Last week's W32.Blaster worm, which affected thousands of computers worldwide running Windows operating systems, highlighted the enormous challenge companies face in keeping their systems up to date with patches for vulnerabilities, users say.
Companies that, ahead of Blaster's rampage, had installed Microsoft's patch for a flaw identified last month say they felt no effect from the worm. But the seemingly constant work involved in guarding against such worms is becoming a burden that could prove unsustainable over time, users say.
"The thing about patching is that it is so darn reactive. And that can kill you," says Dave Jahne, a senior security analyst at Phoenix-based Banner Health System, which runs 22 hospitals.
"You need to literally drop everything else to go take care of [patching]. And the reality is, we only have a finite amount of resources" to do that, Jahne says.
Banner had to patch more than 500 servers and ,000 workstations to protect itself against the vulnerability that Blaster exploited. "I can tell you, it's been one heck of an effort on a lot of people's part to do that," Jahne adds.
For the longer term, Banner is studying the feasibility of partitioning its networks in order to minimise the effect of vulnerabilities, he says.
Adding to the patching problem is the fact that companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy it, says Art Manion, an internet security consultant at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
That's because patches haven't always worked or have broken the applications they were meant to protect, says Marc Willebeek-LeMair, chief technology officer at TippingPoint Technologies, an Austin-based vendor of intrusion-prevention products.
Companies also need to schedule downtime in advance to deploy such patches, says Kevin Ott, vice president of technology at Terra Nova Trading, a Chicago-based financial services firm.
"We work in a 24X7 environment, so there is a limited scope for downtime" in which to deploy patches, he says.
But the stunning quickness at which Blaster exploited Windows' remote procedure call vulnerability is a sign that companies are going to have to respond to new threats even faster than they do today, says Chuck Adams, chief security officer at NetSolve, an IT services company in Austin.
Although worms such as SQL Slammer didn't appear until eight months after the vulnerability was announced, Blaster was released in just one month, Adams says.
That means companies will need to somehow find ways to lessen the time it takes to test and deploy patches, says Vivek Kundra, director of infrastructure technologies for Arlington County, Virginia. Currently, Arlington County needs about three or four days to push out patches across its networks.
"[Three or four days] is not going to work any longer," Kundra says. "I need something that can cut the process down to a few hours, if not minutes."
The county is looking at outsourcing its patch management process to a third party. Also under consideration is a plan to adopt a more automated process for testing and deploying software patches, Kundra says.
"Sometimes [patching] can be more an art than a science," says Hugh McArthur, information systems security officer at Online Resources, a McLean, Virginia-based application service provider for more than 500 financial institutions.
"There will be times when you may need to make a judgment call balancing risk, appropriate testing [and] mitigating factors," he says.
Even so, patching remains the best available option, according to Bruce Blitch, CIO at Tessenderlo Kerle, a multinational chemical company with US headquarters in Phoenix.
"Everyone would no doubt agree that having completely error- and exploit-proof code would be the most desirable situation," Blitch says. In the absence of that, he says, "we're convinced that [patching] is the best strategy."