Security system to patch holes

FedCIRC

The Federal Computer Incident Response Center this month plans to release a revamped solicitation for a system that will automatically send security patches to civilian agencies, making it cheaper and easier to protect their systems from viruses and other threats.

FedCIRC began work.ing on the idea for an automated patch- dissemination system late last year and originally had planned to release a request for proposals by the end of August. But comments from agencies and industry revealed that the original RFP was too narrowly focused on operating systems, said Lawrence Hale, liaison director at FedCIRC. "We need to broaden the scope of it somewhat," Hale said.

The rewrite should be finished in time for FedCIRC to release the RFP before the end of the month. It will include patches for many of the standard applications used across government as well as for the commonly used operating systems. "We've learned a lot about what's out there, and the capability of the vendors has improved," he said.

The system is designed to raise the basic level of federal security by making it easier for agencies to fix vulnerabilities in commercial products.

Studies have shown that attackers continue to use the same vulnerabilities to get into systems, as in the case of the Code Red worm, because administrators have not installed readily available software patches. But the same studies show that administrators are often simply overwhelmed by the sheer number of patches available, or they do not even realize that a vulnerability or a patch exists.

Using the patch-dissemination system, agencies could submit and update a profile of their operating systems and applications. That way, system administrators would only get the patches that apply to their network configuration.

"We recognize this as a strong need within government," Hale said. "We think it will really help the posture overall and establish a baseline."

The system will have a "huge impact" on the cost of government security, said Alan Paller, director of research at the SANS Institute. It is the "first step in an im.portant shift in the way security is done in government."

It would centralize the most expensive part of patch distribution, which is the testing and analysis of the patches, Paller said. "That's a very expensive under.taking and takes your best people," he said. Centralization "radically increases the speed at which things are implemented."

But for the system to succeed, it must be more than a "patch warehouse" that simply stores patches in a single place, Paller said. Also, vendors and agencies will have to agree on a standard configuration so that those doing the testing have the same configuration as the people receiving automatic installation of the patches.

The automated patch-dissemination system could be just the motivator for agencies to move toward standard configurations, Paller said. "Security is the first one to get senior management attention," Paller said. "There's no agency that can manage security on 2,000 systems with lots of different configurations. [They] end up with spotty security."

Colleen O'Hara contributed to this article.