Last summer, Canaccord Capital fell victim to an incident most companies spend a fortune trying to avoid. A virus wormed its way through the multi-national investment firm’s 2,000 desktops and 180 servers. The damage was extensive, says Scott Collins, the company’s Vancouver-based manager of technology
“The Slammer virus hit us hard,” says Collins. “It went on for days, but we haven’t been hit since, and I won’t even knock on wood because we now have wicked anti-virus software running.”
Getting nailed by Slammer wasn’t a huge surprise, says Collins, considering Canaccord’s “fly by wire” patch management process.
“I started (with the company) 14 months ago and for months, I didn’t see a lot of patching going on,” he says. “Most of the time it was hands-off; people didn’t want to touch the systems because they were afraid of applications breaking as they installed the patches.”
Essentially, the multinational firm was caught in a security Catch 22: It had fallen behind on implementing service packs, and couldn’t install patches until its service packs were addressed. And that’s when Slammer hit.
Patching things up for protection
The lesson was a tough one, says Collins, but he’s confident the company now has a system in place that offers infinitely better protection.
One of the first tasks Collins undertook in fine-tuning the company’s patch management methodology, he says, was to get executive buy-in to a new way of doing things, which he admits was a relative no-brainer on the heels of Slammer.
“We realized patching is a monumental task, and we also realized we had to come up with an ongoing process for doing it,” says Collins.
Ironically, Collins and some of his staff attended a Microsoft-sponsored seminar on patch management just prior to the virus attack. He says he was impressed with the step-by-step process Microsoft laid out for doing quality assurance (QA) for patching.
“It helped us huge with setting up a process for identifying a patch, QA-ing it, putting it into a test production environment and then a full production environment,” he says.
Now, Canaccord has a “communications hub” for patch management, one IT point person who culls together all the security bulletins, for Microsoft and all other software vendors. He then communicates that information to department heads within the company.
“We send out an e-mail, which Microsoft has structured and we fill in the blanks,” says Collins. “We explain the risk, the impact if we don’t patch, the impact of applying the patch, dependent systems, if we install the patch and it blows up, what happens?”
The result: a process that used to take “20-odd days” has now been slashed to about five.
For its part, Microsoft says it wants to be seen as solving security problems, not creating them, as has been its reputation in the past couple of years. The company is investing a “huge portion” of its US$6 billion research and development budget to secure its software and offer a better defence to customers. Part of that strategy will include locking down its software and thereby making it more resilient to attack.
“We want systems that can almost protect themselves,” says Carol Terentiak, Microsoft Canada’s security strategy and response manager. “We’re better off to lock it down and have the user go in and open up the features they need.”
Going forward, Terentiak says what’s needed are dynamic systems that will recognize which applications are in play and be able to offer the appropriate protection on the fly.
“That’s the direction we’re putting a lot of focus on: blocking bad behavior and allowing good behavior,” she says.
Collins applauds Microsoft’s secure computing initiative, and says he’s especially pleased with the prospect of being able to apply patches without rebooting the OS.
“They’ve gone from trust everyone to trust no one,” he says.