors, such as the number of machines and software
packages involved, whether you are outsourcing the process or
doing it yourself, and which patch management package you choose.
But in general it is fair to say that the overall cost is modest,
especially when compared to the costs incurred by those who take
the easiest route and do nothing.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We can help
At Altenbernd Consulting we have an array of Security
Management Services, including a Security
Update Management service, that are designed to relieve you
of the burden of constant vigilance and protection. We can be
a single-point outsource for your network security needs. Call
us at (800) 557-7634. Or visit our Web site to learn more about
how we can help you: http://www.Altenbernd.Com.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++