Return to patch central?
- By Florence Olsen
- Jun 07, 2004
General Accounting Office auditors are advising federal decision-makers to consider offering a software patch-management service for civilian agencies.
Homeland Security Department officials had offered such a service as recently as February, when they chose to drop it.
In a report released June 2, GAO officials said the federal government must deal more aggressively with the growing volume of security patches, which overwhelms the ability of agencies to manage them. More than half of the 24 agencies that GAO surveyed for the report indicated they lacked sufficient personnel and financial resources to manage the patching process effectively.
Robert Dacey, director of information security issues at GAO and principal author of the report, said a governmentwide patch-management effort would be more efficient and less expensive than the current piecemeal approach. But federal officials still face the challenge of working together to manage security patches.
"Because the management, architecture and resources of each agency vary, it is unlikely that a single solution will satisfy every need," Amit Yoran, director of DHS' National Cyber Security Division, testified last week before a House subcommittee chaired by Rep. Adam Putnam (R-Fla.). Earlier this year, DHS officials concluded that commercial alternatives are better than the free patch-management service the government had been offering to a small number of subscribers.
Yoran said a committee of the Chief Information Security Officers Forum is studying the patch-management problem to determine if one or more centralized services available to agencies could meet their needs. Forum members are senior agency officials responsible for cybersecurity.
When DHS officials dropped the federal patch-management service, they cited the low number of participants, the limited nature of the offering and the prohibitive cost of upgrading the service. The government had signed a $10 million contract with General Dynamics Corp. and its Veridian Corp. subsidiary in 2001 to provide such a service when few commercial tools and services were available.
But many companies now offer patch management as part of a package that includes vulnerability scanning, patch installation and asset management, according to officials at DHS and other organizations.
While federal managers search for the best way to deal with patch management, no one underestimates the software problems that agencies want to avoid, said Dacey, who testified last week before Putnam's subcommittee. Computer worms thrive by exploiting security holes in software and often spread faster than government agencies and businesses can patch the holes.
In January 2003, the Slammer computer worm caused network outages and slowed Internet traffic to a crawl. One of its targets was a nuclear power plant's network, Dacey said in his report. Nuclear Regulatory Commission officials said that after Slammer infected the network, it prevented computers from communicating with one another and disrupted the operation of two important systems at the nuclear facility.
Most of the problems Dacey describes in the June 2 report are less dramatic than the Slammer incident. But although many federal agencies have good policies, some have not developed patch-management procedures. Agencies do not consistently perform risk assessments of their software vulnerabilities, and most do not test all patches before installing them. GAO officials found that agencies also do not regularly monitor the status of the patches.
As federal officials consider how to deal with patch management, some security experts say the government should not form another centralized service.
A governmentwide procurement through SmartBuy, a federal program for purchasing commonly used software, could achieve better results, said Alan Paller, director of research for the SANS Institute, a nonprofit research and education group specializing in systems and network management and security.
"The goal," he said, "should be a governmentwide procurement of patch-management software, so agencies can get it inexpensively and implement it quickly."