Hercules Bulks Up Security

Software vulnerabilities continue to be a drag on business-technology professionals. More than 80% of respondents to the 2004 InformationWeek Global Information Security Survey cite known operating-system and application vulnerabilities as the primary methods hackers have used to launch attacks against their systems.

And according to the U.S. Department of Commerce's National Institute of Standards and Technology, software bugs cost the U.S. economy about $60 billion annually.

More companies are looking for smart ways to fight the problem. Paul Ernst, technology and communications manager at Satellite Asset Management L.P., a $5.4 billion asset-management firm, last year began looking for a manageable way to patch 12 servers and 80 workstations. IT administrators were constantly writing scripts and pushing software updates out to desktops and servers, and there was no reliable way to ensure that systems had been successfully patched.

About four months ago, Satellite selected Hercules, a vulnerability-management application from Citadel Security Software Inc., and Stat Scanner, a vulnerability-scanning application from Harris Corp. After setup, spotting and fixing all the company's security holes took less than 20 hours--a process that Ernst estimates would have taken 300 hours if done manually.

Hercules automatically accepts vulnerability information from common vulnerability scanners such as the Stat Scanner and the open-source Nessus Scanner. Hercules then helps administrators analyze and remediate problems by specific systems, groups of systems, or severity of vulnerabilities.

Hercules also helps ensure that security configurations are proficient by helping businesses uncover user accounts that have no passwords, have no expiration dates, or are still using vendor-supplied passwords; manage the removal of systems running potentially dangerous software; and remove misconfigured systems that could allow a security breach. "The world for us, before Hercules, was a manual, time-consuming, and never-ending battle," Ernst says.

Michael Roberts, CIO at Bank of Alameda, has been using Hercules for about a year to help prioritize, manage, and track the patching process.

Because the tool automates patching, administrators no longer have to drive to the bank's five locations to deploy patches. Hercules can schedule patches to be applied during non-working hours, another boost in productivity, Roberts says. Even when systems are shut off, Hercules automatically will fix any vulnerabilities the next time the systems are rebooted.

"It's one thing to create a list of all of the weaknesses in a computing environment. It's another ballgame when you can quickly go out and fix them. Vulnerability scanners are very useful at identifying your world of hurt," says Pete Lindstrom, director of research at Spire Security, "but Hercules comes out and eases the pain by automating the fix-it process. It just ties everything together."