Security is not a quilt, so let's patch less
- 13 August, 2003 22:00
By the time you finish reading this column, another alert will have been issued or new patch code posted regarding the latest vulnerability that has been deemed "critical" by one of your vendors.
From the moment new vulnerabilities appear, application vendors work frantically to develop an effective patch, which their customers then rush to test and implement. This race is repeated weekly, daily or even multiple times per day, creating a vicious cycle in which IT personnel spend too much valuable time patching systems.
Patch-mania has spawned a group of products that help companies manage their patching efforts. Unfortunately, by relying on a patch-management system to fight the vulnerability battle, you're likely to lose the security war. I'm not implying that patch-management systems cannot be effective, because some are. The problem is the underlying approach to security that necessitates these systems.
Today's approach to patching is the equivalent of every person in the US immediately testing and contemplating an inoculation for every known disease, without respect to whether they are likely to be exposed, or to the health cost if they are exposed. This approach is not only time-consuming and costly, but also nonsensical. Do we really need a management system to inoculate every US citizen for typhoid? No. Humans are vulnerable to typhoid and the cost of infection could be very high, but the disease poses no threat to most people living in the US.
Before patching, companies need to investigate not only whether they are vulnerable to attack or infection, but also the likelihood of attack or infection (threat) and the resulting impact (cost). According to research conducted by TruSecure, the average Global 2000 corporation can reduce the number of patches that are short-term concerns to less than 4% of those issued simply by reconfiguring its existing security resources properly and taking a more proactive stance on security. This means that 96% or more of the alerts and patches from technology vendors are not crucial and carry no near-term security risk to most companies.
There are even some instances where a company is vulnerable - the threat level and cost of infection are high - but patching still is not the answer. Aggressive patching ranked last of the seven measures that actually worked to protect companies from the SQL Slammer worm that struck earlier this year. The other six protective measures were all proactive and generic - and all were much easier, less expensive and more effective against not only the Slammer worm, but against the majority of attacks.
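The triage the two preceding paragraphs describe (vulnerable? under active threat? costly if hit? already covered by a generic control?) can be written down as a small decision procedure. The following is an added illustration, not code from the column or from TruSecure; the `Advisory` fields, the three bucket names and the sample advisory identifiers are all assumptions constructed for the example.

```python
"""Risk-based patch triage in the spirit of the column's argument.

Each advisory is judged on the questions the column says to ask before
patching: is the affected software installed and reachable (vulnerable),
is there evidence of active exploitation (threat), and how bad would a
compromise be (cost)? An advisory is only a short-term patching concern
when all three are high AND no existing generic control already blocks
the attack path; everything else goes to the routine maintenance cycle.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Advisory:
    ident: str            # vendor alert id (placeholder values in SAMPLE below)
    product: str
    installed: bool       # is the affected software deployed at all?
    reachable: bool       # can an attacker actually reach the vulnerable service?
    active_threat: bool   # exploitation or worm activity observed in the wild
    impact: int           # 1 (nuisance) .. 5 (critical outage or data loss)
    # generic controls already in place that block this attack path
    mitigated_by: List[str] = field(default_factory=list)


def triage(adv: Advisory) -> str:
    """Classify one advisory as 'urgent', 'mitigated' or 'routine'."""
    if not adv.installed or not adv.reachable:
        # Not exposed: no near-term risk, so patch on the normal cycle.
        return "routine"
    if adv.active_threat and adv.impact >= 4:
        if adv.mitigated_by:
            # Real risk, but an existing proactive control already covers it,
            # which is the situation the column describes for Slammer.
            return "mitigated"
        return "urgent"
    # Exposed, but no active threat or only minor impact: routine.
    return "routine"


def prioritise(advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Bucket advisory ids by triage result."""
    buckets: Dict[str, List[str]] = {"urgent": [], "mitigated": [], "routine": []}
    for adv in advisories:
        buckets[triage(adv)].append(adv.ident)
    return buckets


def urgent_fraction(advisories: List[Advisory]) -> float:
    """Share of all advisories that are genuine short-term concerns."""
    if not advisories:
        return 0.0
    return len(prioritise(advisories)["urgent"]) / len(advisories)


# Constructed sample advisories; ids and products are illustrative only.
SAMPLE = [
    Advisory("VENDOR-2003-001", "db-server", installed=True, reachable=True,
             active_threat=True, impact=5),
    Advisory("VENDOR-2003-002", "db-server", installed=True, reachable=True,
             active_threat=True, impact=5,
             mitigated_by=["border filter already drops the service port"]),
    Advisory("VENDOR-2003-003", "mail-client", installed=False, reachable=False,
             active_threat=True, impact=4),
    Advisory("VENDOR-2003-004", "web-app", installed=True, reachable=True,
             active_threat=False, impact=4),
    Advisory("VENDOR-2003-005", "print-spooler", installed=True, reachable=True,
             active_threat=True, impact=2),
]

if __name__ == "__main__":
    for bucket, ids in prioritise(SAMPLE).items():
        print(f"{bucket:>9}: {', '.join(ids) or '-'}")
    print(f"urgent fraction: {urgent_fraction(SAMPLE):.0%}")
```

Run as written it places one of the five sample advisories in the urgent bucket; the point of the exercise is that the `reachable`, `active_threat` and `mitigated_by` answers come from the organisation's own inventory and controls, which is exactly the information a patch-management tool alone does not have.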
Isn't it time companies realise that throwing more money and resources at a problem that is only getting worse is not the answer? Don't security practitioners understand that now's the time to take a proactive stance and address only vulnerabilities that pose the greatest security risks? If the answers to these questions are "no," it must be time to patch again.
Tippett is CTO of TruSecure and a member of the Presidential Information Technology Advisory Committee.