Vulnerability-assessment firm Qualys supported the statements, made during a panel discussion at the RSA Security Conference, with data culled from monitoring its clients' networks. The data, collected over two years, shows that it takes a month to cut by half the number of vulnerable computers connected to the Internet.
That's far too long to wait to fix the worst security flaws, said Gerhard Eschelbeck, chief technology officer and vice president of engineering for Qualys.
"What the data is telling us today is that we have a cycle of fixing vulnerabilities... that leaves up open to significant exposure," he said. "We need to make every possible effort to shorten the cycle."
The data and concerns spotlight a constant source of pain for corporate security professionals: much of a company's security relies on patching software flaws, but applying such fixes to critical systems takes time, leaving the systems vulnerable. The large number of systems vulnerable to the Slammer worm, which took advantage of a six-month-old flaw, underscores the issue, as does the MSBlast epidemic last August.
Microsoft announced in October that its quest to convince customers to regularly patch to secure software had largely failed. The company decided to revamp its patching systems, limit the release of fixes to once a month, and augment the upgrades with several other security initiatives aimed at locking down its customers' network perimeters.
The move to monthly patches got mixed reviews among the panel of experts.
"When Microsoft was sending out a lot of critical vulnerabilities, it got to the point where it was like the boy crying wolf," said Phillip Harris, vice president of information security for supermarket chain Safeway. "Instead of crying wolf all the time, they are crying wolf once a month."
He added that Microsoft's focus on delivering predictable upgrade intervals could work to the advantage of underground vandals and would-be attackers looking for a weakness in a company's systems. While Microsoft waits to perfect a patch, a company could be left vulnerable to an attacker that had already figured out the flaw.
"The people that are exploiting these vulnerabilities are not working on a schedule," Harris stressed.
However, another security executive said that the focus on taking time to produce problem-free patches should go a long way toward making it easier for companies to roll out the fixes quickly. Today, corporate security teams frequently find themselves testing the fixes to make sure that they don't break any critical business applications, said Dennis Devlin, vice president and corporate security officer for The Thomson Corporation, a business information provider.
"The best practice in [patching] comes from the Hippocratic Oath: do no harm," he said. "As long as the patches don't harm the systems, then they are good."
However, companies should also demand more from their software makers, said Mary Ann Davidson, chief security officer for database software maker Oracle. Developers need to start focusing, as Microsoft has done with its Trustworthy Computing Initiative, on changing development procedures to eliminate flaws, she said.
"I tell people to get out their pitchforks and firebrands," Davidson said. "You spend a lot of money on software, so you should get good software."
Davidson said one way to enforce better software practices is for the government to fund open-source tools to scan code for common security problems during development. Then, federal agencies could make it mandatory for their suppliers to use the tools and audit their code, she said.
Relying on private companies to fix the problem doesn't seem to work, Davidson said.
"Venture capitalists would much rather fund Band-Aid companies than vaccine companies," she said.
But for now, companies still have to work out how to find the flaws in the wide variety of computers that form the backbone of their business. The problem is daunting to say the least, said Safeway's Harris.
"At times I feel that we are being managed by the problem, instead of managing the problem," he said.
Talkback
It's simple - something which AV vendors (such as NAI) have been doing for ages.
1. Have a server based Windows/Office Update program to schedule download the patch/fixes
2. Have client pc's schedule to download and install patches/fixes from the server, thus reducing the requirement for a new download each and everytime.
Simplicity.
the problem is that the patches sometimes cause problems with applications. Just pushing it out from a server isnt going to work, some patches prevent other apps from working or change the config. Anti-virus servers only update filesthat the applications uses they dont change how the system works and doesnt update security vulnerablilities. Patches change how the OS works which is where the problem lies.
"I tell people to get out their pitchforks and firebrands," Davidson said. "You spend a lot of money on software, so you should get good software."
No Ms. Davidson, you spend enormous amounts of money on ORACLE software!
The company I work for migrated from Windows XP-Pro to MacOS-X some months back for this very reason. The owner finally detemined the need for constant updates to our Windows boxes and the endless barrage of worms and such wasn't worth it anymore.
While the Windows boxes served us well for years, I must say that we're all impressed with OS-X. Especially our IT gal. Yes. I said, gal.
She uses a tool called Apple Remote Desktop which makes updating all our computers a snap. Using this application, she can update every computer in the building from a single computer all at the same time. We go home at the end of the day and when we return the next morning, , all 300+ computers are up to date.
I don't know much about this product, but from what she's told me, she can do much more than just updates to the OS.
Anyway, Now that the company has moved to Apple, I'm considering getting one for home too. Like everyone else at work, I'm rather impressd by these machines.
what an incredulous claim Mary Ann Davidson makes. with all due respect, to make scans for common flaws mandatory makes absolutely no difference to the biggest software flaws we find today. the flaws exploited nowadays are increasingly obscure. little things like the way the address bar processes URLs. i wonder what sort of security scan could detect THAT--something that's really not a flaw, but can be exploited. you need humans to do such things, and face it, the fact is, some problems will remain no matter what you do.
on another point, about moving to Mac OS X, if that was based solely on security, then it's a waste of money. patching windows is not difficult at all. with the recent linux root access flaws, i wonder if OS X is truly that secure (since it is unix-based). or if people just havent begun noticing it yet.