One of the greatest dangers to a computer network is the presence of desktop PCs and servers that have not been patched for the latest vulnerabilities and can be exploited by malicious attacks such as worms. Blame goes to software developers for creating insecure programs as well as to network administrators who don't get patches installed before an attack happens.
Major Sherwin, computer operations manager at Landis + Gyr, Inc., the largest supplier of electric meters in the United States, was less interested in who to pin the blame on than he was in making sure that patches went out quickly to the three-dozen Windows servers and 250 desktops on his network. Sherwin says that back in the days when viruses and worms were slower moving, he let users patch their own computers or he did it himself if he happened to be working on a different and unpatched desktop. But after a few machines got hit by a virus, and as malicious code began to spread ever faster, Sherwin realized he needed a centrally managed tool to handle patching.
His first stop was Microsoft, where he tried a stripped-down version of its Personal Security Advisor (developed by Shavlik Technologies). That took care of some patching but "didn't give us any central management to make sure updates were applied," he says.
Sherwin then tried the full version of Shavlik's HFNetChkPro patch-management system, but he found it too cumbersome. He went back to manually installing patches.
"When we knew a new security patch came out, we just went around" and put it in. But that was only a temporary fix. "We were getting by and not getting hit by any of these vulnerabilities, but it was a lot of work," he says.
Then Sherwin came across SecurityProfiling, Inc., a Lafayette, Indiana, company that created SysUpdate Policy Compliance and Enforcement (PCE). SysUpdate PCE offered more than just a way to get patches installed: It integrated patch management, vulnerability remediation solutions, and policy compliance tools into a single software tool.
SysUpdate, which Sherwin downloaded from the company's Web site onto a single server, uses a client-server model; that is, a small piece of software (the client) is installed on each machine across the network. These clients are polled by, and report back to, a central server that keeps a database of how each computer on the network is configured. The client can be deployed automatically from the main server, but Sherwin says that he preferred to install each one himself, so he could explain to users what was happening.
Monitoring software, which Sherwin has installed on several computers, keeps track of the status of every computer on the network. One-time licenses cost about $50 per node, or machine, on the network, plus an annual 20 percent maintenance fee.
Behind the scenes, the SysUpdate server on Sherwin's network regularly checks in with a core server at SecurityProfiling's headquarters to look for any new patches that are available, and then it cross-checks those patches against the machines running on Sherwin's network, according to Brett Oliphant, SecurityProfiling's chief technology officer. When the server sees that a new patch is available for a machine on the network, SysUpdate can either automatically download and deploy the patch or simply notify Sherwin that a necessary patch is available.
The patches come from a variety of locales, Oliphant says. The company has relationships with some companies that provide SecurityProfiling with notification of a new vulnerability or patch before an announcement is made public. In addition, SecurityProfiling staff keep in close contact with the online community of security researchers who spend their time looking for new holes. This, says Oliphant, helps them collect, analyze, and verify information, and find workarounds if patches are not immediately available.
He also has a testbed that he uses when a patch is needed for a critical server or workstation. If the patch causes a problem, he can find an alternative or use a workaround (these solutions are provided directly from SecurityProfiling). If the patch doesn't cause a problem, he can push it out quickly to the necessary machines.
In the case of a workstation, he says, "You can pick one station at a time, call the person and say 'I'm going to send the patches to you, install all the patches right now.'" To ensure that the user does so immediately, a warning pops up reminding the user, and remains on until the patch is installed. The user may delay installation for an hour, up to three times; then the patch is installed automatically.
But newer versions of SysUpdate PCE allow Sherwin to do more than make sure patches are up to date. He can now apply and customize a security policy from a number of available templates, including those from the National Security Agency, the Center for Internet Security, and ISO 17799. The clients on each machine can then report on their compliance with these policies, which can include policy settings such as minimum password lengths or user rights. If a computer is found to be out of compliance, Sherwin is notified, and he can fix the problem quickly.
Sherwin says that the software's reporting tools have improved since he first starting using the product about two years ago. They now allow him to see in more detail the status of every computer on his network, such as which machines need a particular patch. He also says that he appreciates how responsive the company has been. "Usually if I think of something I want, I send them an e-mail and they try to incorporate it into the next release," he says, adding that they've already incorporated some of his suggestions into new releases.
The software has protected the network against virulent attacks such as MS Blaster. "We did not have one machine affected by Blaster," Sherwin says. "I hear my colleagues around town that work at other sites and the problems they were having; their networks got shut down by Blaster, but we skated through it. I sleep a little better at night."
(For more information: Brett Oliphant, CTO, SecurityProfiling Inc.; phone: 888/645-3676; fax: 765/420-9256; e-mail: firstname.lastname@example.org)
--By Peter Piazza, assistant editor of Security Management