Security fixes overwhelming IT managers

The number of required security patches and updates to security products during the past 12 months has so overwhelmed IT managers at most companies that the process now places network security at greater risk, a new study concludes.

The study, conducted by U.K.-based managed security service provider Activis, a subsidiary of Germany-based Articon-Integralis AG, found that security managers at a company with an IT infrastructure consisting of only eight firewalls and nine servers would have had to make 1,315 updates to those systems in the past nine months alone, equal to five updates per working day. That number is based on the total number of updates and patches released during that time frame by some of the major software and security vendors.

In addition, IT managers at companies of this size would have to manage more than 500,000 log file entries every day. Each firewall generates an average of 200,000 to 300,000 log entries and 20 alerts per day, according to the Activis study. Likewise, each network sensor will generate between 20 and 50 console alerts per day, and each server sensor will generate between one and 20 console alerts per day, the study found.

John Cheney, managing director of Activis, said the study looked at a typical configuration used by most companies, including Microsoft Corp.’s NT Servers, SQL Server and Exchange; Check Point Software Technologies Ltd.’s firewall products; Sophos Inc.’s antivirus applications; and Internet Security Systems Inc.’s RealSecure network and server scanners.

Although most software vendors advise companies to install every patch that is issued, Cheney said, “with many organizations using hundreds of servers, it is unrealistic to expect them to update every server with every new patch.” If installing patches and updating systems for security vulnerabilities overwhelms IT managers, Cheney recommends that they start with public-facing systems such as Internet sites and Web portals.

And while companies like Microsoft have attacked the problem of patch management with several recent automated tools, Cheney said that automated installation and the downtime caused by rebooting servers after patches are installed remain major challenges the security industry must still address.

An IT manager at a large commercial bank in the Northeast, who spoke on condition of anonymity, said there are often more changes and details to track than there are people to do the work. As a result, a security “exposure or misconfiguration is always possible,” the manager said.

In most cases, however, these exposures and misconfigurations are obscure flaws in the logic that don’t enable hackers to gain entry, but instead lock legitimate users out of the network, the bank IT manager said.

In a recent interview, David John, first vice president and CIO of Bayerische Landesbank Girozentrale, a Munich-based bank with offices in the U.S., acknowledged the importance of having enough human resources to get the job done properly.

“Although IT security and infrastructure are necessary, they often neglect the obvious fact that no matter how sound your design, without administrators, operators and required support personnel, what good is it?” said John.

Landesbank is currently researching metadirectories to simplify administration and free up resources to concentrate on security, he said.

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., said the recent economic downturn, combined with the heightened sense of security awareness, has forced many of his corporate clients to increase their focus on intrusion detection and managed vulnerability scanning.