Shoddy patching invites more breaches

The time it takes hackers to exploit a software vulnerability is shrinking, and IT departments are already finding it difficult to keep up with the deployment of necessary patches.

Though a patch exists for it — and has existed for more than 18 months — the Slammer worm isn’t going away. For the second year in a row, it was ranked No. 1 in Symantec Corp.’s yearly roundup of worms and viruses responsible for attacks.

In the first six months of 2004, Slammer accounted for 15 per cent of attacks on IP addresses. This shows organizations either aren’t properly patching their systems or, if they are patching, are missing some systems within their confines, says Michael Murphy, Symantec’s Toronto-based Canadian general manager.

“It’s very difficult for a lot of organizations to consistently apply patches to every single server or machine in their organization,” agrees Gartner Inc. analyst Arabella Hallawell.

This is a concern as Symantec’s Internet Security Threat Report also found that the amount of time it takes for hackers and crackers to exploit a vulnerability once it has been discovered has dropped from seven to 5.8 days.

“Corporations have very little capability to patch systems or even discover systems that need to be patched,” Murphy says.

Not only is there a shortage of skills and security professionals in Canada, he says, but IT workers are “overwhelmed” by the sheer variety of the computing systems under their care and the complexity of threats.

Further complicating matters is the existence of rogue systems that employees bring into a company, Murphy says.

There were 1,237 new vulnerabilities between Jan. 1 and June 30, which means organizations have to deal with an average of almost seven new vulnerabilities per day. More than 70 per cent of these new vulnerabilities are considered easy to exploit, the report found.

Furthermore, 96 per cent of the vulnerabilities represent either a moderately or highly severe threat. Symantec defines moderately severe threats as those that give an attacker enough access to a system to compromise or damage it, and highly severe threats as those which provide full system or administrative access.

Symantec documented 4,496 new Windows-based viruses and worms in the six-month period of the study. That represents an increase of 4.5 from the same period a year ago.

Also on the rise are threats from Gaobot and its variants — to the tune of a 600 per cent increase over the past six months, the report found. “That’s an alarming rate of growth,” Murphy says.

The intention behind attacks is changing from individuals seeking bragging rights and notoriety to attacks motivated by monetary gain, he says.

Canada ranked in the top five in terms of attacks originating within our borders because it has a high adoption of broadband, Murphy says.

IDC Canada’s research echoes Symantec’s study. The analyst firm has also found the length of time it takes for hackers to exploit a vulnerability is decreasing, says David Senf, a senior analyst at IDC Canada in Toronto. And organizations aren’t applying the patches within a reasonable length of time, he says.

This is despite the fact that more than 80 per cent of Canadian organizations say they are seeing a loss of business productivity due to security breaches, he says. “They’re not calculating the cost and understanding what it means.”

IDC recommends a six-step patch management process for organizations, most of which do not have an end-to-end systematic approach, Senf says. First, organizations must lay the foundation by surveying all their assets. Second, companies must assess which systems need patching and whether there is an automated patching process available from an authentic source. Third, organizations need to assess and test available patches.

Fourth, organizations need to have a rollback plan for patches — a contingency plan they can put into effect if a patch causes unforeseen damage. Fifth, organizations should roll out patches in predefined schedules using best practices. Lastly, IDC recommends validation reporting and logging. Organizations should regularly review their log files, Senf says.
