The trouble with patches
A spate of recent computer attacks indicates that software fixes distributed after the fact cannot make the Internet safe, and are themselves too numerous and too burdensome to install.
From hackers theft of the Windows blueprints from Microsoft last October, to Russian gangsters robbery of thousands of credit-card numbers last week, to kids launch of a pro-Linux computer worm in January, security experts said these attacks all happened because someone did not update a system that should have been fixed.
The problem, anti-hacker Bruce Schneier said, is that almost no businesses install patches additional code written to plug security leaks as quickly as they are distributed. He counted 19 such fixes in the first week of March alone. "Its simply impossible to keep up," he said.
Schneier, chief technology officer at Counterpane Internet Security and author of the influential security newsletter Crypto-Gram
, is getting plenty of support for his position, even if it is sometimes qualified.
"Hes absolutely right," said Peter Neumann, principal scientist at SRI International and moderator of the computer RISKS forum. "Patches are fundamentally useless, especially in an environment in which there are more flaws in the system than there are patches, and typically more patches than there are system administrators to administer them."
Demanding better software is an obvious solution, but useless as long as companies compete over product cycles that are nine months or shorter, Schneier said. Instead, computer users should monitor their networks closely to detect intrusions before a hack reaches fruition.
Chris Wyscopal, research and development manager at security company @stake, said companies that host others Web sites are very vulnerable. "They will have hundreds and hundreds of machines running and theres just no way they can possibly keep them patched," he said.
Companies can avoid many problems by simply disabling some of the features that come with server software, Wyscopal said. That means assuring Web servers, for instance, cannot accept e-mail or transfer other files unless approved and monitored by the people in charge of them.
Marcus Ranum, president of NFR Security, said companies will soon be able to update PC software remotely, just as home users update Windows without a hitch. At that point, he said, network administrators biggest challenge would be knowing whether a PC can be updated without causing problems with software already installed.
Kawika Daguio, president of OS Crypto in Landover, Md., said businesses should learn from banks. Many of those, he said, concentrate on the most vulnerable computers and leave the rest for occasional software updates.
No one needs a perfectly secure system," Daguio said. "What they need is a system that is secure enough for the business they are in."