Best Practice: Updating software patches and virus DAT files

Source URL: http://www.itworld.com/bestpractice_predatorwatch050309
March 09, 2005, 2:02 PM
ITworld.com

Strategy in Practice
Rules for success
Things to avoid
Questions you must ask
Are you a candidate?
Last words

This Best Practices is part of a collection of advice provided by information technology professionals on how they have solved various challenges, and addressed IT priorities within their organizations.

Company:

Cape Cod Cooperative Bank

Cape Cod Cooperative Bank was founded in 1921 as a mutual community bank to serve the people of Cape Cod, Massachusetts. It is an independent community-owned bank whose tradition and future is to provide unique, personal service in order to meet the ever-changing needs of its community.





Challenge:

The bank needed to ensure that software patches and virus DAT files were up-to-date on financial advisors' laptops as they connected to the bank's network. The laptops were not part of the bank's domain and could not be updated through group policy or other corporate patch management systems.



Solution:

The bank installed PredatorWatch's Auditor16 device at the five branches. The advisor's laptops are audited as soon as they receive a dynamic IP and the summarized results are emailed to the network administrator for further review, with the detailed report, or action if necessary.



How it worked:

A financial advisor connected his laptop to the network triggering an audit and subsequent email to the network administrator. The administrator logged into the Auditor16 and discovered a medium level vulnerability on the detailed report. He immediately notified the advisor and the appropriate software update was applied to the laptop.




Rules for success:

  • Reporting - the branches remote location required a solution that could notify the appropriate personnel in a timely and informative fashion.
  • Maintenance - with a limited staff the devices needed to be automatically updated, virtually maintenance free and easy to deploy.
  • Effectiveness - the solution had to work reliably to ensure the integrity of the network.
  • Price - the limited number of laptops and branches required a solution that was cost effective.



Things to avoid:

  • Be sure that, when you first connect to the appliance to get its IP address, you use a standard female-to-female serial cable to connect to it. If you fail to use a standard cable with the correct pin-outs, the Auditor will not respond.
  • When you select a model (Auditor 16, Auditor 128, or Auditor Enterprise), try to use the model that allows you the largest number of IP addresses appropriate for your site. Auditor 16 handles up to 16 IPs, while Auditor 128 handles up to 256. Only Auditor Enterprise handles more than 256. If you have approximately 240 IP addresses, you could quickly top out on Auditor 128 as laptops plug in and take up the remaining IP addresses or as you add new machines to the network. If you are that close to 256, you should probably consider either Auditor Enterprise or multiple Auditor 128s. The larger unit will generally provide better performance for increased numbers of IPs.
  • Auditor can dynamically detect an unlimited number of IPs on plug-in/connection, but it can only audit as many IPs as you have licenses for. Thus Auditor will always detect a system has plugged in, but will not audit it if doing so would mean exceeding the number of licensed IPs. If the issue arises, you can buy additional IP licenses after the product is installed, but the better prepared you are to handle the capacity of your network, the more effectively you'll protect your network.
  • To have Auditor dynamically detect machines on plug-in, your network must have a DHCP environment.
  • Auditor can dynamically detect systems on plug-in/connection anywhere in a multi-level network with subnets, until it runs into a DHCP server in a subnet. If you must have a DHCP server in a subnet, you can use an Auditor 128 or Auditor Enterprise to audit all systems on the entire network, then add an Auditor 16 to each subnet that has its own DHCP, to handle dynamic detection in that subnet.

Questions you must ask:

  • Does your network have a DHCP environment? It's required to use the Dynamic Detection feature of Auditor, but not to do the actual audits.
  • Do you anticipate your network growing in the near future? It's good to evaluate how many IPs you expect to have to determine the model required to handle all equipment on the network.
  • Do you have (or are you willing to purchase) a compatible firewall? To have Auditor block traffic at the firewall to/from any system or port that has vulnerabilities, you must purchase a FirewallBooster compatible with your firewall. Some of the firewalls Auditor is known to have boosters for are NetScreen 5GT, Cisco PIX, CyberGuard KS 1000, CyberGuard/Snapgear 570 & 575, and Secure Computing Sidewinder. To find out if others have been released, you can contact PredatorWatch (978-251-0823). You must use the firewall interface to unblock any blocked IPs or blocked ports.

Are you a candidate?

Candidates for this product include any small- to mid-sized company that is on the Internet and thereby has systems subject to hacking, even if the organization has only a few IP addresses. To save money, the smallest companies can start with an Auditor 16, which audits up to 16 IP addresses for initial purchase price of under $1,000 (plus annual or monthly license fees). Taking advantage of Auditor's scalability, the same business can scale up to Auditor 128 (max 256 IPs) or Auditor Enterprise (greater than 256 IPs) as the organization grows.

Particular industries that may want to consider Auditor include banks, hospitals, insurance companies, financial service companies, e-commerce companies, retailers, and educational institutions. Among the features appropriate to these industries are regulatory compliance reporting and credit card merchant program compliance reporting.

Last words:

The default is to audit all IPs within the range given, but if you are executing an on-demand audit (where you are waiting for the resulting report), it is better to specify a subset of the network that includes only those machines you are most concerned about. The smaller audit will be more efficient than an audit of the entire network. More complete audits should be scheduled to run overnight so you receive the report first thing in the morning.

By having Auditor regularly auditing and reporting on vulnerabilities in your network, and confirming remediation of those vulnerabilities with followup audits, you can collect and save reports that form an audit trail for regulatory compliance or credit card merchant program compliance. For small- to medium-sized businesses, Auditor is a cost effective tool for staying in compliance.

By regularly and automatically updating itself on the latest vulnerability tests, Auditor saves you time and pays for itself.

This Best Practice was provided by:

PredatorWatch, Inc.
N. Chelmsford, MA 01863

http://www.predatorwatch.com

The ideas expressed in this article are solely those of the vendor and its client, and do not necessarily reflect the opinions of ITworld.com.

Source URL: http://www.itworld.com/bestpractice_predatorwatch050309

© 1994-2011 ITworld. All rights reserved.