CyberSecurity Institute

As the window shrinks between the discovery of vulnerabilities and the exploits that follow them, security patching — once an obscure and neglected chore — is beginning to take on a more urgent role in some corners of the business world, say analysts and IT managers.

Leading the way are organizations with mission-critical technology — chiefly finance agencies — who’ve managed to reduce critical security patch times from weeks to just days.

“In some cases, it took 200 days to roll out a patch across 36,000 machines,” says Rober Garique, VP and CISO of the Bank of Montreal. “Now we can do that in less than a week.”

The key, they say, is that they’ve moved patch management from their small security organizations into their network infrastructure management. It’s a culture shift — a new way of working with network administration, says Mike Corby, director of META Group Consulting. In this model, security teams rate the criticality of each patch, but administrators manage the actual patching as part of their normal network and system management processes.

So the different system administration groups should do their own testing and patching as part of their overall system management.”

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity. At Bank of Montreal, this approach gets critical patches to onto over 30,000 devices in two-to-three days.

The Bank of New York boasts similar deployment speeds for an equally-large network.

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity. With network administrators handling patch management, IT security is free to assume more of a role of advisor and 9-1-1 operator, sending alerts to administrators assigned to patch the networking segment.

“About two years ago, awareness among the infrastructure people was an issue when we used to rely too much on the severity ratings provided by the vendors,” says Eric Guerrino, senior vice president and head of information security for Bank of New York.

At Bank of New York, the infosec team takes alerts and reports from vendors, CERT, the Financial Services ISAC, vulnerability alerting services, the media and other sources of information. “Sometimes, especially on the network, most of the critical patches we’re concerned with need to be rolled out at the edge devices but not necessarily the entire network. So we’ll give it rating of high for servers in the DMZ, and a medium rating for everywhere else,” says Guerrino.

Network administrators at both banks use vulnerability and asset management tools, along with network protocols and network management tools to keep track of devices, services, versions and patch levels.

The key is continuous assessment of your network devices, their versions, and their patch levels. And you need to assign asset value to those systems — for example a financial or health care database is more critical and sensitive than, say, your Web server,” says Abraham Kleinfeld, president and CEO of nCircle, a vulnerability assessment vendor in San Francisco.

“Buying Time” with Firewalls Guerrino and Garique say that their security patching routines have become sane — nearly predictable, except for when the occasional big one hits.

http://www.securityfocus.com/news/9100

Case in point, the June 25th Russian attacks that turned IIS servers into delivery platforms for identity-thieving Trojan keystroke loggers. The attacks relied on two vulnerabilities in Internet Explorer that security researchers discovered for the first time weeks earlier on a malicious adware-implanting website. At the time of the attack, no patch was available. ISPs were able to quickly contain the threat by shutting down traffic to the Russian host serving up the malware. But the episode proved that the zero day concern is more than hyperbole.

“We believe zero day vulnerabilities are imminent. says Oliver Friedrichs, senior manager at Symantec’s Security Response center.

As the window shrinks between the discovery of vulnerabilities and the exploits that follow them, security patching — once an obscure and neglected chore — is beginning to take on a more urgent role in some corners of the business world, say analysts and IT managers.

Leading the way are organizations with mission-critical technology — chiefly finance agencies — who’ve managed to reduce critical security patch times from weeks to just days.

“In some cases, it took 200 days to roll out a patch across 36,000 machines,” says Rober Garique, VP and CISO of the Bank of Montreal.

“Now we can do that in less than a week.”

The key, they say, is that they’ve moved patch management from their small security organizations into their network infrastructure management.

It’s a culture shift — a new way of working with network administration, says Mike Corby, director of META Group Consulting.

In this model, security teams rate the criticality of each patch, but administrators manage the actual patching as part of their normal network and system management processes.

“This is part of the natural evolution of security,” says Garique.

So the different system administration groups should do their own testing and patching as part of their overall system management.”

At Bank of Montreal, this approach gets critical patches to onto over 30,000 devices in two-to-three days.

The Bank of New York boasts similar deployment speeds for an equally-large network.

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity.

And they’re the ones held accountable for 99.9% availability – not the security people.

Once they’re aware of their ownership of the problem, they’re professionally accountable.”

Avoiding the Chicken Little Syndrome With network administrators handling patch management, IT security is free to assume more of a role of advisor and 9-1-1 operator, sending alerts to administrators assigned to patch the networking segment.

“About two years ago, awareness among the infrastructure people was an issue when we used to rely too much on the severity ratings provided by the vendors,” says Eric Guerrino, senior vice president and head of information security for Bank of New York.

At Bank of New York, the infosec team takes alerts and reports from vendors, CERT, the Financial Services ISAC, vulnerability alerting services, the media and other sources of information.

“Sometimes, especially on the network, most of the critical patches we’re concerned with need to be rolled out at the edge devices but not necessarily the entire network.

So we’ll give it rating of high for servers in the DMZ, and a medium rating for everywhere else,” says Guerrino.

Network administrators at both banks use vulnerability and asset management tools, along with network protocols and network management tools to keep track of devices, services, versions and patch levels.

The key is continuous assessment of your network devices, their versions, and their patch levels.

And you need to assign asset value to those systems — for example a financial or health care database is more critical and sensitive than, say, your Web server,” says Abraham Kleinfeld, president and CEO of nCircle, a vulnerability assessment vendor in San Francisco.

“Buying Time” with Firewalls Guerrino and Garique say that their security patching routines have become sane — nearly predictable, except for when the occasional big one hits.

http://www.securityfocus.com/news/9100

According to data compiled by WebSideStory, Internet Explorer’s market share has dropped 1.32 percentage points since June 4, the first marked decay in IE’s leadership since 1998.

“Sometimes these are just spikes,” said Geoff Johnston, an analyst with WebSideStory, “but this has become a very predictable trend.”

Internet Explorer has had more than 95 percent of the browser share for the past two years, and until early June of 2004, had owned about 95.7 percent of the market. Within the last month, however IE’s share of the U.S. browser business fell from 95.48 on June 4 to 94.16 on July 9. Netscape and Mozilla, meanwhile, saw their share climb from 3.54 percent to 4.59.

“The past couple of years, IE’s share has been pretty steady. But this is the first time we’re seeing an actual trend,” said Johnston.

A one-and-a-third point loss may not set alarm bells ringing at Microsoft, but when one considers how many people use the Internet, the number of users switching are significant.

Some analysts estimate the U.S. Internet population at around 200 million. A 1.32 percent change in browsers, then, translates into 2.6 million dropping IE. The slip by IE is also important, said Johnston, simply because it’s so difficult to get people to change browsers. “There’s this huge inertia,” he said, “that keeps them using the same browser.”

Behind the downturn in IE’s share, said Johnston, is the combination of its recent slew of security problems and the appearance of alternatives that are as good, or in some cases better, than Microsoft’s browser. The security problems [of IE] mixed with the launch of excellent alternatives, like Firefox, are what’s finally getting people to switch. They’re thinking, ‘I’m not the only one.’

Like they say, nothing attracts a crowd like a crowd.”

http://www.techweb.com/wire/story/TWB20040712S0003