Patch as Patch Can

IT managers face challenges in implementing proactive security.

For overworked administrators, the weekly flood of patches for new vulnerabilities can quickly lead to a vicious cycle of trying to solve the latest crisis. In the end, it does little to enhance the security of their networks.

Every time news of a new flaw emerges, administrators must quickly decide whether any of the hundreds or thousands of systems theyre responsible for are affected by the problem, download the patch, test it and apply it as soon as possible. Any delay in this reaction could lead to a disastrous compromise of the companys network and all the embarrassment and finger pointing that go with such disasters.

In an effort to get out of this loop, administrators and security specialists are relying less on the band-aid approach of patches and are moving to a philosophy that encourages locking down servers and removing as many threat vectors as possible from the outset. The idea is to anticipate the most common types of vulnerabilities and take away those avenues into the network before an attacker finds them.

The concept of hardening publicly accessible machines is certainly not revolutionary; its been a common practice among security veterans for decades. However, the advent of the public Internet and the wave of demand it created for greater access to more applications, services and databases has opened up attack vectors developers never anticipated. That, coupled with corporate downsizings that have forced many administrators with little or no relevant experience into service as security specialists, has created a dangerous mix of overworked, undertrained staffs trying to stay ahead of attackers who are often better informed and equipped.

"Most people believe that you buy software and you install patches, and thats what security is," said Alan Paller, director of research at The SANS Institute, in Bethesda, Md. "But thats not what protects people. The big pressure should be on safe configuration. But there arent enough knowledgeable people to do it. Were adding 2 million named systems per month to the Internet, and were not producing 3 percent of the number of new admins we need to handle that."

A recent vulnerability incident points out the advantage that knowledge of secure configuration tactics can give administrators over those who simply wait for patches.

When Internet Security Systems Inc.s X-Force research team last month released an advisory warning of three newly discovered vulnerabilities in BIND (Berkeley Internet Name Domain), the advisory said that patches for the problems were ready and provided an e-mail address at the Internet Software Consortium from which users could request the patches. However, the patches at the time of the advisory were available only to organizations that had paid the ISC a fee to receive early warning of problems with BIND. The ISC, which maintains BIND, established a limited-distribution, early- notification mailing list last year when word of another batch of vulnerabilities leaked before patches were available.

Michael Brennen, president of FishNet Inc., a Plano, Texas, domain registrar, wrote to the ISC requesting the patches and asked why they had not been made available at the time of the advisory. The ISC told him it wanted to make sure that the right audience had the patches first. "As of the moment of the announcement, the right audience should be expanded to include all those placed at risk because they use the software," Brennen wrote. "Failure to make the patches available suddenly puts many systems at rapidly increasing risk."

However, even without the patches, the BIND vulnerabilities can be almost completely mitigated using common secure configuration techniques. But such techniques are difficult to implement without advanced training, experts say. And many administrators dont have the requisite knowledge, so they end up relying on patches to fix the problem.

"Patches are, by their nature, merely reactive. Sometimes, a patch is not available until many days after a new virus, worm [or] exploit tool has already been making the rounds," said Jason Fossen, founder of Dallas-based Fossen Networking and Security, a consultancy that provides network security analysis. "To make a bastion host of ones Web server, on the other hand, is not merely to apply all the latest patches but also to try and anticipate vulnerabilities that have not been discovered yet. This means stripping away all the options, services, drivers, bindings and features that are not needed and then hardening whats left over."

But such training can be expensive and in a down economy is often not the top priority for companies trying to stretch IT budgets as far as possible. "Corporate management is what makes or breaks network security, not the IT staff," Fossen said. "If management doesnt believe in the importance of network security or understand even the basic terms of the issues involved, then there will be insufficient support for the IT staff; insufficient software, hardware and training funds; and insufficient organizationwide motivation to do anything about the problem."