CREATING A PATCH AND VULNERABILITY MANAGEMENT PROGRAM
The level of damage caused by an attack can be quite severe. A number of Internet worms (self-propagating code that exploits vulnerabilities over the Internet) such as Code Red, Nimda, Blaster, and MyDoom have been released in recent years. These worm outbreaks share some common data points. First, as the authors of worm code have become more sophisticated, the worms have been able to spread faster than their predecessors. Second, each one hit hundreds of thousands of computers worldwide. Most importantly, each one of them attacked a known vulnerability for which a patch or other mitigation steps had already been released.[3] Each major outbreak was preventable.
Benjamin Franklin once said that “an ounce of prevention equals a pound of cure.” Patch and vulnerability management is the “ounce of prevention” compared to the “pound of cure” that is incident response. The decision on how and when to mitigate via patching or other remediation methods should come from a comparison of the time, resources, and money to be spent. For example, assume that a new computer worm is released that can spread rapidly and damage any workstation in the organization unless it is stopped. The potential cost of not mitigating is described by the following equation:

Cost not to mitigate = W * T * R

where W is the number of workstations, T is the time spent fixing systems or lost in productivity, and R is the hourly rate of the time spent.[4]
For an organization where there are 1000 computers to be fixed, each taking an average of 8 hours of
downtime (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a
computer to do work) at a rate of $70/hour for wages and benefits:
1000 computers * 8 hours * $70/hour = $560,000 to respond after an attack.
Compare this to the cost of manual monitoring and prevention. Assume the vulnerability exploited by the worm and the corresponding patch are announced before the worm is created. Historically this has held true, as true zero-day attacks are not frequent. Manually monitoring for new patches for a single workstation type takes as little as 10 minutes each day, or 60.8 hours/year. Applying a workstation patch generally takes no more than 10 minutes. This makes the cost equation:
60.8 hours monitoring * $70/hour = $4,256 monitoring cost per year
0.16 hours patching * 1,000 computers @ $70/hour = $11,200 to manually apply each patch
Total cost to maintain the systems = $4,256 + $11,200/patch.
For any single vulnerability for which a widespread worm will be created, manual monitoring and patching is much more cost-effective than responding to a worm infection. However, given that patches are constantly released, manual patching becomes prohibitively expensive unless the operating environment consists of only a few software packages (thus decreasing the total number of patches needed) or the organization relies on end users to patch their systems (thus distributing the patching workload, but also introducing a need for patch installation oversight). Since few organizations use a small number of software packages or can rely on end users to effectively patch their systems, widespread manual patching is not a cost-effective organizational approach.[5]
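The cost comparison above, written out as an added example (not part of the NIST document) so the figures can be recomputed for a different fleet. It uses the page's own numbers as defaults and also derives the break-even patch count at which yearly manual patching costs as much as one fleet-wide outbreak, which the text argues only qualitatively; the assumption that one outbreak per year is avoided and that every patch goes to every workstation is ours, not the page's.

```python
# Added worked example; constants below are the page's figures, not live data.
WORKSTATIONS = 1000            # W: workstations to clean up or to patch
HOURS_PER_REBUILD = 8.0        # T: 4 h technician rebuild + 4 h lost owner productivity
HOURLY_RATE = 70.0             # R: $/hour wages and benefits
MONITOR_HOURS_PER_YEAR = 60.8  # ~10 min/day watching for patches, one workstation type
PATCH_HOURS_PER_HOST = 0.16    # ~10 min to apply one patch (page's rounded figure)


def cost_not_to_mitigate(workstations=WORKSTATIONS, hours=HOURS_PER_REBUILD,
                         rate=HOURLY_RATE):
    """Cost not to mitigate = W * T * R: rebuilding every host after the worm hits."""
    return workstations * hours * rate


def cost_per_patch(workstations=WORKSTATIONS, patch_hours=PATCH_HOURS_PER_HOST,
                   rate=HOURLY_RATE):
    """Labour to apply one patch by hand across the whole fleet."""
    return patch_hours * workstations * rate


def annual_maintenance_cost(patches_per_year, workstations=WORKSTATIONS,
                            rate=HOURLY_RATE, monitor_hours=MONITOR_HOURS_PER_YEAR,
                            patch_hours=PATCH_HOURS_PER_HOST):
    """Fixed yearly monitoring cost plus manual application of every patch released."""
    fixed = monitor_hours * rate
    return fixed + patches_per_year * cost_per_patch(workstations, patch_hours, rate)


def breakeven_patches_per_year(workstations=WORKSTATIONS, rate=HOURLY_RATE):
    """Patches per year at which manual maintenance equals the cost of one outbreak.
    Assumption (ours): exactly one fleet-wide incident per year is prevented."""
    incident = cost_not_to_mitigate(workstations, HOURS_PER_REBUILD, rate)
    fixed = MONITOR_HOURS_PER_YEAR * rate
    return (incident - fixed) / cost_per_patch(workstations, PATCH_HOURS_PER_HOST, rate)


if __name__ == "__main__":
    print(f"Respond after an attack:      ${cost_not_to_mitigate():>12,.0f}")
    for n in (1, 12, 50, 100):
        print(f"Manual patching, {n:3d}/year:    ${annual_maintenance_cost(n):>12,.0f}")
    print(f"Break-even: {breakeven_patches_per_year():.1f} patches/year")
```

Past roughly 50 patches a year, manual patching alone costs more than the single outbreak it prevents, which is the point at which the text says automation or end-user delegation becomes necessary.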
[3] Since the late 1990s, the length of time between the announcement of a new major vulnerability and the release of a new exploit has dropped from months to weeks or days.

[4] In addition to the costs identified through this formula, a security incident could also cause damage to an organization’s reputation. This is most significant for organizations that are entrusted with sensitive information or operations. When determining the potential cost of not mitigating, an organization should consider the possible impact to its reputation.

[5] Manual patching is still useful and necessary for many legacy and specialized systems.