Automatic Alerts, Patches Make Security Less Onerous

Whenever a software vendor discloses a security vulnerability in its product, it sets off a race between the hackers who want to take advantage of the weakness to attack systems and the administrators whose job it is to secure those systems. The only way for the white hats to win is to quickly identify and patch their vulnerable systems, which could number in the hundreds or thousands.

Configuresoft Inc. says it will make patching easier by automating patch updates for companies running Windows NT and Windows 2000 networks. It's adding the Security Update Manager, which notifies administrators whenever Microsoft issues a new security bulletin, to its Enterprise Configuration Manager software. The module, which links to Microsoft's XML Security Database, compares its data on a company's servers and desktops with vulnerabilities noted in the Microsoft database, so it can immediately identify which of a company's systems may be prey to a certain threat.

The module can help administrators because it's easy to forget to reinstall a patch or check for new patches after updating a server, says Gartner security analyst John Pescatore. Still, maintaining security ultimately comes down to human tenacity. "A year after companies buy software to automate security, it's often sitting on a shelf," he says.

Maybe that's why a recent survey from Internet consulting firm Netcraft shows that one in 10 E-commerce sites running Microsoft Internet Information Server had backdoors that would let attackers monitor or execute commands on their Web servers.

The Security Update Manager is available for $5 per workstation or $25 per server.