Magazine article Security Management

One Brick in the Security Wall: One of the Most Important Elements of Information Security-The Regular Patching of Software Vulnerabilities-Is Often a Loose Brick in the Security Wall. (Tech Talk)

Magazine article Security Management

One Brick in the Security Wall: One of the Most Important Elements of Information Security-The Regular Patching of Software Vulnerabilities-Is Often a Loose Brick in the Security Wall. (Tech Talk)

Article excerpt

Building an effective level of information security can be likened to building a brick wall. There are many bricks in the information-security wall, from safe computing practices to intrusion-detection systems. However, one of the most important elements of information security--the regular patching of software vulnerabilities--often seems to be a loose brick.

Information security experts have long argued that patching all the software holes in a network that might employ several operating systems and dozens of computers is an overwhelming job. But this difficult task might become easier if it could be automated, experts say.

Automated patching, in which patches are "pushed out" by a software vendor to customers as they become available, is not altogether a new idea, says Alfred Huger, vice president of engineering at Security Focus, an information-security intelligence company. "Some Unix operating systems like Red Hat have the ability to [push out patches], but the biggest player that should have been doing it, according to some, was Microsoft, and they just recently started," he says.

Huger is referring to Microsoft's Strategic Technology Protection Program (STPP), a system designed to simplify the process of securing Windows networks. One element of STPP is sending out cumulative bimonthly security patches for Windows 2000. Additional tools for patching Windows 2000 servers, and deploying security patches networkwide, are also available.

Microsoft will also soon release a service pack focused on security. With this pack, which works together with an auto-update client, critical security patches can be installed directly onto participating machines without any action by users.

"I think [STPP] is a step in the right direction," Huger says, "but it has its own attendant problems. For one, it's not unheard of for a vendor to put out a security patch that has adverse effects on the systems it's being installed on."

For that reason, it's unlikely that most companies will allow patches to be automatically installed across their networks, agrees Ben Rothke, until recently a senior security analyst with security software developer Camelot. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.