January 28, 2005 4:00 AM PST

Patching up problems

(continued from previous page)

recognizes specific threats, in favor of behavioral-based techniques, where certain activities are recognized as more threatening.

Increasingly, virus writers make small changes in their code, such as the subject header in an e-mail or the extension of the file, to confuse signature-based security. That means a more useful way to tune system defenses is to focus on the general behavior of a program to determine if it is a virus, Gartner analyst Mark Nicolett said.

In addition, system administrators are looking more intently at network access control to stop employees who are working remotely from spreading viruses, he said. This could also prevent attackers who hitchhike on those workers' systems from getting easy access to the corporate network.

"Companies want to get control of what is allowed on the network before they get full connectivity," Nicolett said. Many businesses increasingly have deals with suppliers and partners that give other companies access to some parts of their corporate network.

For example, Qualcomm is considering adding security to every device on a network as a way to stave off such threats, Threlkeld said.

"There is a higher percentage of mobile workers and contractors and sharing of data outside companies these days," he said. "So the next push in the future may be to get rid of corporate firewalls and replace them with a virtual firewall around each employee's system."

A personal firewall on each individual target system, such as a workstation or server, could give managers finer control over the security settings of each device, administrators said. However, the effort would require greater labor to install, or better automation.

New technologies

Threlkeld noted that he is looking forward to Microsoft's Network Access Protection, which is designed to help companies fend off viruses and worms by checking devices before they dock onto the network. NAP, which will be part of Microsoft's Longhorn update to its server software, is not expected to be released until 2007.

Security sellers are also looking for ways to help administrators get enough time to test patches before they're installed. In February, for example, LANDesk Software launched a patch management product as part of its LANDesk Security Suite. The product is designed to enable system managers to queue up a patch across their network, so that once testing of a patch is completed, it can be deployed in minutes.

"Sales took off real fast and now comprise 12 percent of our revenues," said Dave Taylor, vice president of worldwide marketing for LANDesk, a Utah-based server management company that last year expanded into the security tools market.

Other technologies are on the horizon, Eschelbeck predicted. "In the next three or four years, we'll see a kind of virtual patching," he said. "These technologies will be able to protect a system automatically, based on some basic attributes of the vulnerability."

Not all technologies are looking to downgrade the importance of patching, however. Automating the patching process is another approach that is gaining popularity, said David Rice, a senior partner at Monterey, Calif.-based consultancy TantricSecurity.

Rice said the best solution for resolving security vulnerabilities lies with software makers, which should fix code before it's put on sale. Patching a bug after an application is released increases costs to the developer more than a hundredfold, Rice said.

"If you catch a bug when the software is in development, it's a $1 fix," he said. "But catch it afterwards, it's more like $100 to fix. It just makes sense in terms of cost to release secure code."


4 comments

I believe the real answer lies in...
...hardware security at the edge:

http://www.wave.com
Posted by ordaj (319 comments )
I agree but..
Right up until some nit-wit (your favorite manager here) takes their laptop on the road, using it from every open WI-FI they can find, letting their kids play games on it, you name it, then bringing it back inside the network.
Hardware at the edge is VERY important, but there is no one magic solution.
Posted by catchall (246 comments )
Just waiting for someone to say that Mac OS X is the answer
I'm surprised no one has yet suggested that Macintosh OS X is the solution. Everyone knows that Apple customers never have to download software patches, right?

(In case it isn't obvious, this comment is meant to be sarcastic.)
Posted by rpms (96 comments )