2003 has been the year of the Worm – worms such as Blaster, Slammer, Sobig (various forms) and Code Red, which can all be traced directly to exploitation of unpatched vulnerabilities. And the cost of these worms?.. Blaster worm costs are estimated to be at least $525 million, and Sobig.f damages are estimated to be from $500 million to more than one billion dollars. The new malicious code being released into the wild has focused on exploited known problems in unpatched systems. In fact, when you consider most attacks, they focus on finding and then exploiting vulnerabilities in code – look at all the scanners like NMAP and Nessus – focused on finding what systems are running and exploiting weaknesses. The latest worms merely automate this task, and focus upon a single exploit. We believe that 2004 will see a lot more activity in this space from Hackers. We believe the time taken from a vulnerability being announced, to a worm exploiting it, will reduce significantly. This is placing the Network Manager and his team under increased pressure to ensure ALL systems are patched to the correct level.

This requires a lot of management. The first thing for anyone looking to manage their systems is to baseline what they have on their network. Too often people only focus on their Windows systems. But it is not just Microsoft that suffer from vulnerabilities – think how many patches (including security patches) other vendors like Cisco release over the course of the year, and Apache is still the most popular web server on the Internet (nearly 70% according to Netcraft’s December 2003 Survey). This baseline needs to include all pertinent information – what hardware and what software is loaded. It is important to know that you will not try and patch a Windows NT system with a Windows 2003 patch. You need to establish a minimum patch level for all the systems on your network. This minimum will be based upon the O/S being run – and software running on top of it. Not all patches released by a vendor will be relevant to everyone. Therefore the baseline will be different for different people.


Before rushing out and patching every system, when a new patch is released, a Network Manager must understand the patch and what it is doing (it may not be relevant to you). It also needs to be tested on a test network running the business applications prior to be rolled out. The roll out of a patch could compromise your business if it breaks the business software and stops everyone from working. It would not be the first time…

All patch management needs a full audit trail, which must include whether an installation has been successful. How many times have people been caught out when they thought they had updated software only to find the install did not complete.