Patch Management in an Age of "Zero-Day" Threats

By Lauren Barack

While no enterprise can afford to be lackadaisical about hacking, CIOs once enjoyed a little breathing room between the discovery of a software vulnerability and the arrival of a patch to fix it. No longer. Today, hackers learn about a software breach at the same time that companies do, and launch attacks just a few days later. This narrowing "window" has led security experts to warn that "zero-day" threats - which target a vulnerability before it is announced and a patch made available -- are imminent.

"You're getting attacks before vulnerabilities are even found," said Anne Stanton, president and founder of IT consultancy firm The Norwich Group and co-author of "The Complete Patch Management Book." "That's really the battle in the security arena for the CIO."

Typically, patch management has worked as follows: a vendor such as Microsoft discovers a vulnerability -- or is alerted to one by an outside organization -- and responds by notifying users about the problem. As a result, hackers are also alerted. And so a race begins: vendors hurry to create the fix, while intruders rush to find open doors. Sometimes, hackers don't even need to rush. It took Microsoft six months to create a patch to fix a hole in Windows that was exploited by the Sasser worm in May. That hack infected hundreds of thousands of computers.

Clearly, a new patch release process is needed. For its part, Microsoft now offers all of its customers -- instead of a select few, as in the past -- a preview of security updates and patches three business days before they're made available. While this doesn't prevent hackers from learning about the vulnerability, it does give enterprises a chance to ready themselves for the actual installation, and better secure their networks because they know where the vulnerability lies.

Still, even with Microsoft's recent moves, the threat of hacking continues to grow rapidly, with the number of hackers up ten-fold in just the last eight months, according to Stanton. Moreover, patches are only part of the solution. CIOs must devise their own multi-layered strategies for securing their firm's infrastructure. A network must be able to block a hacker who can identify a vulnerability before a patch is available: 

Establish multi-layered protection "You've got to install extra layers so that the network is always protected," said the Norwich Group's Stanton. Establishing multi-layered protection means an enterprise creates several levels of security. If one fails, others step in so that, for example, instead of using one anti-virus program, a network may choose to run two.

Control network access Visitors who ask to plug their laptops into your network for a demonstration can unknowingly download a virus or worm. Laptops tend to be the least patched of any type of computer; they are often used sporadically and are rarely returned to the IT department for security updates. Enterprises should sharply limit -- and in certain cases prohibit -- outsiders from accessing the network using unfamiliar mobile devices.

Lock down desktops  Enterprises need to ensure that end users cannot change their desktop configuration or download flawed software that can compromise a network. While a written policy is important, firms must enforce it with technology. "You have to enable the IT staff to take back those desktops," said Susan Bradley, a computer forensic specialist and Stanton's co-author. "End users should not be allowed to run their desktops in 'local administrator' mode."

Follow best practices CIOs must create a patch management plan, making sure all machines are patched and current. In many cases, enterprises include an IT security patch strategy in their disaster recovery plans. Following good patch management can often forestall, and even prevent, an IT disaster from occurring.

Install network triage While controlling network access can help prevent rogue viruses from being installed on a network, employees are only human. And it only takes one to infect the network. Enterprises are starting to experiment with ways to protect themselves against the human element -- for example, by automatically removing a user from the network if that person's computer is not recognized, or if the network identifies an unauthorized program. "Basically, the network checks to see if the machine has proper patches, and if not, installs them or tells the machine to get them before it will assign it an IP address and allow it access to its network," said Bradley.

Hacking will continue to be one of the top security concerns for enterprises. And while  patch management practices will get smarter, so too will online attackers. That's why it is essential for companies to take a multi-layered approach when creating their defense strategies and to stay flexible. "What people forget is that things change every day," said Stanton. "You can't protect yourself against everything. It's all about risk control and reducing risk."

Lauren Barack's work has appeared in Business 2.0 and Wired.