Patch me if you can

As the number of remote and mobile workers across all sectors continues to grow, so too does the challenge of guarding corporate networks against worms, viruses and other forms of security attacks.

The recent Zotob worm outbreak, which brought down computer systems across North America last month, gave companies barely a week to test and deploy the Microsoft-issued patch before a worm exploiting the vulnerability was circulating.

Keeping up to date with the latest patches is one of several key challenges facing enterprises today. That’s why having a solid patching strategy has become increasingly critical in recent years, experts say.

“One of the biggest pitfalls in patch management over the last couple of years is, unlike anti-virus software, when you’re patching a system you need to be sure that it’s been tested up against your standard operating system environment for the company,” said Thom Bailey, director of product management at Symantec Corp.’s enterprise administration unit. “It’s becoming a challenge for large organizations to see how they can turn those patches around in the quality assurance process or in the test.”

Twenty-four hours after the Zotob worm hit, London Health Sciences Centre (LHSC) had most of its machines patched, said Peter Gilbert, director of information technology services at the southwestern Ontario hospital.

“We have a fairly large population of thin clients in our clinical areas that are immune from viruses or, worst case, the virus will trigger a reboot,” said Gilbert. “Our firewall has been fairly effective but where we have difficulty is when a virus is introduced internally by somebody who’s brought a laptop, or a memory stick, from home.”

Likewise, Wurth Canada Ltd., which sells fasteners and assembly materials such as screws, was not affected by the worm because its ERP application runs on an IBM mid-range system under AIX, leaving it largely insulated from Windows-targeted malware, according to company IT manager Richard Kipin.

“The only thing patches would affect is if somebody couldn’t access a spreadsheet or Word document,” said Kipin.

Despite dodging worms like Zotob, Kipin has to contend with members of Wurth's 250-strong mobile sales force who have been known to turn off the corporate Symantec anti-virus software installed on their machines.

“Some of them don’t want their systems updating all the time and can’t be bothered waiting for things to happen,” said Kipin. “That is a bit of a problem and I’m sure it’s a bit of a problem for everybody that has a remote workforce.”

Wurth recently upgraded 95 per cent of its sales team to Dell machines running the latest editions of Microsoft Windows XP Pro and Symantec AntiVirus. Users are not permitted to install new software applications or device drivers, even for printers, Kipin added.

Situations like this are making patch management — or what is now being referred to as vulnerability management — even more complicated for organizations with a remote or mobile workforce, said Deloitte IT security practitioner Simon Tang. Employees who work from home, for example, often use personal computers, in which case the software is owned by the employee and not the organization.

“As long as a machine or computer is connecting to the internal corporate network they should be subject to the same standard,” said Tang. “The technology has been available for a long time to deploy patches to remote machines.”

This, however, raises questions about who has the authority to install patches on such a machine and whether the company has verified that the employee’s system is legitimate.

“You can’t really force a patch on a home machine because they have to do testing for their own software,” said Gilbert. “If we could push Microsoft patches to them we would but they’re not Microsoft-owned assets.”

LHSC uses both VPN and Citrix-based remote access, protected by RSA two-factor authentication tokens, for employees connecting from their home machines. The hospital also gives them a copy of its anti-virus software to install, which directs them to the vendor’s site for the latest signature files. Wurth likewise uses RSA technology to lock down access to WurthNet, its portal where sales reps can check prices and stock availability of items, for example.

“We are using RSA SecurID because it’s more important that we know who is coming into it as opposed to the information that’s there,” said Kipin.

Having scanning technology to detect if there’s a new vulnerability is one of several best practices that companies should have in place when developing a patching strategy, said Bailey.

“Like anti-virus, patch scanning needs the active content. It needs to know the list of known vulnerabilities,” he said. “Having a piece of software that can kick off a scan and, whenever available, ensure that it’s running the latest scanning software, so that at corporate headquarters they’re aware of the vulnerabilities.”

Deloitte’s Tang, however, warns that securing the endpoint perimeter of a corporate network remains one of the more difficult tasks for organizations.

“Typically the remote workforce tends to be weaker because a lot of the times their systems don’t get updated as often as other systems do,” he said.

Both Tang and Symantec’s Bailey also recommend companies conduct some kind of security and vulnerability assessment, which LHSC does annually. During a recent audit, for example, the hospital discovered that some machines had been put on its network without the IT staff’s knowledge. The audit also found machines registered on the network as printers.

“A company should have a very good idea about their IT assets and then they should have a very good data classification,” said Tang. “They should know what systems ought to be protected. It’s a lot easier to deploy patches on 20 critical servers. Then they can roll it into the medium risk classification and then into the general population.”
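The two findings above, unknown hosts turning up in an audit and a rollout ordered by asset classification, combine naturally into one gated procedure. The following is an added illustration, not code from LHSC, Deloitte or any vendor in the article: the inventory, the hosts "seen" by a scan, the build numbers and the fixed-in build are all constructed, and the version comparison is simplified to dotted integers (real scanners carry vendor-specific logic). A host is scheduled only if it is inventoried, reachable and still below the fixed build; each wave may start only once the previous wave has been verified.

```python
# Added example of a staged patch rollout with inventory reconciliation.
# Not code from any organisation named in the article; all data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Rollout order as described in the text: critical servers first, then medium, then everyone else.
TIER_ORDER = ("critical", "medium", "general")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version only (simplification for the example)."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A host is vulnerable when its installed build predates the build that carries the fix."""
    return parse_version(installed) < parse_version(fixed_in)


@dataclass
class Asset:
    host: str
    tier: str      # one of TIER_ORDER
    version: str   # installed build of the affected component, as reported by the scanner


@dataclass
class RolloutPlan:
    waves: List[List[str]]      # ordered groups of hosts to patch
    unknown_hosts: List[str]    # seen on the network but not in inventory: investigate, cannot schedule
    offline_hosts: List[str]    # in inventory but not seen by the scan: still unpatched, re-scan later


def reconcile(inventory: Dict[str, Asset], seen: Set[str]) -> Tuple[List[str], List[str]]:
    """Compare what the scan saw with what the inventory says should exist (the audit finding)."""
    unknown = sorted(seen - set(inventory))
    offline = sorted(set(inventory) - seen)
    return unknown, offline


def plan_rollout(inventory: Dict[str, Asset], seen: Set[str], fixed_in: str) -> RolloutPlan:
    """Build rollout waves by tier, scheduling only reachable, inventoried, still-vulnerable hosts."""
    unknown, offline = reconcile(inventory, seen)
    waves: List[List[str]] = []
    for tier in TIER_ORDER:
        wave = sorted(
            a.host for a in inventory.values()
            if a.tier == tier and a.host in seen and is_vulnerable(a.version, fixed_in)
        )
        if wave:
            waves.append(wave)
    return RolloutPlan(waves, unknown, offline)


def may_start_wave(plan: RolloutPlan, index: int, verified: Dict[str, bool],
                   min_success: float = 1.0) -> bool:
    """Gate wave `index` on verification of the wave before it (default: every host must pass)."""
    if index == 0:
        return True
    if index >= len(plan.waves):
        return False
    previous = plan.waves[index - 1]
    passed = sum(1 for h in previous if verified.get(h, False))
    return passed / len(previous) >= min_success


# Constructed sample data: db02 is already at the fixed build, ws-102 was not seen by the scan,
# and printer-7 answered on the network but is in nobody's inventory.
SAMPLE_INVENTORY = {a.host: a for a in [
    Asset("db01", "critical", "5.0.2195"),
    Asset("db02", "critical", "5.0.2200"),
    Asset("app01", "medium", "5.0.2195"),
    Asset("ws-101", "general", "5.0.2195"),
    Asset("ws-102", "general", "5.0.2195"),
]}
SAMPLE_SEEN = {"db01", "db02", "app01", "ws-101", "printer-7"}
FIXED_IN = "5.0.2200"  # constructed: builds below this are treated as vulnerable

if __name__ == "__main__":
    plan = plan_rollout(SAMPLE_INVENTORY, SAMPLE_SEEN, FIXED_IN)
    print("waves:", plan.waves)
    print("unknown hosts to investigate:", plan.unknown_hosts)
    print("offline hosts to re-scan:", plan.offline_hosts)
    print("wave 1 may start after db01 verified:", may_start_wave(plan, 1, {"db01": True}))
```

The unknown-host list is the output that matters most for the audit case: a device that answers on the network but is in no inventory cannot be classified, so it cannot be placed in any wave, and has to be identified before it is either enrolled or removed.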

Despite all of these preventive measures and the availability of automated patch deployment tools such as Microsoft’s Systems Management Server, Gilbert said verifying a patch remains a manual effort.

“Work needs to be done to shorten the validation life cycle as much as possible without putting any of the applications at undue risk,” said Gilbert. “We would need a lot more time to test a patch given all the different machine types and configurations in the hospital. Finding a way to validate that automation process would be a big gain for us.”

Tang suggests companies can save time by deploying a patch to a development system and running compatibility tests there in real time. Most businesses aren’t doing this, he added, because of a lack of resources and because of the compatibility problems themselves.

“It’s the patch or not to patch issue,” said Tang. Another option is to use virtualization software to replicate an organization’s device configurations, said Bailey.

“They can run these 24-7 and apply software up against it,” he said. “They don’t have to worry about keeping a quality assurance lab of all the hardware sets. They can replicate that virtually.”
