Managing Updates, Patches & Security Fixes
In the past three or four months, various worms such as Blaster, SoBig, Nachi, and Welchia have hammered home the importance of downloading and installing critical security updates sooner rather than later. Of the 600,000 to 1M Blaster infections reported, experts believe that half the system administrators whose systems were hit knew about the problem, and about availability of patches. It seems these hard-working IT professionals simply put off installing them, waiting for an opportune moment, or for the next regularly-scheduled update cycle. As those folks learned to their horror and consternation, those who write code to exploit known vulnerabilities aren’t always subject to similar delays. By beating those poor administrators to the punch, so to speak, attackers were able to exploit vulnerabilities they shouldn’t have been able to touch.
Nevertheless, it’s hard not to sympathize with busy IT administrators, especially when rolling out updates or patches can involve hundreds to thousands of systems. To that end, Microsoft is working on various improvements to its update releases and deployment technologies, and plans to bundle up monthly security bulletins (the first one was released the week of October 15) and release media (development is underway) to help admins roll out such necessary updates. The company’s systems management tools, from Software Update Services (SUS) to Systems Management Server (SMS), are being retooled to smooth out patch deployment, as are similar tools from third parties.
In the meantime, commonsense application of priorities and defenses can help prevent or limit potential vulnerability and exposure. By concentrating on perimeter systems, and all systems exposed to the Internet, administrators can roll out a smaller number of patches to such systems and eliminate vulnerabilities on them. Likewise, proper deployment and use of firewalls or screening routers (blocking TCP and UDP port 135 would have sufficed to foil most of the vulnerability from the aforementioned worms) can limit outsiders’ abilities to foist attacks on systems. In the same vein, mobile workers should have personal firewalls on their systems (to protect them from attack) and should also use VPN or similar remote access technologies to access internal networks (to prevent snooping or sniffing from revealing account names, passwords, and other sensitive data). Properly trained staff can even be instructed to install such patches themselves (Microsoft’s Web-based Windows Update makes this pretty straightforward for those with a modicum of technical know-how), if other options suggested here don’t apply.
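Blocking port 135 at the perimeter also gives you a log of who is knocking. As an added example (not from the article), the script below reads constructed netfilter-style firewall log lines and reports any source that probes TCP or UDP port 135 across several hosts, the sweep pattern the worms above produced; the log format, addresses and the three-host threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables/netfilter-style log format
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Oct 16 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4312 DPT=135
Oct 16 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=4313 DPT=135
Oct 16 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=4314 DPT=135
Oct 16 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=4315 DPT=135
Oct 16 03:12:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443
Oct 16 03:12:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=UDP SPT=1029 DPT=135
Oct 16 03:12:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP SPT=4316 DPT=135
"""

# Pull the fields we need; SPT sits between PROTO and DPT, hence the lazy .*?
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Yield (src, dst, proto, dport) for every line that matches the log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def rpc_sweeps(log_text, min_targets=3):
    """Map each source that hit port 135 (TCP or UDP) on at least
    min_targets distinct hosts to the sorted list of those hosts."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        if dport == 135 and proto in ("TCP", "UDP"):
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in rpc_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed port 135 on {len(hosts)} hosts: {', '.join(hosts)}")
```

A single source touching port 135 on one host (192.0.2.44 above) is ordinary noise once the port is blocked; a source walking an address range is the signal worth paging someone about.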
Until technology is available to support fast and easy rollout of critical security patches on demand, savvy IT professionals must figure out ways to head trouble off before it comes knocking on their networks and systems. Careful thought and consideration of local working conditions, staff abilities, and application of best security principles and practices for protecting exposed systems can foil most documented exploits. Put your thinking cap on, and see how you can work within your current situation to get the word out, protect vulnerable systems, and block access to internal networks.