Experts said the rapid spread of the Remote Procedure Call (RPC) worm last week provides a textbook case of why enterprises need to take a layered approach to security management.
Companies today are no longer threatened by classic viruses, but rather with blended threats, said Mark Nicolett, vice president and research area leader at Gartner Inc., a Stamford, Conn., consulting firm. Therefore, they cannot rely solely on antivirus software or patching.
Since there are a variety of methods that malicious code uses to propagate itself, enterprises need a layered approach. "We are advising clients to have a program in place that periodically installs service packs and bundles of patches," he said.
Nicolett said enterprise customers can't get too far behind in terms of their maintenance chores, and he advises customers to make small updates rather than holding off for larger ones.
In mid-July, Microsoft alerted users to the RPC vulnerability and issued two strong recommendations for users to patch. Microsoft identified the worm, also known as Lovesan, Blaster and MSBlast, on Aug. 11.
Plenty of customers were caught flat-footed by the worm, but those who responded to Microsoft's two alerts were in good shape. Barton Malow Co., a Southfield, Mich., construction company, had recently purchased a patch management system, but even before installing the software it had used a thorough security plan.
Paul Johnson, a chief network engineer at Barton Malow, said that he and his team reviewed the vulnerability and quickly tested Microsoft's patch, which was pushed out first to servers and then to workstations using patch management software made by Altiris Inc., Lindon, Utah
"We manage about 1,300 systems, and in the four or five days since the worm hit, we only had four or five computers affected," Johnson said.
Nicolett recommended that companies decide in advance how they will handle an exposure early on -- when the vulnerability is discovered and a patch becomes available. In the case of the Lovsan worm, the evolution of the threat was well documented. The exploit was published and Microsoft issued two warnings.
If this happens, it's not the time to place the patch in a bundle to be distributed in three months, he said. "In this case, it was clear that probing had begun, so the priority gets raised," Nicolett said.
But what often slows down the patching process is that many large companies have a number of systems, and patches must be quality tested before they are applied. Nicolett said companies can also shield and block when there is evidence of an exploit and it's clear which ports and services are involved.
Using this strategy, customers can determine whether they are letting traffic through on those particular ports and whether they can be shut down. For some companies, there is no reason for the particular ports in question to be open. For others, there are valid reasons.
Customers also often don't patch because they are inundated with so many security updates that the volume of information has a numbing effect. "With the flood of e-mail, it all gets lost in the roar," said Barton Malow's Johnson.
With this worm, Microsoft made a point of sending out more warning e-mails than normal, which caught the attention of administrators at Barton Malow. Because of this, the company ensured there was no lag time in getting the patch out to its servers.
Apart from the need to test patches for quality, there are other reasons that customers don't react right away. The time between the announcement of a vulnerability, the assessment of its importance and patch deployment cycle has sped up so much that a quick response is often difficult.
"You often don't have time, the way these things spread," said Douglas Spindler, project rollout coordinator at Ernest Orlando Lawrence Berkeley National Laboratory, Berkeley, Calif.
With vulnerability alerts and patches coming fast and furious, many companies don't have the staff to do the patching. Small and medium-sized companies don't have people who are designated for that purpose, said Rod Trent, an IT consultant and president of MyITForum.com, a Web community devoted to Windows manageability. Large companies shouldn't have that excuse, but often it has to do with not getting management "buy-in" from senior executives.
FOR MORE INFORMATION:
Article: Lovsan made some pay dearly
Best Web Links: Security