Developer

Automating security updates: Keeping ahead of the hackers

Infrastructure security vulnerabilities keep many an IT leader awake and pacing at the midnight hour. Find out how a new security device is helping one IS leader get a better night's sleep.


By Howard Baldwin

Clint Kaiser keeps watch over the finances of some very wealthy people. As director of information security for First Tech Credit Union (FTCU), a Beaverton, OR, financial institution, it’s his responsibility to ensure the integrity of accounts for 85,000 employees of some 800 companies in the Pacific Northwest.

Kaiser’s focus is making sure that authorized customers can always access information about bank accounts, loans, investments, mortgages, and, just as importantly, that unauthorized others can’t.

One of his biggest worries in getting his job done is staying current with security patches relating to Domain Name System (DNS). DNS takes a URL and translates it into the numerical IP address relating to a specific server on the Web. Because it would be impractical to centrally store this information, DNS servers are scattered throughout the Internet.

The problem with this scenario is that smart hackers, taking advantage of security vulnerabilities within the “bind” capability of the DNS servers, can tamper with user site requests results. It’s akin to cranky rubes sending lost tourists miles out of their way. Conceivably, hackers can redirect user queries to a ghost site and collect financial data. But luckily, most times the users just get an error message saying that the server isn’t available.

“My goal is to protect First Tech against redirection and denial of service [DoS] attacks. I’d rather people don’t get to us than get to the wrong site,” said Kaiser.

Tracking needed security patches
While some are small, family-owned businesses, FTCU’s client list includes such household names as Amazon, Microsoft, and Nike, as well as the Oregon and Washington divisions of companies like Intel and Sun Microsystems. To keep up with the flurry of security patches relating to the bind vulnerabilities, Kaiser has invested in a server appliance, as well as a maintenance plan, from InfoBlox called DNS One. InfoBlox continually monitors security updates and notifies customers, like Kaiser, of ones appropriate for their systems. In Kaiser’s case, that means patches geared for Windows NT 4.0.

“Previously, we had to monitor the vulnerabilities of the OS ourselves. There were a lot of vulnerabilities,” he explained, adding that once his team determined a vulnerability, a staffer then had to download the patch and update the systems, usually after normal working hours.

“It doesn’t take someone very long to stop and think there’s got to be a better way. Everybody wants to go home in the evening rather than staying late and applying patches.”

If Kaiser discovered a vulnerability in the morning that couldn’t be patched until that evening, the company could potentially be vulnerable for 10 hours. “There are a lot of things that could happen in that time,” he said.

How security notification works, and the costs
Currently, InfoBlox alerts Kaiser via e-mail that an update is available.

“I can go to the interface from my desk and tell the appliance to download the update and update the system right then, or I could wait until after hours to do it,” he explained, noting that the system offloads the responsibility of watching and fixing vulnerabilities.

“The software is updateable and configurable. I don’t need to worry about managing the operating system of the [appliance] hardware. All I have to do is match it to the [operating system] I want to run.”

In doing his ROI analysis of the tool, Kaiser reviewed the hard savings derived from DNS One’s automated capabilities as well as potential ramifications of DoS attacks.

He looked at the amount of time staff spent on the previous DNS solution, and extrapolated that for one year. He also looked at the risk of having a server that was vulnerable—although he said it’s tough to establish even a rough figure on such a scenario.

“I looked at the possibility of DoS, and measured it as a factor of downtime, which is anywhere from $500 to $1,000 per hour,” he said, acknowledging he couldn’t determine a set figure for the impact of any negative publicity that would result from system downtime or a hack into clients’ financial data.

InfoBlox's cost is $7,000 per unit, with an annual maintenance fee after the first year of $840 per unit.

Kaiser purchased InfoBlox’s high-availability option, in which two servers act as one unit. Previously, if an FTCU customer couldn’t reach the primary server, they would be redirected to a backup server at the firm’s ISP. However, that meant that it was relying on its ISP’s security capabilities. The high-availability system keeps all the data within FTCU, and yet doesn’t limit future options, Kaiser pointed out. A second unit could be colocated at an ISP or held at a disaster-recovery site.

Kaiser likes the idea of server appliances—single-purpose boxes that sit on the network and focus on a specific task. He went looking for an appliance because he’d been so pleased with a load-balancing appliance FTCU had previously purchased from F5.

F5 also has a DNS security appliance, called 3DNS, and while it offered more features, it wasn’t a good fit for FTCU. “Because it had all these other features, it was more expensive than the InfoBlox unit,” Kaiser said.

Getting a good night’s sleep
When it comes to managing all of FTCU’s security devices—firewalls, content-verification servers, intrusion detection, spam and virus control—it’s easy to believe that the slew of potential threats would keep any IS leader awake at night. The DNS appliance, said Kaiser, has given him one less thing to worry about.

“It allows me to sleep at night, pure and simple. I feel confident that my DNS information is not going to be tampered with,” he said, noting that the goal is a worthy one for any company, not just a financial institution like FTCU.

“The need for security goes beyond financial institutions to anyone engaged in e-commerce. It’s not so much the loss of money that would be a problem, or even a momentary spurt of bad news, it’s the residual effect a breach could have on a company,” he said. “What’s most damaging would be the lost trust.”

Silicon Valley-based freelance journalist Howard Baldwin’s work has appeared in CIO, CIO Insights, and Corporate Computing.

Editor's Picks

Free Newsletters, In your Inbox