
Vulnerability management is a business continuity issue

CEOs and CFOs know that viruses can damage their business and cost millions. But many do not realise that an anti-virus programme cannot help when it comes to the increasingly frequent flaws being exposed in corporate software. The biggest threat to security is these flaws, or ‘vulnerabilities’, which demand immediate attention and patching. IT teams are spending more than $2 billion a year desperately trying to patch these network security flaws to protect their networks from hackers and viruses, according to the Aberdeen Group analysts. But the process of security patch management is still not understood at the level that matters – the boardroom. Paul Butler, principal consultant at Altiris, argues that it’s time for the board to realise that security patching is a major part of business continuity and security:

As we become even more reliant on IT, it is all the more necessary to have procedures in place to minimise system downtime and ensure the security and availability of information across the organisation. But the increasing complexity of IT systems also brings an increased number of potential flaws in the software, with over 4,000 vulnerabilities reported in 2002 (source: Software Engineering Institute advisory team). With more flaws being discovered every day, IT networks are vulnerable and open to catastrophic attack. The famous “SQL Slammer” worm of 2002, for example, was estimated to have cost companies up to $1.2 billion even though a security patch was readily available (source: CNET News). So why did it do so much damage? Because the approach to patch distribution was reactive, not proactive, and IT teams simply couldn’t cope with the huge, instant demands made of them to protect systems against the virus.

Virus protection alone is not enough, even if it is automatically updated. The flaw exploited by the SQL Slammer worm, for example, could only be closed by applying a Microsoft-supplied update. When a software vendor releases a product, it may contain flaws which can be exploited by hackers and malicious worms, and which can bring the entire IT network down. When a flaw is discovered, the vendor will usually release a patch which mends the gap in the programme, stopping worm or hacker attacks on that part of the system. It is then up to the IT team at the end-user’s organisation to deploy and manage those patches, so that their software’s flaws are actually closed.

The increased importance of patching to the day-to-day running of a business has left many IT teams fighting a losing battle, and significant damage is being done to businesses: loss of revenue and data, loss of customer satisfaction, trust and loyalty, and ultimately damage to corporate reputations. Surveys in late 2003 consistently show that security patching is one of IT managers’ top worries for 2004.

Patch management is becoming a full time job but it doesn’t need to be. By using software that centralises and automates the task of patch distribution, organisations will be able to effectively manage the distribution and make it part of the day-to-day business continuity strategy, rather than a panicked, reactive scramble against the latest virus.

The only way for security patching to be successful, and for companies to prepare themselves for the next new worm or virus incarnation, is to see it as part of the business continuity strategy. Top-level management must realise the potential threat to the business and make funds available to the IT team. Funding must be backed up by processes to manage the distribution of patches - before it’s too late.
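The gap the article describes (a patch is readily available, yet hosts stay unpatched) can be measured rather than guessed at. The following Python is added here as an illustration and is not code from Altiris or from the article: it tracks each host's exposure window from a patch's release until it is installed, and flags hosts that exceed a hypothetical patching SLA. Patch identifiers, dates, hosts and SLA thresholds are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy: days a host may remain unpatched after vendor release.
SLA_DAYS = {"critical": 7, "high": 30}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    released: date
    severity: str


@dataclass(frozen=True)
class Host:
    name: str
    installed: dict  # patch_id -> date the patch was installed on this host


def exposure_days(patch, host, today):
    """Days the host was exposed: release until install, or until today if still missing."""
    end = host.installed.get(patch.patch_id, today)
    return max((end - patch.released).days, 0)


def overdue(patches, hosts, today):
    """(host, patch_id, days) for every host still missing a patch beyond its SLA."""
    findings = []
    for host in hosts:
        for patch in patches:
            if patch.patch_id in host.installed:
                continue
            days = exposure_days(patch, host, today)
            if days > SLA_DAYS[patch.severity]:
                findings.append((host.name, patch.patch_id, days))
    return findings


def coverage(patches, hosts):
    """patch_id -> (hosts patched, hosts in scope): the board-level view of progress."""
    return {p.patch_id: (sum(p.patch_id in h.installed for h in hosts), len(hosts))
            for p in patches}


# Constructed inventory: one critical and one high-severity vendor patch, three hosts.
TODAY = date(2003, 3, 1)
PATCHES = [Patch("P-2003-001", date(2003, 1, 10), "critical"),
           Patch("P-2003-002", date(2003, 2, 15), "high")]
HOSTS = [Host("db-01", {"P-2003-001": date(2003, 1, 13), "P-2003-002": date(2003, 2, 20)}),
         Host("db-02", {}),  # never patched: the SQL Slammer scenario
         Host("web-01", {"P-2003-001": date(2003, 2, 24), "P-2003-002": date(2003, 2, 16)})]

if __name__ == "__main__":
    for name, pid, days in overdue(PATCHES, HOSTS, TODAY):
        print(f"{name}: {pid} missing for {days} days (over SLA)")
    print(coverage(PATCHES, HOSTS))
```

Running it reports db-02 as over SLA for the critical patch only; the high-severity patch is missing too, but is still inside its 30-day window, which is the kind of prioritised view a reactive scramble never produces.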

www.altiris.com

Date: 3rd March 2004 •Region: Worldwide •Type: Article •Topic: ISM



Copyright 2004 Portal Publishing Ltd