May 12, 2004 4:00 AM PDT

Perspective: The lessons of Sasser

Three weeks before the Sasser worm began to slither across the Internet, Microsoft published a patch to block the hole the worm uses to tunnel inside computers.

Nevertheless, the worm grounded at least 40 Delta Air Lines flights and delayed many more. The U.K. Coastguard was figuratively run aground and was completely offline for most of a day.

So, what happened? We had the tools to stop the worm dead in its tracks, but it still exacted a high toll in lost productivity, loss of real business and, in the case of the sailors at sea around the coast of England, created a real risk to life.

The root cause for this dysfunction can't be assigned to the lack of tools. We need to look deeper into the factors that contribute to the operational environment within information technology. This is where we might begin to understand why so many companies were left naked to the Sasser worm.

I think the most useful analogy comes in the form of a classic Greek myth. Sisyphus offends the ancient Greek gods, and he is condemned to forever roll a heavy rock up a hill, watching it roll down again and then rolling the rock back up the hill again.

When Microsoft released Office 2003, IT got to roll the rock up the hill as it installed the new software. Two weeks later, the rock promptly rolled back down when Microsoft issued the first "critical" patch for the program. The cycle then repeated itself: each time a patch was applied, Microsoft would issue a whole new set of critical patches.

French existentialist Albert Camus used this myth as an emblem for his philosophy of courage, strength and even joy in the face of an apparently meaningless and futile life. Like Sisyphus with his rock, far too many IT professionals devote themselves to constantly patching systems. Their careers are entangled in the relentless chore of patching software instead of launching an enterprise resource planning or customer relationship management system that would create a competitive advantage and is already years behind schedule.

Of course, applying every patch is a chore more honored in the breach than in the observance. According to a recent poll conducted by CNET Networks' Silicon.com, less than a quarter of those surveyed claimed that they applied every published patch. The vast majority said they needed to balance patch management with more important IT issues, and this is completely understandable--until something goes wrong.

The most simple-minded hacker doesn't even have to search for new ways to exploit a system. Instead, he watches for security patches, reads the documentation that explains why the patch is necessary and builds exploits for these holes, knowing that the odds are good that he'll be able to find--and compromise--unpatched systems.

The burden of patch management falls heaviest on the shoulders of IT staff at midsize companies. Large enterprises can reasonably scale resources to meet this chore.

Small companies simply don't have the resources to apply to patching, until the rock rolls back over them, and they're faced with a security breach or applications that just don't work. Midsize companies--and even some Fortune 500 companies--are trapped. They know the best practices. They know that they don't have the resources to implement a best practice. And, therefore, they know the deep, existential angst born from the futility of their situation.

IT managers take three broad approaches to successfully managing patches:

• Acquire software that needs less patching. It is very common to find companies avoiding the purchase of a ".0" release of software because of the inevitable patches, bug fixes and other loose ends that were left untied. Conservative software adoption is a good plan, but it merely delays the chore of patching.

• Become more efficient or get more resources to implement a rigorous patch management routine. But there's a cost in staff time and money. The IT team will need to constantly scour the market for new products, evaluate likely candidates, integrate the new tools into IT process management and train the staff. Besides assuming that there will be resources for the job, this approach takes as a matter of faith that people will make best use of what's available.

• Rather than shoulder the entire investment, a third approach is to share the cost of "best practice" patch management with outsourced IT management companies. Fixed costs such as the purchase of the software and staff can be amortized over a much larger population and substantially drive down the cost per seat. A company's IT staff can then remain focused on strategic IT issues and outsource the common, generic management chores.

An outsourced IT management company can be expected to have a completely different perspective on patch management than a corporate IT staff. For us, the failure to use the best possible tool is an opportunity cost; the failure to document the successful installation of every patch on every machine is a business risk, and the failure to staff this function with the best possible IT talent is just plain foolish. It's a matter of perspective.

Biography
Kevin Francis is president and CEO of CenterBeam, an IT outsourcing company in San Jose, Calif. Before joining CenterBeam, he was president and CEO of Accelio and Xerox Canada.

The Logical Solution or Blind Ignorance
by Clues May 12, 2004 1:33 PM PDT
Of course let's not forget that all these "solutions" require that you remain firmly entrenched in the infinite loop of blind ignorance. Some day one would expect you to connect your perpetual headaches with continuing to hammer your head against the same brick wall, over and over. Could that day be today?

Using Mac OS X you will have none of these issues and can simply spend all your time and money actually getting work done. IT will cost a fraction of what it does now and capital costs will drop like a rock over time. Of course productivity will skyrocket and profits escalate out of control, but even the perpetually ignorant should be able to deal with that. On top of these onerous challenges you will have excellent software that works and peripherals that actually plug and play, networks that, well, like all things Mac, just work.

Of course you could continue to do what you have always done and blindly use Windows, the most insecure platform on earth, by a factor of several magnitudes I might add. Blind ignorance has always controlled the herd and Microsoft FUD keeps the timid little morons trapped in their ignorance as always.

Is the pain and control of mediocre crap like anything Microsoft enough to stop beating your head against the wall yet? When will the pain be enough, do you think?
Amen, but...
by May 12, 2004 2:50 PM PDT
...what can I do? All the enterprise software that I need is written for the Microsoft platform only. This is the true price of Microsoft's monopoly. The worst aspect of this is that Microsoft patches can destroy systems or cause mission-critical software to stop working, and are in many cases, uninstallable. When industry wags write articles about how IT managers don't install patches quickly enough, it's not because we don't want to, it's because we've been burned before...and will be again. It's the worst part of my job (webmaster of 11 systems).
You are OH SO WRONGLY STUPID
by May 13, 2004 7:32 AM PDT
I guess you are right in the sense that you have absolutely no problems with your MAC. That is because it is useless to attempt to cripple something that is already useless. I manage a MS network and I have no problems with the constant patching due to a free downloadable tool from Microsoft called Software Update Services. It retrieves all of the updates for you and publishes them to your workstations. You cannot sit around and cry about something that you have absolutely no idea what can be done on an MS network. And I am on both sides of the gate because I do manage 2 MACs also, but they are only used for video editing purposes ONLY. Don't talk about something you don't understand, because ignorance is something you can't pay for; you inherit it.
what the?
by May 12, 2004 2:51 PM PDT
Seriously, all it takes is a measly firewall and you will never have problems with these worms. Why do these large companies not have strict firewall rules? What is wrong with the idiots that work there?

It's crazy if it is, quote, "grounded at least 40 Delta Air Lines flights and delayed many more. The U.K. Coastguard was figuratively run aground and was completely offline for most of a day."

I mean how does this even happen to these people?... incompetent employees sounds more like the issue here.
Yes, but...
by May 12, 2004 2:59 PM PDT
...you still have to install the patches eventually. A firewall, which we have, and which, you are right, saves you from the worst problems, does not help you if the virus comes in on a student computer that connects to the network (we are a college). The problem is that the patches themselves can destroy the system or make important server software stop working. Every administrator I know who has dealt with Microsoft patches over the years has had a bad experience at some point.
WRONG
by bjbrock May 14, 2004 5:03 PM PDT
Some of these worms come through on connections your browser makes out. The only way to stop them is to quit browsing the Internet. Or find an OS that isn't dangerous to use.
Outsourcing = Blame Management
by May 13, 2004 5:25 AM PDT
If the in-house staff does not have the resources to do the job, get them the resources. An Outsourcer has no incentive to do things right beyond the next paycheck.

The reason Outsourcing is so popular is not because it is cheaper. It's never cheaper to hire someone else's employees at a markup. And the argument that an Outsourcer has some kind of 'special sauce' is bogus when dealing with commodity technology.

When an Outsourcer can be valuable is when you want to stage a 'coup' and shake up IT.

A small company doesn't need an Outsourcer, they just need a decent local consultant. The marketing aspects of Outsourcing do not 'add value' for small business. Marketing just drives up the price.

It's annoying to have someone sell his wares like this. How much did the guy pay for this advertisement?
Sorry, but...
by May 13, 2004 2:44 PM PDT
I don't wish to participate in this discussion any longer. A little too much hostility between individuals who don't share the same viewpoint for my taste. One can disagree without making things personal, but on the net, these conversations always seem to end up rancorous. Bye for now.
The observation was right on...
by bjbrock May 14, 2004 4:27 PM PDT
but the solution is from an obvious moron. Having to patch software is not an option - period. This simply lets software developers sell dangerous products that have not been fully tested. Mistakes can happen, but we have let patches get so far out of hand that billions of dollars have been thrown down the drain as wasted resources, and that costs everyone. When are we going to get quality products like we expect to get from any other industry?

Microsoft sold me a product that literally put me and my ability to provide for my family at very great risk. Raising a family is tough enough. But to have some billion-dollar company sell me a product which they lied about what was being sold, and then have it cause me to redirect resources from what sustains my family and me, is nothing less than criminal. PERIOD!
Patch management not the issue.
by May 16, 2004 9:53 AM PDT
Talking about Sasser patch management in terms of patch management misses an important point: Where were the firewalls and the router access lists to block the traffic? Why are unsecured systems being allowed via VPN to access core infrastructures?

Patching systems takes time, as well it should. Moreover, patching is inherently reactive; one cannot patch before the patch is released.

Firewalls and access-lists, on the other hand, are inherently proactive. I do not need to know about a vulnerability within LSASS to know that unrestricted access to UDP port 445 is a bad idea. I do not need to know about malicious URLs to know that links referencing "cmd.exe" should be kept away from the user.

The lesson of Sasser is not about patch management. The lesson of Sasser is that there is no substitute for strong firewalls.

Cordially,

Peter Nayland Kust,
TEKMedia Communications
http://www.tekmedia.com
pkust@tekmedia.com