Unpatched systems are becoming the most common entry point for security failures, and Windows NT and 2000 are rapidly becoming hackers' favourite targets.

'Patch your system' is the mantra of every security consultant worth his or her salt. Unpatched systems are the perfect target for attacks, as April Fool's Day proved again. Attrition.org posted a list of 38 major defacements for the day, ranging from BT and Walt Disney to the scourge of hackers everywhere, the New York School of Interior Design.

All but eight of the sites were running Windows NT or 2000, the cracker's favourite operating system. NT needs to be patched up as often as an accident-prone rollerblader, according to the long list of security alerts in the past few months.

Microsoft itself was a victim of crackers last October when it discovered that unknown intruders had been wandering unchallenged through the network for months.

The Redmond giant had obviously not been reading its own bug list. The attackers would not have been able to break in if Microsoft software patches had been up to date.

Patch work

One security list advised subscribers to download 19 separate security patches in March. It is highly unlikely that any of their readers would have had the time to download all 19 recommended fixes in five short working days.

Keeping a system in top-notch order is usually the responsibility of a hard-pressed network manager who must know the system like the back of his hand, be aware of its weaknesses and be dedicated to working long hours to keep the network running smoothly. A halo and superpowers are optional.

Small companies who rely on a skeleton IT staff or who outsource their network management could find it much harder to get the system patched regularly, depending on the type of contract they have struck and how often the outsourcer will update software with the latest patches. Potentially, it leaves companies more vulnerable to attack.

Stuart Criddle, IT consultant at the National Computing Centre, said it's not uncommon to come across a system that has not been updated since it rolled off the assembly line.

Managers are faced with the great patch dilemma: stay up all night to take the system offline at 3am and install a patch that just might bugger up the system, or take a risk that the server won't be attacked and get home in time for EastEnders.

Support analyst Andy Helsby, of the K3 Business Technology Group, said patching can be a nightmare. "You have to find a good time to take the servers offline, checking with all the users on the system, and choose a quiet time such as 3am on Sunday morning," he said.

"You need to apply an average of three patches in a week, but there is no mechanism in Microsoft to apply patches in one big file. You have to apply them one after the other, which takes up a lot of time," he explained.

Adding a printer to the system is a hellish process for Helsby. The company's application does not run on Windows 2000, so he has to apply the service pack and individually install the hot fixes every time a shiny new inkjet arrives in the office.

An unpatched system is a liability, but the blame should not lie with the system administrator for failing to apply every single patch issued by Faultysoftware.com.

Managers' dilemma

Network managers don't always have the time to search for relevant patches, take critical systems offline and baby-sit the server all night long in the hope that the patch doesn't disrupt something else on the system.

Software companies that release buggy software must take responsibility for attacks. If they insist on issuing patch after patch, the least they can do is make them easier to install.

Patching a live system is much more cost effective than shutting down the system and rebooting it 10 times a night. But there is still no end in sight for the security treadmill.

PATCHING SYSTEMS:

• Get a security newsletter and check manufacturers' websites and users' newsgroups for relevant patches.
• Apply urgent patches as soon as you can. Make sure users know the importance of updating the system regularly.
• A safe system needs software no older than two years.
• Keep a log of the patches on the system for future temp staff and administrators.