
Blame Game: Patch Complacency Behind Zotob Success

After a tough week, system administrators are now being blamed for lackluster patch management and for contributing to the success of this week's bot worm attacks on Windows 2000 machines.

Complacent network administrators are partly to blame for the success of this week's bot worm attacks on Windows 2000 machines, a Gartner analyst said Friday.

"I'd have to blame the software developer first of all," said John Pescatore, a Gartner research director. "What's the point of pointing blame at hackers, who are, after all, criminals? There will always be criminals. None of these attacks would have been successful if the vulnerabilities had been caught during development."

But next on Pescatore's list is a complacent "it won't happen" attitude among system administrators, a slow patch process, and a resulting window of opportunity for hackers.

"Since we haven't had a major worm since last year's Sasser, enterprises have slacked off," Pescatore argued. "'Nothing bad this month, nothing here,' they've been saying as Microsoft rolled out monthly patches.

"It's like someone saying, 'it's not rained in two months, so I'll hold off fixing the roof.'"

Such complacency has struck before. In 2002, the year after the destructive Nimda and Code Red worms, there wasn't a single major outbreak. "People started to relax then, too, and when 2003 hit with Slammer, they weren't ready," said Pescatore. During the last round of big-time attacks -- the 18 months running from early 2003 with SQL Slammer to late spring 2004's Sasser -- companies pulled out the stops to secure their networks, said Pescatore. "They authorized overtime to push patches out as quickly as possible, got critical patches down to just two business days, and all patches down to five days."

But then patching got lax again.

"You can't relax," said Pescatore. "You have to pay attention to vulnerability management, and patch as quickly as you can."

Joe Wilcox, an analyst with JupiterResearch, wasn't as quick to blame administrators. "Deployment of patches can take time, but unfortunately, that time may not be available," he said. "Businesses aren't consumers, who can just automatically have Windows install patches. Businesses have to take time testing the patch for compatibility. Patching is a big chore. What's needed are better [patch management] tools.

"I'd blame the criminals, the hackers, definitely," said Wilcox.

Microsoft, he added, is in a damned-if-they-do, damned-if-they-don’t position.

"A lot of viruses appear after Microsoft releases information," he said. "That alerts hackers to an opportunity. But to keep the vulnerability secret, that's not in the best interests of customers, either. Microsoft's doing the right thing by releasing the information, but only when a patch is available."

On Thursday, U.K.-based security firm Sophos released the results of a poll in which 35 percent of the 1,000 respondents blamed Microsoft for the Zotob troubles, 45 percent pointed fingers at the hackers, but only 20 percent said that the successful attacks were due to slow patching by administrators.
