FRAMINGHAM, Mass. — Hard-pressed IT security managers who find they can't keep up with the stream of patches required to harden their credit union's server operating systems are hardly alone, according to a leading research firm.
Forrester Research says a recent survey it took of security decision-makers at 118 different companies and organizations found that respondents patch their servers an average of eight days later than the 24-day limit that their operating system security policies typically specify.
"Our respondents also waste a full day each month handling security emergencies rather than solving new business problems," says Jennifer Albornoz Mulligan, author of the new report, "The State of Operating System Security 2007."
The Forrester survey found that 17% of the respondents didn't know their organizations' policies for time to patch, and nearly one-fourth didn't know how long it takes them to complete patches.
That means "they can't measure either the effectiveness of their security practices or their risk levels," Mulligan says, adding that, "thanks to inadequate budgets, just 21% of our server security chiefs have access to test environments that fully duplicate their operating environments."
She says more than a fourth, 28%, have no testing environment or have one that does not replicate the production environment, and "both these conditions increase the risk that changes to the production environment will fail and require removal."
Mulligan also found that "surprisingly, 8% of respondents aren't checking their server patch compliance levels at all–a dangerous prospect. Frequently, common viruses and exploits are preventable but take advantage of mistakenly configured or unpatched server operating systems."
"What separates successful server OS security managers who meet their goals from the rest? Monitoring and configuration tools and consistent, well-defined security processes," Mulligan says.
The Forrester survey found a wide range of policy and practice variation, from tightly run ships to hard-pressed operations moving from crisis to crisis.
The respondents spent an average of 32 hours a month handling urgent events, Mulligan says, but that "is severely skewed by those that spend more than one-quarter of their time handling emergencies. Forty-two of the respondents spend less than 10 hours per month on urgent events–while 28 spend more than 20 hours per month reacting to security problems.
"Clearly, some environments are tightly managed with few emergencies, whereas others operate mainly in reactive mode," the Forrester analyst says.
On another topic, only about half of the respondents say they harden all their servers, which Forrester calls a well-established best practice that includes shutting down all unnecessary services, deleting default user accounts and changing all original passwords.
Mulligan attributes that, too, to possible time pressures, since half of the respondents handle hardening manually, compared with 38% who use automated tools from the operating system supplier or third parties.
But not all is bleak, the report says.
"Although security managers are missing their patching deadlines, the average user is taking advantage of some of the tools provided to assist him or her," Mulligan says.
That includes tools from vendors such as CA, BMC Software, HP and IBM that automatically ensure servers are patched and in compliance, as well as taking advantage of default security role settings provided with the operating system.
The Forrester study found that OS security chiefs with tools or specified practices generally get close to or reach their server-patch compliance targets, whether they use automated or manual methods.
"The story is similar for server hardening," Mulligan says. "Those who use tools–and even those who harden their servers manually but follow specified processes–only miss their patching deadlines by between one and six days, while organizations using ad hoc hardening procedures are late by an average of 19 days."
Forrester's advice?
"Remember that server OS security is a continuous process rather than a one-time event," Mulligan says.
"Start by using default OS security profiles, hardening the servers further, maintaining patch compliance over time, and keeping server access permissions up to date. Focus first on hardening all of your Internet-facing and critical servers. Then track how long it currently takes you to patch and update your servers from when the patch is released," she says.
"Aim to reduce this time by 20% or for it to be shorter than a month–whichever is less. Some interviewees successfully maintain a 48-hour patch application window–so until you've hit that target, you can always make improvements."
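The measurement Mulligan recommends, tracking days from patch release to application against the policy window and deriving the "20% faster or under a month, whichever is less" target, as an added example in Python that is not from the article or from Forrester. The server names, patch IDs, dates and the 24-day policy window are constructed.

```python
"""Track server patch latency against a policy window (added example, not
from the article or Forrester). Server names, patch IDs, dates and the
24-day policy window are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class PatchRecord:
    server: str
    patch_id: str
    released: date
    applied: date | None  # None: still outstanding, so latency keeps growing


POLICY_DAYS = 24  # assumed policy limit, the typical figure the survey cites
AS_OF = date(2007, 4, 30)  # reporting date used for unapplied patches
SAMPLE_RECORDS = [  # constructed inventory: averages 32 days, 8 over policy
    PatchRecord("web-01", "PATCH-001", date(2007, 3, 1), date(2007, 3, 11)),
    PatchRecord("web-02", "PATCH-001", date(2007, 3, 1), date(2007, 4, 20)),
    PatchRecord("db-01", "PATCH-002", date(2007, 3, 5), date(2007, 3, 30)),
    PatchRecord("app-01", "PATCH-002", date(2007, 3, 5), None),
    PatchRecord("app-02", "PATCH-003", date(2007, 4, 1), date(2007, 4, 20)),
]


def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Days from release to application; unapplied patches count up to as_of."""
    return ((rec.applied or as_of) - rec.released).days


def compliance_report(records, policy_days: int, as_of: date) -> dict:
    """Average latency, days over policy, late patches and the recommended target."""
    if not records:
        raise ValueError("no patch records to measure")
    lags = [days_to_patch(r, as_of) for r in records]
    late = [r for r, lag in zip(records, lags) if lag > policy_days]
    avg = mean(lags)
    return {
        "average_days": avg,
        "days_over_policy": max(0, avg - policy_days),
        "late_patches": sorted(f"{r.server}:{r.patch_id}" for r in late),
        "compliance_pct": 100.0 * (len(records) - len(late)) / len(records),
        # Forrester's target: 20% faster than today or under 30 days, whichever is less
        "target_days": min(avg * 0.8, 30.0),
    }
```

Unapplied patches are counted up to the reporting date rather than dropped, so a server that never gets patched pushes the average up instead of silently disappearing from the metric.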
© Touchpoint Markets, All Rights Reserved.