How often should I be doing this?

Recently a client whose server had just been compromised by the SQL Slammer worm told us he had "applied the patch this summer." By some accounts, that should have protected him. But it got us thinking again about lies, damned lies and statistics: how often should we tell our clients their systems need to be updated, and what is it going to cost?
[Figure: bar graph of the number of updates, RedHat vs. Microsoft]
The graph above represents (in a crude fashion) the number of security advisories released by our two primary operating system vendors over the past few years. That gives us a point of departure, and don't worry, this isn't an OS crusade. We think the manufacturers do a fine job of supplying the patches. Problems occur when the patches aren't applied correctly or, more often, when they aren't applied in time.
Last year RedHat released 293 security and bug advisories. Not all of these are security related; a good many cover bugs with no security impact. But that is still roughly one advisory per work day. The cost of each ranges from almost nothing, to review an advisory for software you don't run, up to the hour or so that a kernel upgrade typically takes; kernel upgrades come around about three times a year. By our estimate it works out to about 51 hours a year for a single server, and that counts only the time to read and apply the updates, not testing or the downtime of a reboot.
Or, you can look at it from the other side of the coin. Windows boxes were disabled by Code Red and Nimda in 2001, and more recently we saw large disruptions on the Internet because of the Slammer worm, which affected (and was spread by) unpatched Microsoft SQL Servers. These disruptions to business cost the global economy heavily. The cost can be measured in the price of recovering from the intrusions and getting running again, the business lost while operations are disrupted, and sometimes in actually losing customer confidence. On the web, if they don't have confidence in you, they have a choice.
Some figures place the worldwide cost of Code Red at 2.6 billion dollars. While 2.6 billion is a rather abstract number, the more recent Slammer worm caused outages in Bank of America Corp.'s ATM network, a direct effect that most Americans can probably relate to. In addition to banking networks, other networks one would expect to be isolated from Internet attack were affected. In an extreme instance showing the potentially global nature of this issue, China Telecom, a nationwide phone company, shut down all international calls for the weekend, with only limited service being restored.
JSW4.NET offers a service, for a nominal monthly fee, to keep your business servers up to date if you have a dedicated Internet connection with secure remote access.
