Defuse Those Ticking Time Bombs

When malignant worms start slithering across the Internet, even a few unprotected computers can bring down a network. Security patch management tools can find and fix software holes automatically—so your company doesn’t end up in the headlines for the wrong reasons.

On Aug. 16, a worm dubbed Zotob hit Windows 2000 computers at ABC, Caterpillar, CNN, United Parcel Service and hundreds of other organizations. The code, which the FBI said later was written by an 18-year-old Moroccan hacker, spread itself by probing a company’s network for vulnerable systems and caused systems it infected to reboot, crash or slow to a crawl.

A week earlier, Microsoft had publicly identified the vulnerability exploited by Zotob and released a security patch to protect against it, but the worm nailed Windows machines that hadn’t been updated.

In Orlando, Fla., Steven O’Sullivan, director of infrastructure at construction products distributor Hughes Supply, read the first reports of the Zotob outbreak and clicked over to his LANDesk management software screen.

His team had already retrieved the fix published by Microsoft and pushed it to the company’s 8,200 desktops in 500 offices using LANDesk’s patch-management features, but they hadn’t installed it yet; they first wanted time to test the patch to make sure it didn’t cause conflicts with other applications.

Test over. With Zotob potentially zooming his way, O’Sullivan flipped the switch and within minutes applied the patch to all machines at risk. “When there’s an exploit out there,” he says, “we slam the patch to everybody.”

The importance of routinely applying security patches doesn’t need to be explained to Cedric Bennett, former chief of information security at Stanford University. In mid-2003, the Blaster worm ripped through the school’s network and infected 8,000 of 25,000 Windows desktops. Restoring each affected PC’s original configuration took about four hours, so it theoretically took more than 30,000 hours of labor to mop up the mess.

That’s not even factoring in lost productivity of professors and others whose machines were immobilized. “There was a consensus among faculty members who told the CIO, ‘Don’t let this happen again,’” Bennett says. His team soon afterward adopted BigFix’s patch management system.

The number of vulnerabilities that surface in software has kept climbing. The sheer volume of holes—the Achilles’ heels of modern information systems—has made the process of manually updating operating systems and business applications ridiculously cumbersome.

Do the math. Bob Gentry, director of corporate infrastructure at Darden Restaurants, says patching Windows-based payment systems at 1,400 restaurant locations requires applying as many as 128,000 separate patches per month, based on Microsoft’s current run rate for security updates.

“We knew we had to streamline our process of managing vulnerabilities,” Gentry says. In 2004, the restaurant chain, which runs Olive Garden, Red Lobster and other eateries, rolled out software from BigFix to automate patch deployment.

Gentry won’t say how many staffers Darden used to devote to patching, but now one full-time employee spends just 20% of his time managing about 8,000 machines. Plus, the time to deploy patches was cut from “months to days, or even hours when necessary,” Gentry says.
