Gartner: Worms Jack Up the Total Cost of Windows

Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday.

Mark Nicolett, research director at Gartner, recommended that enterprises boost spending on patch management and intrusion prevention software to keep ahead of worms, which are appearing ever sooner after vulnerabilities in Windows are disclosed.

"This is part of the carrying cost of using Windows," said Nicolett. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology."

Although he placed some caveats on his numbers, Nicolett said that informal surveys with Gartner clients indicate that simply moving from a no rapid patch deployment capability to an ongoing process that can respond quickly to vulnerabilities raises the cost of using business by about 15 percent.

Nicolett's advice stemmed from the recent outbreak of the Sasser worm, which began striking Windows systems last Friday and has infected a large number of machines world-wide, with estimates ranging from 100,000 to well into the millions."The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site.

The need to deploy faster patch management solutions, and other technologies -- including intrusion detection systems -- comes from the incredibly shrinking window between vulnerability and exploit, added Nicolett. "The window is getting tighter, and as it does, that forces users to be more aggressive in how they deploy a patch." That, in turn, can lead to other problems, as QA testing of the patch goes out the window.

Compared with MSBlast of last summer, Sasser arrived sooner, said Nicolett. "The appearance of Sasser makes the shortest time ever -- just 18 days -- between the appearance of a vulnerability and the beginning of an attack." The previous record by a widespread network worm was held by MSBlast, at 25 days.

"Ideally, you begin to QA the patch immediately after the patch is documented. What companies really want to do is let those patches 'age' a bit to discover the secondary impact, and document problems with other applications. But with a rapid appearance of a worm, there's no chance for that."

Because many of the vulnerabilities that continue to be identified in Windows 2000, XP, and Server 2003 are easily exploited, Nicollet said, attackers are sure to develop future worms whose impact is equal to, or even more severe, than that caused by Sasser, MSBlast, or the Slammer worm of early 2003."Enterprises that are dependent on Windows must invest in means to patch faster," he said.

In addition, personal firewall, anti-virus, and behavior-based intrusion prevention software should be rolled out for all Windows PCs and servers. "Patch management is not enough," said Nicolett. "Enterprises also need perimeter protection."

Even though the market for host-based intrusion prevention software won't mature until the end of 2005, Nicolett advised enterprises to budget for and purchase such products now to secure critical Windows-based systems.

"Intrusion prevention gives enterprises some breathing room," he said. "They don't have to panic when the vulnerability clock starts ticking."

And the cost of such protection should be included in all total cost of ownership (TOC) calculations when alternatives to Windows are evaluated, he added.It seems many enterprises have already taken Gartner's advice to heart. "Companies are getting more aggressive in patching servers, for instance," said Nicolett, "and scheduling more downtime to deploy those patches."

They learned their lesson with last summer's MSBlast. "We saw a drastic increase in calls from clients who wanted to aggressively deploy some form of patch management after MSBlast. In general, it seems a larger percentage were better prepared this time around."

That may explain why Sasser didn't have quite as much traction as MSBlast, Nicolett and others theorized this week.

According to a Microsoft spokesman on Wednesday, more than 200 million users had downloaded the patch for the vulnerability exploited by Sasser, compared with only "tens of millions" who had downloaded the fix for the MSBlast-exploited vulnerability last summer at the same interval after that worm appeared.