In response to Microsoft’s latest vulnerability announcement, a group of security analysts at Gartner has released a research note that advises enterprises against using Windows Server 2003 in mission-critical applications exposed to the Internet before the second quarter of 2004.
“We may have to revise this cautious position if Microsoft fails to commit publicly to extraordinary efforts to eliminate glaring holes in its operating system,” the research note said.
The note also recommends that enterprises install the latest Microsoft patch on all PCs and servers, block vulnerable ports as they are identified, correctly configure enterprise firewalls, and install personal firewalls on all PCs and intrusion prevention software on all business-critical Windows servers. The goal: “to avoid the mass attacks that will almost inevitably attempt to exploit this vulnerability within the next few weeks.”
Richard Stiennon, vice president of research for Internet security at Gartner and one of the authors of the research note, said that when he and fellow Gartner analysts tell clients to patch and block, as they have for past Microsoft vulnerabilities, those clients are increasingly upset at receiving the same recommendation yet again.
“It is advice that is so obvious yet so difficult to do. And it often has to be done at horrendous cost,” Stiennon told the E-Commerce Times.
“One major financial institution had to go to its board of directors to approve an additional $10 million to finish this patch,” he added. “After MS Blast and the cost of patching that, it’s, ‘Here we go again,’ as new vulnerabilities are found deeply ingrained in Microsoft systems.”
Stiennon also mentioned the plight of another financial institution that was forced to take down its IT system for three weeks to patch its Windows desktop machines.
Not Just for Servers Anymore
Stiennon said that in the past, enterprises deployed firewalls mostly for servers and mobile computers, believing that desktop PCs were protected by the servers to which they were connected. Now, enterprises are deploying firewalls for desktop machines as well.
Noting that personal firewalls did a good job of thwarting worms like MS Blast, Stiennon said Gartner is recommending firewalls for all computers, including desktops.
“It is another expense, though enterprises understand that the cost is lower than repairing computers after an attack,” he said.
Additionally, Gartner’s research note stated, “Enterprises should continue to heavily weigh the cost of continually patching Microsoft products when deciding which operating system to purchase.”
Indeed, Stiennon said the latest vulnerability, along with news that a portion of Microsoft’s source code was leaked onto the Internet, has sparked debate about whether enterprises should have a diverse computing environment or rely on a monolithic solution.
“My prediction is that enterprises will think twice before installing Windows ATMs, Windows telephone systems, Windows security [systems],” he said. “Given these vulnerabilities, businesses [adding Windows machines will] have to deal with one more machine to track down and patch every month.”
The Facts of Life
However, Jim Hurley, vice president for security and privacy at Aberdeen Group, told the E-Commerce Times that the difficulty of updating Windows systems to guard against vulnerabilities depends on the degree to which an organization has automated its update process.
Hurley said the predilection of enterprises using Windows is to have a central staging system that pushes patches out to client computers through Microsoft Systems Management Server (SMS). According to him, the most common method of achieving this is twofold. For employees who turn on their PCs each morning, a macro is built into the boot sequence that patches Windows automatically. Those who leave their computers running are notified that a patch is available. Once activated, the patching process takes about two or three seconds to complete.
Hurley intimated that concerns about Windows might be overstated. “Patches and vulnerabilities are a fact of life,” he said.
Seeking a Model
Indeed, Guardent CTO Jerry Brady pointed out that the computer industry, for all intents and purposes, is still maturing and has taken a while to grasp risk models.
“No one has figured out yet what the dominant model will be for managing software vulnerabilities,” Brady told the E-Commerce Times. “Something has got to break soon, because [the present commercial software models] do not fit the risk preferences that companies prefer.”
Until recently, he said, the commercial vendor model had an advantage because its source code was not accessible to hackers. Usually, vendors like Microsoft had a grace period of knowing a vulnerability existed before it could be exploited.
Now, as software becomes larger and more complex, vendors like Microsoft will have to find a different method of conducting defect management, most likely some combination of longer release cycles and more expensive software.
“No one has figured out a [product] life cycle that has made sense,” Brady said.
Meanwhile, the recent news about Windows source-code leaks demonstrates the worst elements of closed-source software, Brady said. Because using Microsoft’s proprietary code would violate the law under the Digital Millennium Copyright Act (DMCA), “the bad guys get to find out about it before the good guys.”
In contrast to Windows, Stiennon said, Linux enables computers to communicate using standard protocols that are tested in an open forum.
“The irony here is that, if Microsoft announces more vulnerabilities more quickly, they are leaking out the notion that open source is actually a better process” in defending against vulnerabilities, Stiennon said.