Herculean Help For Patching

Security administrators faced nearly seven software vulnerabilities each day last year, and if trends continue, that figure will rise to nearly 15 a day this year, according to CERT Coordination Center. Of course, not all of the projected 5,400 security flaws will apply to every software application or operating system, but keeping security holes patched is clearly a growing challenge.

To help automate some of the tasks, Citadel Security Software Inc. will by the end of the month ship Hercules. The tool incorporates information gathered by software vulnerability scanners with its database of known patches, then presents that information to network administrators to help them set priorities and deploy the patches.

Emanuel Carter, a consultant for the U.S. Department of Veterans Affairs in Southern California, has been testing Hercules since January. He ran a vulnerability assessment using Internet Security Systems Inc.'s Internet Scanner and discovered that the department's 60 Windows NT servers and 1,500 desktops running Windows 2000 were "a little behind" on their required security patches. He needed to patch operating-system vulnerabilities as well as problems he uncovered in Microsoft's Internet Explorer and Media Player.

That's where Hercules proved helpful, he says. Once the Hercules application receives the vulnerability data, it connects to a Citadel server, gathers and downloads all of the available patches, and pushes them to the necessary systems. Hercules helped Carter set priorities for deploying patches based on their levels of severity and let him schedule less-important patches during off-peak hours. Carter set up the software to periodically poll all of the servers and workstations to make sure they were properly patched.

Prior to Hercules, Carter says he attempted to conduct patch updates using common network-management tools. "That was cumbersome," he says. "This has saved a ton of time needed to secure these systems."

Hercules keeps its vulnerabilities database updated by monitoring Internet security sources such as the security mailing list Bugtraq and through a partnership with the threat-management firm SecurityFocus.

Hercules imports scans from CyberCop, Internet Scanner, Microsoft's free scanning tool Hfnetchk, and Network Associates. Priced at $1,300 per server and $50 per workstation, it runs on Windows NT, 2000, and XP. Citadel is developing Linux and Unix versions.