Conficker worm proves enterprises must improve patch policies

By Ron Condon, U.K. Bureau Chief
23 Apr 2009 | SearchSecurity.co.uk


The recent rapid spread of the Conficker worm has not only highlighted the need to apply security patches quickly, but also revealed how poorly many organisations handle software patching.

While most home PCs are automatically kept safe and up to date, often without their users even being aware of the fact, it was corporate systems that were badly hit by the Conficker worm.

Although Microsoft issued an unscheduled security bulletin, MS08-067, last October and rated it 'critical' on all Windows versions except Vista and Server 2008, vulnerability management vendor Qualys Inc. estimated that 30% of Windows machines were still unpatched when Conficker started to make an impact two months ago. The number of infected machines was variously estimated at anywhere between 8 and 15 million, although that number is thought to have fallen after the huge publicity about the infection.

But the impact still raises the question of why companies fail to take patching seriously. Remember that Microsoft's Patch Tuesday and most of the patch management industry only began after worms such as Slammer and Blaster appeared earlier this decade. Before the arrival of that fast-spreading malware, it was commonplace for systems to remain unpatched for months or years, and patching was a haphazard and unstructured process.

Despite those earlier events, however, many companies still choose not to patch, according to Jay Abbott, a senior manager at PricewaterhouseCoopers (PWC), who works with a wide variety of organisations. According to Abbott, businesses faced with the choice of taking down systems and applying patches that may cause problems will often avoid patching altogether. Instead they will try to find other ways of limiting the damage of a virus, such as installing extra firewalls and intrusion prevention systems.

"A lot of them say they can't risk down-time on a mission-critical system, so they don't patch," he said.

Senior management should be made to understand the risks of not patching, he said, rather than merely focusing on the damage that patching might cause. "You need to couch the argument in terms of risk management. In that way you can have a proper conversation with the business and justify why things need to occur."

"If you decide not to patch, then the level of compensating controls you need to put in [place] are significant. You need real belt-and-braces protection at the network and host layer, and a defined perimeter with limited connectivity to the outside world."

Chris Schwartzbauer, head of marketing for patch management company Shavlik Technologies LLC, agrees that patching can be hard. "Nobody likes to put software on servers. Nobody wants to fix something they don't believe is broken. Systems are fragile, and they don't want to touch them," he said.

There are other problems, too. Companies may have altered their applications, making them difficult to patch safely. "If they have a couple of hundred servers, they will probably have made some application modifications. Patching is impossible because it's no longer the native application."

Poor asset management can also make it hard for organisations to know exactly what applications are running and on what hardware. "If [companies] are growing fast, or they have taken over another company, people may not take the time to find out what version of Internet Explorer or IIS is running on the machine. If they don't know it's there, they can't patch it," Schwartzbauer said. "The proliferation of laptops coming on and off the network makes it even harder to do asset inventory and discovery. And with virtual machines and virtual applications, you have even more trouble. Offline VMs are very difficult to detect."

The way to reduce the risks associated with patching is by implementing proper change management procedures, he said. "Change management capability is essential so you know the before and after state of the systems. If organisations are confident that they can quickly restore a machine to its functional state, then they'd be more likely to patch it."

But some systems, such as servers running Windows NT4, will be beyond patching. Microsoft ceased supporting the operating system in December 2004, and as Abbott points out, there are nearly 200 unpatched vulnerabilities in NT4. "We still see the odd NT4 server in companies. We always advise people to phase them out as quickly as possible," he said.
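The three preceding points (you cannot patch a host you do not know about, offline machines escape discovery, and end-of-life platforms such as NT4 are beyond patching) can be turned into a routine check by reconciling the asset register against discovery-scan results. The script below is an added example, not code from the article or from any vendor quoted in it. The host names, OS labels and installed-hotfix lists are constructed sample data; the only real identifiers are the MS08-067 bulletin and KB958644, the hotfix that delivers it. It reports each host as unseen, unsupported, missing the patch, or compliant, flags hosts discovery found that the register lacks, and computes the unpatched share among hosts that could actually be assessed.

```python
"""Reconcile an asset inventory (CMDB) against discovery-scan results to find hosts
that are unseen, unknown, beyond patching, or missing a required hotfix.

Constructed example: host names, OS versions and hotfix lists are made up.
MS08-067 and its hotfix KB958644 are real; everything else is sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Bulletins that must be present, keyed to the hotfix that delivers each one.
REQUIRED_HOTFIXES = {"MS08-067": "KB958644"}

# Platforms the vendor no longer patches at all; NT4 support ended December 2004.
UNSUPPORTED_OS = {"Windows NT 4.0"}


@dataclass(frozen=True)
class ScanRecord:
    os: str
    hotfixes: tuple  # installed hotfix IDs as reported by the host


@dataclass(frozen=True)
class Finding:
    host: str
    status: str          # not-seen | unsupported | missing-patch | compliant
    in_inventory: bool   # False: discovery found a host the CMDB does not know about
    detail: str


# --- constructed sample data (not from the article) -------------------------
CMDB_HOSTS = {"srv-01", "srv-02", "srv-03", "nt4-legacy", "lap-07"}

SCAN_RESULTS = {
    "srv-01": ScanRecord("Windows Server 2003", ("KB950762", "kb958644")),
    "srv-02": ScanRecord("Windows XP", ("KB950762",)),
    "nt4-legacy": ScanRecord("Windows NT 4.0", ()),
    "vm-shadow": ScanRecord("Windows Server 2003", ()),   # a VM nobody recorded
}


def assess_host(host, record, in_inventory, required=REQUIRED_HOTFIXES,
                unsupported=UNSUPPORTED_OS):
    """Classify one scanned host. Unsupported platforms are reported as such rather
    than as 'missing patch', because no patch will ever exist for them."""
    if record.os in unsupported:
        return Finding(host, "unsupported", in_inventory,
                       f"{record.os} is out of vendor support; phase out")
    installed = {kb.upper() for kb in record.hotfixes}   # hotfix IDs are case-insensitive
    missing = [b for b, kb in required.items() if kb.upper() not in installed]
    if missing:
        return Finding(host, "missing-patch", in_inventory,
                       "missing " + ", ".join(missing))
    return Finding(host, "compliant", in_inventory, "all required hotfixes present")


def reconcile(cmdb_hosts, scan_results, **kw):
    """Join the CMDB view with the discovery view. Hosts in the CMDB but not seen
    on the network cannot be assessed (offline VMs, roaming laptops); hosts seen but
    absent from the CMDB are assessed anyway and flagged as unknown assets."""
    findings = []
    for host in sorted(set(cmdb_hosts) - set(scan_results)):
        findings.append(Finding(host, "not-seen", True,
                                "in inventory but not observed by discovery"))
    for host in sorted(scan_results):
        findings.append(assess_host(host, scan_results[host], host in cmdb_hosts, **kw))
    return findings


def summarize(findings):
    """Aggregate counts plus the unpatched share of hosts that could be assessed."""
    counts = Counter(f.status for f in findings)
    assessed = counts["missing-patch"] + counts["compliant"]
    pct = round(100 * counts["missing-patch"] / assessed, 1) if assessed else 0.0
    return {
        "counts": dict(counts),
        "unknown_assets": sum(1 for f in findings if not f.in_inventory),
        "unpatched_pct": pct,
    }


if __name__ == "__main__":
    results = reconcile(CMDB_HOSTS, SCAN_RESULTS)
    for f in results:
        flag = "" if f.in_inventory else " [NOT IN CMDB]"
        print(f"{f.host:12} {f.status:14}{flag} {f.detail}")
    print(summarize(results))
```

The unpatched percentage is deliberately computed only over hosts that were both seen and supported: counting unseen or end-of-life machines as "compliant" would hide exactly the gaps the article describes, while counting them as "unpatched" would conflate a missing patch with a missing host. In practice the two inputs would come from the CMDB export and from whatever discovery or patch-management tool is in use, normalised into the same shape as the sample dictionaries.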

Abbott added that while IT and security are still regarded in many businesses as a burden and a cost centre, it will always be hard to argue for regular patching. "More often than not, companies will have to get burned before they actually get the concept of the value of security," he said.
