Free Republic
Browse · Search
News/Activism
Topics · Post Article

This thread has been locked, it will not receive new replies.
Locked on 05/06/2004 5:26:54 PM PDT by Admin Moderator, reason:

duplicate http://freerepublic.com/focus/f-news/1130784/posts




Gartner: Worms Jack Up the Total Cost of Windows
TechWeb ^ | May 5, 2004 | Gregg Keizer

Posted on 05/06/2004 2:03:06 PM PDT by zeugma

Gartner: Worms Jack Up the Total Cost of Windows
May 5, 2004 (2:58 p.m. EST)
By Gregg Keizer, TechWeb News

Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday.

Mark Nicolett, research director at Gartner, recommended that enterprises boost spending on patch management and intrusion prevention software to keep ahead of worms, which are appearing ever sooner after vulnerabilities in Windows are disclosed.

This is part of the carrying cost of using Windows, said Nicolett. The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology.

Although he placed some caveats on his numbers, Nicolett said that informal surveys with Gartner clients indicate that simply moving from a no rapid patch deployment capability to an ongoing process that can respond quickly to vulnerabilities raises the cost of using business by about 15 percent.

Nicolett's advice stemmed from the recent outbreak of the Sasser worm, which began striking Windows systems last Friday and has infected a large number of machines world-wide, with estimates ranging from 100,000 to well into the millions.

The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely, said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site.

The need to deploy faster patch management solutions, and other technologies -- including intrusion detection systems -- comes from the incredibly shrinking window between vulnerability and exploit, added Nicolett. The window is getting tighter, and as it does, that forces users to be more aggressive in how they deploy a patch. That, in turn, can lead to other problems, as QA testing of the patch goes out the window.

Compared with MSBlast of last summer, Sasser arrived sooner, said Nicolett. The appearance of Sasser makes the shortest time ever -- just 18 days -- between the appearance of a vulnerability and the beginning of an attack. The previous record by a widespread network worm was held by MSBlast, at 25 days.

Ideally, you begin to QA the patch immediately after the patch is documented. What companies really want to do is let those patches 'age' a bit to discover the secondary impact, and document problems with other applications. But with a rapid appearance of a worm, there's no chance for that.

Because many of the vulnerabilities that continue to be identified in Windows 2000, XP, and Server 2003 are easily exploited, Nicolett said, attackers are sure to develop future worms whose impact is equal to, or even more severe, than that caused by Sasser, MSBlast, or the Slammer worm of early 2003.

Enterprises that are dependent on Windows must invest in means to patch faster, he said.

In addition, personal firewall, anti-virus, and behavior-based intrusion prevention software should be rolled out for all Windows PCs and servers. Patch management is not enough, said Nicolett. Enterprises also need perimeter protection.

Even though the market for host-based intrusion prevention software won't mature until the end of 2005, Nicolett advised enterprises to budget for and purchase such products now to secure critical Windows-based systems.

Intrusion prevention gives enterprises some breathing room, he said. They don't have to panic when the vulnerability clock starts ticking.

And the cost of such protection should be included in all total cost of ownership (TCO) calculations when alternatives to Windows are evaluated, he added.

It seems many enterprises have already taken Gartner's advice to heart. Companies are getting more aggressive in patching servers, for instance, said Nicolett, and scheduling more downtime to deploy those patches.

They learned their lesson with last summer's MSBlast. We saw a drastic increase in calls from clients who wanted to aggressively deploy some form of patch management after MSBlast. In general, it seems a larger percentage were better prepared this time around.

That may explain why Sasser didn't have quite as much traction as MSBlast, Nicolett and others theorized this week.

According to a Microsoft spokesman on Wednesday, more than 200 million users had downloaded the patch for the vulnerability exploited by Sasser, compared with only tens of millions who had downloaded the fix for the MSBlast-exploited vulnerability last summer at the same interval after that worm appeared.


TOPICS: Business/Economy; Culture/Society; Technical
KEYWORDS: linux; operatingsystems; windows
A true no-brainer. I wonder how much this latest Microsoft worm has cost the world?
1 posted on 05/06/2004 2:03:06 PM PDT by zeugma

To: rdb3
Tech/penguin ping. Come laugh at windows users wasting time/money/effort.
2 posted on 05/06/2004 2:04:22 PM PDT by zeugma (The Great Experiment is over.)

To: zeugma
People who create these worms should be jailed in proportion to the amount of money it costs all users - maybe a life sentence in the worst cases. You'd only have to have a couple of these sentences and intrusions would drop off markedly.
3 posted on 05/06/2004 2:08:52 PM PDT by henderson field

To: zeugma
Mr. FourPeas works in IT Security. They use an automated system to roll-out patches as well as upgrades to a variety of their software. On a global network with lots and lots of mobile computing including RAS and VPN, they saw no instances of Sasser. It cost them virtually nothing since they originally purchased the management software for other purposes. Actually, the whole Sasser thing was pretty interesting to watch, considering his networks were safe.
4 posted on 05/06/2004 2:14:29 PM PDT by FourPeas (By dint of railing at idiots, we run the risk of becoming idiots ourselves. ~Gustav Flaubert)

To: zeugma
I never have to disinfect my Macs..... period
5 posted on 05/06/2004 2:16:16 PM PDT by HangnJudge

To: zeugma
If you have educated employees and decent IT people, I seriously doubt that this is a problem.

I don't know what this writer means by fast deployment of patches, but most of the email viruses we've seen have come down the pike at least a month or two after the patch was available on Windows Update. Usually they are available even earlier for people willing to download the file, which is what most IT people would probably do.

At NYU, we have maybe, at a guess, 50,000 computers or more scattered around among faculty, staff, and students. All you need to do is update your AV and your system, and there's no problem.

I understand that some businesses don't want employee computers directly accessing the net. In that case, they need to have good IT staff.
6 posted on 05/06/2004 2:36:36 PM PDT by Cicero (Marcus Tullius)

To: zeugma; Paul Ross; Orion78; JohnOG; Noswad; Havoc; DarkWaters; Sean Osborne Lomax
I'd like to rephrase it. Cyber enemies, writing malicious code, and using stolen IP, are attacking Western networks. They are part of the Red Mafiya and may be working on behalf of the SVR. I think the DoD needs to respond.
7 posted on 05/06/2004 2:42:24 PM PDT by GOP_1900AD (Stomping on "PC," destroying the Left, and smoking out faux "conservatives" - Right makes right!)

To: henderson field
The Kremlin say they consider a cyber attack against Russia to be a WMD attack, and pledge to use nukes in retaliation if any such attack were to be traced to specific nation state sponsorship. Do we need a similar policy?
8 posted on 05/06/2004 2:43:49 PM PDT by GOP_1900AD (Stomping on "PC," destroying the Left, and smoking out faux "conservatives" - Right makes right!)

To: HangnJudge
Cause it ain't worth some hacker's time to infect the 15 or 20 programs that will run on a mac....You can bet your ass that if everyone in the World used Macs, the worms would be everywhere just like on MS windows. It's not the machine, it's the number of users...
9 posted on 05/06/2004 3:22:26 PM PDT by B.O. Plenty

To: B.O. Plenty
It's not the machine, it's the number of users...

No, it's not the number of users.

Note the number of successful exploits of Apache vs. the number of successful exploits of IIS.

And Apache is installed on nearly 70% of all Internet-reachable web servers. Microsoft's IIS, just over 20%.

It's not the number of users, it's the design. Mac OS since OS X is based on FreeBSD. Its design makes infection by malicious code substantially more difficult, no matter how many attempts are made.

10 posted on 05/06/2004 3:32:23 PM PDT by Knitebane

To: Knitebane
.....substantially more difficult........yeah, but I note that you didn't say that it is impossible. What I said, stands....if everyone ran macs, and there was potential to do great damage, there would rise up a legion of mac hackers....just like mswindows hackers.
11 posted on 05/06/2004 3:39:29 PM PDT by B.O. Plenty

To: B.O. Plenty
What I said, stands....if everyone ran macs, and there was potential to do great damage, there would rise up a legion of mac hackers....just like mswindows hackers.

What you say doesn't stand. If everyone ran Macs, there may well be a legion of Mac attackers, but the effect would be much less due to its design. Windows suffers from so many successful attacks because of its design.

It's not a numbers game, it's a design game, and Redmond has never decided that it wants to win the design game.

12 posted on 05/06/2004 3:54:23 PM PDT by Knitebane

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson