Be secure: 'Plan, don't patch', says AV pioneer

Embrace risk, not patches...

By Will Sturgeon, 3 October 2005 15:50

NEWS Companies are putting too much faith in patching software and investing too little time in proper risk assessment, according to a pioneer of antivirus software.

Dr Peter Tippett told silicon.com the current approach to security has become outdated, counterproductive and too costly. He also controversially suggested companies only patch their computers once per year.

Tippett's early work in antivirus was the genesis of the Norton AntiVirus product line, but he now says modern antivirus companies and the reactive approach of businesses must change, citing massive cost savings and protection against "real threats" as the major benefits.

Tippett's words echo the growing voice of support for a move towards a risk-based approach to security.

As such, Tippett, CTO of security company CyberTrust, now dedicates much of his time to monitoring "the underground", working out the likelihood of malicious code being written to exploit emerging and existing technologies and "knowing exactly what the real problems are".

Tippett likened the necessary intelligence-gathering and risk assessment to the very British obsession with checking the weather forecast.

"Predicting the weather is not a perfect science but it can help a lot," said Tippett, who advises companies to spend more time assessing risk and the probability of attack rather than waiting for the window of vulnerability to open and then rushing to batten down the hatches.

"Companies who decide that patching is going to be their primary method of defence are always going to be worse off than average and are going to spend more and more money on security each year. If you can patch 100 per cent you will be protected against a lot of threats but nobody does or can patch 100 per cent," said Tippett. "The average is around 70 per cent."

"Patching works well if you have one computer. It even works well if you have three computers but if you have 10,000 then forget about it.

"There are all kinds of computers which are not known about by the management. There are mobile workers and protected computers which are never touched except during a service window."

"It would therefore be a mistake to put any faith in patching," said Tippett. "I'd say patch your computers once per year. Plan it three or six months in advance and you'll at least be able to get hold of all laptops and computers."

"Get it done properly and get all your computers to a situation where software is within a year old."
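The argument above turns on the difference between a patch-coverage percentage and the risk that is actually left over. The following is an added illustrative model, written for this page and not Tippett's, CyberTrust's or the article's own method: a constructed fleet of ten hosts at the "around 70 per cent" coverage the article cites, with made-up exposure classes, attack likelihoods and impact weights. It shows that two plans with identical coverage can differ in residual risk by two orders of magnitude, and that hosts the patch run cannot reach (the mobile and unknown machines Tippett mentions) stay in the residual no matter what the coverage figure says.

```python
"""
Added illustrative model (not from the article, Tippett or CyberTrust): why a
patch-coverage percentage says little about risk, and how a risk-ranked plan
spends the same patching effort better. Every host, weight and likelihood
below is constructed for the example.
"""
from dataclasses import dataclass, replace

# Assumed likelihood that an unpatched host of each exposure class is actually
# attacked during the planning window. These are stand-ins for the
# threat-intelligence estimate the article describes, not real figures.
ATTACK_LIKELIHOOD = {"internet": 0.6, "dmz": 0.4, "internal": 0.1, "offline": 0.01}


@dataclass(frozen=True)
class Host:
    name: str
    exposure: str           # key of ATTACK_LIKELIHOOD
    patched: bool           # patched against one hypothetical vulnerability
    impact: float           # loss if compromised, arbitrary units
    reachable: bool = True  # False: mobile or unknown host a patch run cannot touch


# Constructed fleet: 7 of 10 patched, i.e. roughly the 70 per cent the article cites.
FLEET = [
    Host("web-01", "internet", True, 100),
    Host("web-02", "internet", False, 100),
    Host("vpn-01", "internet", False, 90),
    Host("mail-01", "dmz", True, 80),
    Host("db-01", "internal", True, 200),
    Host("fileserver", "internal", True, 60),
    Host("hr-desktop", "internal", True, 30),
    Host("laptop-17", "internal", False, 20, reachable=False),  # mobile worker
    Host("lab-box", "offline", True, 10),
    Host("kiosk", "offline", True, 5),
]


def expected_loss(host):
    """Risk contribution of one host if it is left unpatched."""
    return ATTACK_LIKELIHOOD[host.exposure] * host.impact


def patch_coverage(hosts):
    """Fraction of hosts patched: the metric the article says firms over-trust."""
    return sum(h.patched for h in hosts) / len(hosts)


def residual_risk(hosts):
    """Sum of expected loss over the hosts still unpatched."""
    return sum(expected_loss(h) for h in hosts if not h.patched)


def rank_by_risk(hosts):
    """Hosts ordered by expected loss if unpatched, highest first (stable on ties)."""
    return sorted(hosts, key=expected_loss, reverse=True)


def plan_patches(hosts, budget):
    """Names of up to `budget` reachable hosts to patch, highest expected loss first.
    Unreachable hosts are skipped, so they stay in the residual risk: that is the
    exposure a bare coverage number hides."""
    chosen = [h for h in rank_by_risk(hosts) if h.reachable][:budget]
    return [h.name for h in chosen]


def apply_plan(hosts, names):
    """Model spending the same patch budget on a different set of hosts: the named
    hosts become patched and every other host is treated as unpatched."""
    wanted = set(names)
    return [replace(h, patched=(h.name in wanted)) for h in hosts]


def compare(hosts, budget):
    """Baseline (coverage, residual risk) versus a risk-ranked plan of the same size."""
    planned = apply_plan(hosts, plan_patches(hosts, budget))
    return {
        "baseline": (patch_coverage(hosts), residual_risk(hosts)),
        "risk_ranked": (patch_coverage(planned), residual_risk(planned)),
    }


if __name__ == "__main__":
    budget = sum(h.patched for h in FLEET)  # same number of patches as the baseline
    for label, (cov, risk) in compare(FLEET, budget).items():
        print(f"{label:12s} coverage={cov:.0%}  residual risk={risk:.2f}")
    print("patch first:", plan_patches(FLEET, 3))
```

With the constructed numbers both plans report 70 per cent coverage, but the baseline leaves two internet-facing hosts unpatched (residual 116) while the risk-ranked plan leaves only the unreachable laptop and two offline boxes (residual about 2). The laptop never appears in any plan, which is the point of tracking reachability separately from coverage.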

Companies that have already moved away from the reactive, fire-fighting approach to security are claiming significant savings, such as a halving of the IT budget at insurance giant Zurich, as covered recently by silicon.com.

According to Tippett: "These companies spend less money on scanning and less money on paying people to run around patching like crazy."

Tippett agreed with the recent assertion of Gartner analyst Jay Heiser, an advocate of the risk-based perspective, that such an approach will come from the business and not from the techies.

"Technical people see things in a binary way. They adopt a 'world is flat' approach. The higher up the organisation you go, the more this starts making sense."

Comments


  1. Steve Berry

    There's obviously an economies of scale issue here. Generally the more boxes, the more effort; there I agree with the article contributor.
    However, there are tech scenarios where this just isn't feasible - particularly with public facing / DMZ based scenarios, for example.
    Just about anything that is public facing in the current climate really does need to be patched.
    Can you imagine the potential for chaos, particularly with MS based systems if those systems go unpatched ??
    The top-down view espoused in this article is fine in theory if all companies lived in islands/enclosed intranets, but that just simply isn't/won't be the case for most.

  2. Andrew Snell

    This is a very surprising viewpoint when you consider the disruption caused by viruses such as Sasser. At the time Microsoft stated that those companies that regularly and automatically applied security patches were often unaffected. With so many viruses/exploits being written every month, carrying out this exercise as little as once per month is a huge risk.

  3. James Templeton

    This is very true. 'Risk' includes everything, though for example take the problem of staff opening attachments they shouldn't. While a patch might protect the company the likelihood is it won't patch every PC. Therefore a more effective way to avoid problems is to put in place measures, both educational and functional to stop that attachment being opened. You can't patch effectively, so manage effectively instead - and this isn't a technical issue all of the time.

  4. anonymous too

    This idea that you can mitigate risk as a paper exercise just ignores the potential problem. Although the idea may seem sound, this idea of "just analysing the risk" makes the same mistake as "just patching the system".

    The sensible approach is to include the senior techs in the business design/analysis; you'd be surprised how much they can contribute. I've never met a tech who didn't know a better/cheaper/safer way of achieving at least one of the business processes.

    Once again the strawman approach, deriding the skills of the techs, does no one any good. Dr Tippett, you do yourself no favours by trying to make yourself look good at the expense of others.

    This tirade of abuse will continue to push the Techs away from the line of business, when business should be embracing IT from day 1. Thanks for perpetuating the them and us scenario.

    PS Oh, and the fallacy of your strawman approach? You assume that techs get some kind of kick out of patching... they don't! They hate it; they would rather see a better solution in place. Go ask one, you might learn something.

  5. J Walker

    During the process of risk assessment, wouldn't it be even slightly prudent to reduce risk where feasible by choosing an alternative, less risky path?

    We don't seem to be able to apply this logic to systems and spread risk by introducing a degree of heterogeneity.

    Is this considered infeasible? Surely, until we feel free enough to take such measures, 'plan, don't patch' is equal to 'make your bed and lie in it'.

  6. anonymous

    If you "embrace risk, not patches" as suggested then you will soon be cleaning windows for a living!

    How many sec managers got screwed over Zobot because they thought the risk was low... not me!
