Smart Vulnerability Management
By Jodi Mardesich
When the worm Blaster hit the Internet last year, many companies were devastated, experiencing downtime and loss of productivity. The worm had been designed to take advantage of a security hole in Microsoft Windows, and wherever it found that hole, it slipped right through, triggering a denial of service attack.
Not all companies using Microsoft Windows were impacted, however. Those organizations whose CIOs had updated their operating systems in a timely fashion were not vulnerable to Blaster. The episode demonstrates the business-critical necessity of assessing vulnerabilities frequently and proactively shoring up system weaknesses as they are discovered.
Though Blaster is becoming a distant memory for many CIOs, malicious hackers continue to take advantage of system vulnerabilities, which are being discovered at the rate of about seven per day, security experts say. The attacks can be costly, too. Last June, for example, hackers exploited a flaw in Microsoft's Internet Information Server and redirected visitors from many commerce and banking sites to a Russian Web site, where sensitive and private customer data was gathered.
The pressure to keep up with software updates has increased. In the past six months, the time between the disclosure of a system flaw and the release of code that exploits it has dropped to less than a week. One worm, called Witty, surfaced just two days after the vulnerability it exploited was made public. The likelihood of damage becomes greater when holes are found in widely deployed operating systems and applications. A smart approach to vulnerability management is essential to thwarting potential attacks and maintaining business continuity.
- Assess Weaknesses. Vulnerability assessment is a process whereby IT professionals make an inventory of their software and hardware assets, track patches and software updates, and manage the deployment of patches and fixes that can prevent potentially devastating attacks. It is not enough to identify vulnerabilities; smart CIOs should define a process for discovering, prioritizing and managing fixes across a large organization.
- Make an Inventory. Identify the computers, operating systems and applications on the network, and the versions of each of these components. Find out which have been patched or updated, and how recently. Such an inventory records the status of every part of the infrastructure, establishing a baseline before updates are deployed.
- Assess Systems. Determine what needs to be done to protect the network. This process includes identifying security standards and creating policies for how security and standards should be enforced. It also includes periodic scans of the system, checking for viruses and monitoring event logs for intrusion attempts.
- Keep Current. Knowledge is everything. Scan Web sites and news sources, and sign up for e-mail notification from vendors to be educated on new threats or weaknesses that could be exploited.
- Educate Staff. Make sure personnel are educated about the company's policies on vulnerability assessment and patch deployment, and that there are sufficient personnel in place to implement strategies.
Patch Management
No vulnerability assessment strategy is complete without an element of patch management. This task requires IT professionals to be informed of the patches that are available, determine which are important to the company to fix, prioritize rolling out the fixes that are necessary and prudent, and do so with the minimum disruption to the day-to-day business. Both applications and operating systems vendors release code to patch security holes in their programs when weaknesses are identified.
The management of patch deployment has become more than an afterthought; it is an essential business practice. More CIOs are choosing to install applications that automate the deployment of patches. Vendors offering such software also track patches and fixes, lessening the burden on corporate IT to do all the research. Whether automation is involved or not, CIOs must make patch management processes a regular part of their vulnerability management strategies by taking the following steps:
- Do a periodic audit. Find out which updates have been installed, and which haven't. Check the results for completeness.
- Perform ongoing patch updates. An audit alone isn't enough; new vulnerabilities are discovered often, as are the patches that address them. Set an appropriate interval for audits, and set deadlines for completing each one.
- Set priorities. Determine which fixes are necessary and prudent, keeping business processes top of mind.
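The inventory and audit steps above (Make an Inventory, Do a periodic audit, Set priorities) describe what a patch audit has to do but not how it turns an inventory into a ranked to-do list. The following is an added example, not code from the article or from any vendor product: it compares a constructed software inventory against a constructed list of vendor advisories, reports which hosts are missing which fixes, ranks the backlog by a simple risk heuristic, and reports audit coverage as the completeness check. The host names, product names, version numbers, advisory identifiers and scoring weights are all assumptions chosen for illustration.

```python
"""Patch-audit prioritizer (added example; all data below is constructed)."""

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Advisory:
    patch_id: str          # vendor advisory identifier (constructed placeholder)
    product: str           # product the advisory applies to
    fixed_version: str     # first version that contains the fix
    severity: int          # 1 (low) .. 10 (critical), assumed scale
    published: date        # date the vendor published the fix
    exploit_public: bool   # whether exploit code is known to circulate


@dataclass
class Host:
    name: str
    role: str                                   # e.g. "web", "workstation"
    internet_facing: bool
    installed: dict = field(default_factory=dict)  # product -> installed version


def version_tuple(v: str) -> tuple:
    """Turn '5.0.12' into (5, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def missing_patches(host: Host, advisories: list) -> list:
    """Advisories that apply to this host and whose fix is not yet installed."""
    out = []
    for adv in advisories:
        ver = host.installed.get(adv.product)
        if ver is None:
            continue  # product not present on this host: advisory does not apply
        if version_tuple(ver) < version_tuple(adv.fixed_version):
            out.append(adv)
    return out


def risk_score(host: Host, adv: Advisory, today: date) -> int:
    """Ranking heuristic: severity, exposure, exploit availability and patch age.
    The weights are assumptions for illustration, not a vendor or industry standard."""
    score = adv.severity
    if host.internet_facing:
        score += 3
    if adv.exploit_public:
        score += 3
    age_days = (today - adv.published).days
    score += min(age_days // 7, 4)   # each week left unpatched adds urgency, capped
    return score


def audit(hosts: list, advisories: list, today: date) -> list:
    """'Do a periodic audit' + 'Set priorities': (score, host, patch) rows, highest risk first."""
    rows = []
    for h in hosts:
        for adv in missing_patches(h, advisories):
            rows.append((risk_score(h, adv, today), h.name, adv.patch_id))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def coverage(hosts: list, advisories: list) -> float:
    """Fraction of applicable (host, advisory) pairs already patched: the completeness check."""
    applicable = patched = 0
    for h in hosts:
        for adv in advisories:
            ver = h.installed.get(adv.product)
            if ver is None:
                continue
            applicable += 1
            if version_tuple(ver) >= version_tuple(adv.fixed_version):
                patched += 1
    return patched / applicable if applicable else 1.0


# Constructed sample advisories and inventory (not real products or patches).
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.1", 9, date(2004, 6, 1), True),
    Advisory("ADV-0002", "mailclient", "7.2.0", 6, date(2004, 7, 20), False),
    Advisory("ADV-0003", "os", "5.1.3", 8, date(2004, 7, 1), True),
]
HOSTS = [
    Host("dmz-web-01", "web", True, {"os": "5.1.3", "webserver": "2.3.9"}),
    Host("wks-042", "workstation", False, {"os": "5.1.2", "mailclient": "7.1.5"}),
    Host("wks-043", "workstation", False, {"os": "5.1.3", "mailclient": "7.2.0"}),
]
TODAY = date(2004, 8, 1)

if __name__ == "__main__":
    for score, host, patch in audit(HOSTS, ADVISORIES, TODAY):
        print(f"{score:3d}  {host:12s}  {patch}")
    print(f"coverage: {coverage(HOSTS, ADVISORIES):.0%}")
```

Run as written, the audit puts the Internet-facing web server's missing fix for an advisory with public exploit code at the top of the list, then the workstation's missing operating system fix, and the low-severity mail client update last, with coverage at 50% of applicable host/advisory pairs. The coverage figure is what "check the results for completeness" looks like as a number that can be tracked from one audit interval to the next.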
Without an effective patch management strategy, corporations can suffer computer downtime, interrupting critical business systems and costing the company both dollars and credibility. A strategic approach to patch management helps the CIO maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of the corporate environment.
These costly assaults on corporate networks can be avoided with a proactive strategy that combines the assessment of system vulnerabilities and the management of software patch deployment. According to US-CERT, which publishes a database of vulnerabilities, understanding and preparing for potential security problems enables businesses to maintain secure computing environments.
Jodi Mardesich writes about business and is a former staff writer for Fortune.