Uptime & Vulnerabilities
I was doing some research online this evening about virtual server hosting and I stumbled across a website that provides up-time information about various websites.
I thought this was quite interesting. Then, I got to thinking: Could someone with malicious intent exploit this information? If you are wondering, “George, how could this information be exploited?,” please read on.
This site provides the site name, Average number of up-time days, operating system and server type. Have you caught on yet? If not, allow me to explain. Typically, most patches to some operating systems require a reboot. If the server has been up for X days and I know what OS the machine is running, I now know what patches haven’t been applied to the system. Let me clarify: I know what patches requiring a reboot that have been issued by the vendor since the last reboot have not been applied. I meet even venture to guess that the server software (Apache, IIS, etc.) have not been patched.
This information allows an attacker to know what vulnerabilities exist thereby limiting the amount of attacks they must try. So, what does this mean? Patch your servers on a regular basis or face exposure to vulnerabilities and attacks that could otherwise have been prevented. Your systems may be behind a firewall and/or Intrusion Detection System (IDS), however, some attacks may be able to circumvent these security measures. Besides, why have a single point of failure?
Apparently, I am not the only one who has had this thought:
“Corporate IT’s biggest downfall is their focus on uptime above all else. In the IT sector, uptime is god. Customers want guaranteed uptime, managers focus on uptime, everyone views uptime as the key to a well managed system. There is a huge problem with this focus, a system usually must come down to be patched when a vulnerability is discovered. The focus on uptime does not allow that.”(1)
So, what are we to do if we must maintain up-time? There are several approaches to this. If we are looking at a retail environment, then we may want to consider performing maintenance during low traffic times. If you are utilizing load balancing methods, it may be possible to update a few servers at a time while the others take the load. (Your Mileage May Very [YMMV]: I am by no means a load balancing expert.)
If you are a hosting provider, it may be a good idea to put maintenance windows in your Service Level Agreement (SLA) and emphasize security. You should consult with legal counsel to help you here.
Small businesses and other companies may decide to apply patches as needed or on a set schedule and simply reboot when it is most convenient.
I believe patches to be very important. However, maintaining an environment that is productive and profitable just makes good business sense. We must balance security with business needs. Without a secure system, we may lose money due to data exposures and lawsuits. Besides, it also makes good business sense to have a secure system for your employees and customers.
I think former FBI Director, William Webster, put it best: “Security is always too much until the day it is not enough.”
(1) Packetderm, LLC (Steve) (2002, July 23, 2002). Uptime vs Security. Retrieved November 26, 2007, from http://www.cotse.com/20020723.html