In the past month or so, some 9 million PCs have become infected by a worm which would not exist at all if users had applied a Windows security patch way back in October 2008. Davey Winder considers the impact of poor patching on public sector security.
IT managers get quite excited every fortnight, on what has come to be called “Patch Tuesday”. It’s the time when Microsoft releases its scheduled security patch updates, and it has become a famous and permanent fixture on the IT calendar.
It isn't just Microsoft operating systems and applications that need to be maintained in order to combat emerging threats. Whichever OS you use, whatever applications are installed, you need to ensure they are always kept up to date with the very latest security fixes. If everyone did that, and kept their antivirus applications bang up to date as well, then we would not have problems like the ‘Conficker’ worm running riot right now. (Yes, its name does mean something less than savoury in German. Unpleasant virus names come with the territory, I’m afraid).
So, Conficker. Or Kido, or Downadup as it’s also known. Call it what you like, it’s widespread right now. As I write this, Conficker has managed to infect in excess of 9 million users in little over a couple of weeks. It adopts the guise of the Windows services.exe executable in order to bury itself deep in the OS; it then modifies the Registry and gives itself permission to run as a proper service.
Then the fun starts with the installation of an HTTP server on your system in order to start loading more malware and readying itself for whatever payload it has coming at some point in the future. By resetting the Windows System Restore point, it even makes sure it can come back from the dead. The people behind it will almost certainly unleash a mega-botnet when enough users are infected, although you might think close on 10 million was enough for anyone.
And what allows Conficker to survive? Poor patch management, that's what. If people had installed MS08-067, a patch from way back in October 2008, it would simply not be a problem. But millions, as evidenced by the numbers getting infected, have not done so.
Others, while usually on the ball regarding patches, took their eye off it at just the wrong moment. According to reports, teaching hospitals across Sheffield were infected by Conficker because 8000 PCs had their Windows security updates switched off, meaning they got no more security patches. While the clean-up process went on, several non-urgent appointments had to be cancelled. Apparently the updates were temporarily disabled after some PCs rebooted mid-surgery just before Christmas.
Although I am sure the IT department acted with the best interests of patients in mind, disabling updates across an entire network to 'avoid further disruption' is a typical case of using a sledgehammer to crack a nut. Surely isolating the impacted portion of the network would have made more sense? Whatever the rights and wrongs of it, the episode certainly helps highlight the importance of patch management.
Patch management is a vital, critical part of your security strategy. The patch management process should be seen as the channel through which your security updates are deployed, and as such treated strictly as a security priority rather than a systems maintenance issue. The bottom line, as can clearly be seen with the Conficker problem, is that unless you have both a mechanism to install security updates in a timely fashion and a will to ensure that such patch distribution is a high priority, then the virus writers will take advantage of your apathy and that will impact upon your users.
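As an added example (not code from this column), here is the kind of quick audit an IT department could run on a Windows machine to catch the two failures described above: the missing MS08-067 patch and automatic updates having been switched off. It assumes MS08-067 was shipped as KB958644, that the update service is named wuauserv, and that the standard Automatic Updates policy key is in use; verify each of these against your own environment.

```powershell
# Added example: audit one host for (1) a missing MS08-067 patch and
# (2) automatic updates having been disabled. Not the column's own code.
param(
    [string]$PatchKb = 'KB958644'   # assumed to be the KB id for MS08-067
)

function Test-PatchState {
    param([string]$Kb)
    $findings = @()

    # 1. Is the patch that closes the hole Conficker uses installed?
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    if (-not $hotfix) {
        $findings += "MISSING PATCH: $Kb is not installed"
    }

    # 2. Has the update service been disabled outright?
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc) {
        $findings += "UPDATE SERVICE: wuauserv not found"
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings += "UPDATE SERVICE: wuauserv start mode is Disabled"
    }

    # 3. Has automatic updating been turned off by policy?
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings += "POLICY: NoAutoUpdate=1 (automatic updates switched off)"
    }

    return $findings
}

$results = Test-PatchState -Kb $PatchKb
if ($results.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME is patched and updates are enabled"
    exit 0
}
$results | ForEach-Object { Write-Output "$env:COMPUTERNAME - $_" }
exit 1
```

Run it from a scheduled job or a management host and treat a non-zero exit as a ticket to raise, so that a temporary 'switch updates off' decision cannot quietly become permanent.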