Don’t be squeamish about software patches: They could be the difference between strength and vulnerability for your business’s system.
Security administrators don’t have it easy. Between performing system updates, backing up servers, monitoring Intrusion Detection Systems, and completing other tasks, they need to find time for one more task that is as routine as it is critical: applying software patches.
For the six-month period ending June 30, 2003, Symantec documented 1,432 new vulnerabilities, a 12 percent increase over the number found in the same period the previous year. The rate of discovery for new vulnerabilities continues to escalate as a result of the convergence of several trends: increased media exposure for new vulnerabilities, the gathering momentum of responsible disclosure, and a dramatic rise in Web vulnerabilities. As of today, potential attackers are aware of 8,000 vulnerabilities affecting over 4,000 different technology products. A majority of the devastating viruses and worms this year were propagated as a result of the exploitation of known security vulnerabilities. This was a preventable situation, but because many servers were left unpatched, the viruses entered through open doors into systems all over the world.
In the scheme of things, patching security vulnerabilities is a low-cost practice that can help prevent potentially high-cost damage to your enterprise’s financial statement, as well as reputation. August 2003 was a major financial blow to corporations. Millions of dollars were spent cleaning up blended threats. Patching vulnerable systems became a part of the cleanup process.
The importance of patching
A report by the CERT Coordination Center at Carnegie Mellon estimates that 99 percent of all reported intrusions "resulted through exploitation of known vulnerabilities or configuration errors, for which countermeasures were available." It is reasonable to assume that many of the countermeasures CERT is referring to are patches released by software vendors.
Patches for known vulnerabilities are available on software manufacturers’ Web sites, but they are often ignored or unnoticed. This is the dilemma — the task of applying patches is often perceived as too time-consuming, too complex, or as a low priority for system administrators. However, if you incorporate review and application of patches into your daily routine it will not only ensure it gets done, but it could ultimately take up less time.
Millions of dollars can be spent cleaning up from blended threats targeting unpatched vulnerabilities, which raises the question: is it worth looking into a patch management solution to reduce these rising IT costs?
How vulnerabilities happen
Vulnerabilities can occur when a particular combination of your technologies does not work properly when used together. Vulnerabilities can also be the result of an oversight in software production by the manufacturer. Every vulnerability is a potential target for intrusion or other malicious activity. The key is to patch, and to patch early, before intruders use details of the exploit to gain access to your system.
When identifying vulnerabilities, it is important to make sure you don’t overlook systems that are perceived as "less critical." Many intrusions are the result of entry through seemingly less critical, and as a result, less patched devices. Once access is gained, the intruder will use that as a springboard into more critical applications. Remember that anything that is exposed is mission critical.
Without patching, your computers are unprotected from some of the most common exploits. This year alone, the online community has felt the effects of the Blaster and Welchia worms, as well as devastating blended threats such as Slammer and SoBig. These and other threats spread swiftly, due in part to known vulnerabilities that went unpatched.
You’re easier to find than you think
The tools intruders use to troll for vulnerabilities are becoming increasingly sophisticated, and at the same time, easier to attain and use. Equipped with the knowledge and details of a specific security hole, intruders now have the tools and techniques to scan for hundreds of thousands of vulnerable systems on the Internet, searching for those with unprotected vulnerabilities, and you could be a target.
Intruders often choose their targets based on the visibility and attractiveness of the enterprise. If an intruder gains entry into your resources, the damage can be enormous — not just lost revenue, but also the cost of lost productivity, time, market share, customers, or damage to a company’s reputation.
Make patching a policy
If your enterprise is running a wide variety of software programs, it is important to stay up-to-date with the patches for each program, and apply them to each server as needed. It is important that patching is recognized as a crucial part of doing business, and should be included into your overall security policy. Sometimes advisories are released that detail vulnerabilities for which there is no patch available. If that is the case, your only option may be to restrict access to the server containing the vulnerability.
Writing a patch management policy is a good way to clearly outline the process and procedures to be followed and also to ensure that nothing slips through the cracks. Some process details that should be included are:
• Subscribe to advisory and alert lists. These will alert you to any new software updates or patches that are released. Check out the following resources for more information:
• Check manufacturers’ Web sites. Many software providers will offer a notification list to their customers and these providers will have the information posted on their Web site.
• Find independent bug-tracking sources. Sign up for the CERT Coordination Center’s Advisory List, the BugTraq mailing list, or visit Security Focus regularly.
• Document everything. As patches are considered, implemented and tested, document every step of the way, so you have a complete audit trail if anything is called into question in the future.
• Determine the relevance and severity of the vulnerability. Review the incoming advisories and alerts within 24 hours of receipt, determine if any are applicable to your operation, and, if so, decide the severity of the issue immediately.
• Separate reviewer from patch applicator. The person that is reviewing the advisories and making determinations should not be responsible for applying the patch. If the same person shares those duties, you run the risk of biased opinions. The person who has to apply the patch may tend to gloss over the advisories, knowing if there is a severe risk found, it will need to be fixed on his or her time. If your reviewer is removed from the situation, you will be more likely to obtain a fair judgment.
• Test every patch before deploying it. Sometimes the patches themselves can cause additional or unforeseen operational and security issues in your enterprise. Apply the patch first in a test environment to make sure that the patch itself will not introduce a new vulnerability or disrupt your normal business functions in any way.
What else can you do?
Designate someone within your enterprise to stay on the lookout for newly released patches, newsgroups, security information clearinghouses and other groups that regularly post information on security vulnerabilities, so you can act quickly. In addition to staying current with security patches, it is advisable to continue to place filters on email gateways for added protection, and to keep your antivirus programs up-to-date. Depending on the size of your organization and critical business applications, this may require dedicated resources.
Patch compliance software on the market today will scan your enterprise to ensure that designated patches have been installed correctly, and will identify the systems that still require attention. Whether you’re a command line addict or require something more aesthetically pleasing, there are a myriad of tools to choose from; most, however, work in the same manner: they take a snapshot of each individual system (baseline registry entries and file versions) and compare it against Microsoft’s databases. The benefit, of course, is a detailed map of your environment. What is also needed is a historical record of changes that enables an administrator to easily distribute (or roll back) updates.
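The snapshot-versus-database comparison described above, as an added example that is not code from the article or from any vendor’s product. It models a per-host snapshot (registry-style "installed" markers plus file versions) and checks it against a small required-patch table; every host name, file path, update id and version number is constructed sample data, and the update ids are placeholders, not Microsoft identifiers. Two points a registry-only check would miss are handled: numeric version comparison (so "6.0.9" is not ranked above "6.0.10") and an update whose marker is present while the file is still old, which usually indicates a failed or rolled-back install. A snapshot diff at the end supplies the historical record of changes the paragraph calls for.

```python
"""Patch compliance check: compare host snapshots (installed-update markers
plus file versions) against a required-patch table and list hosts that still
need attention. Added example with constructed data; not a vendor tool and
not Microsoft's update database."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RequiredPatch:
    update_id: str      # placeholder id, e.g. "UPD-1001" (constructed)
    file_path: str      # file the update replaces
    min_version: str    # lowest file version that counts as patched
    severity: str       # "critical" or "important"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split "6.0.10" into (6, 0, 10) so components compare numerically;
    a plain string comparison would wrongly rank "6.0.9" above "6.0.10"."""
    return tuple(int(part) for part in version.split("."))


def is_patched(actual: Optional[str], required: str) -> bool:
    return actual is not None and parse_version(actual) >= parse_version(required)


def check_host(snapshot: dict, required: List[RequiredPatch]) -> Dict[str, str]:
    """Return {update_id: status} for one host. Statuses:
    "ok"             file version meets the requirement
    "missing"        no marker and file still old
    "marker-only"    marker says installed but file is old (failed/rolled back)
    "not-applicable" the file does not exist on this host"""
    result = {}
    for patch in required:
        actual = snapshot["files"].get(patch.file_path)
        if actual is None:
            result[patch.update_id] = "not-applicable"
        elif is_patched(actual, patch.min_version):
            result[patch.update_id] = "ok"
        elif patch.update_id in snapshot["installed"]:
            result[patch.update_id] = "marker-only"
        else:
            result[patch.update_id] = "missing"
    return result


def hosts_needing_attention(hosts: dict, required: List[RequiredPatch]) -> dict:
    """Map host -> [(update_id, severity, status)] for every unpatched,
    applicable update, critical ones first."""
    by_id = {p.update_id: p for p in required}
    report = {}
    for host, snapshot in hosts.items():
        gaps = [(uid, by_id[uid].severity, status)
                for uid, status in check_host(snapshot, required).items()
                if status not in ("ok", "not-applicable")]
        gaps.sort(key=lambda g: (g[1] != "critical", g[0]))
        if gaps:
            report[host] = gaps
    return report


def snapshot_changes(before: dict, after: dict) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Historical record: file versions that changed between two snapshots of
    the same host, the data needed to audit or roll back an update."""
    changed = {}
    for path in set(before["files"]) | set(after["files"]):
        old, new = before["files"].get(path), after["files"].get(path)
        if old != new:
            changed[path] = (old, new)
    return changed


# constructed required-patch table (placeholder ids and paths)
REQUIRED = [
    RequiredPatch("UPD-1001", r"C:\sys\netstack.dll", "6.0.10", "critical"),
    RequiredPatch("UPD-1002", r"C:\sys\mailsvc.exe", "2.3.1", "important"),
]

# constructed host snapshots: registry-style markers plus file versions
HOSTS = {
    "web01": {"installed": {"UPD-1001", "UPD-1002"},
              "files": {r"C:\sys\netstack.dll": "6.0.10", r"C:\sys\mailsvc.exe": "2.3.1"}},
    "web02": {"installed": set(),
              "files": {r"C:\sys\netstack.dll": "6.0.9", r"C:\sys\mailsvc.exe": "2.3.1"}},
    "print01": {"installed": {"UPD-1001"},          # marker present, file still old
                "files": {r"C:\sys\netstack.dll": "6.0.9"}},
}

if __name__ == "__main__":
    for host, gaps in hosts_needing_attention(HOSTS, REQUIRED).items():
        for update_id, severity, status in gaps:
            print(f"{host}: {update_id} ({severity}) {status}")
```

Run as-is, the script flags web02 as missing the critical update and print01 as carrying an installed marker without the matching file version, while web01 is silent; a tool that trusted the registry marker alone would have reported print01 as compliant.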
Solutions fit a wide range of business sizes: from the very small to large, complex, global organizations. Take the following into consideration when evaluating a solution to fit your business needs:
• Architecture: Agent-based or scanning-based? Without question, an agent-based system improves the accuracy of information collected by the patch server, the overall patch deployment process is more reliable, and less network traffic is consumed as compared to scanning-based software. Scanning-based solutions, while eliminating the presence of an agent, increase administrative overhead as repeated scans may be required to sample the entire organization.
• Scalability. Can configuration changes be accomplished in minutes, “on the fly?” An easy and cost-effective model will allow organizations to support global users or organizationally grouped classes of devices.
• Policy-based management. Utilize policy-based management to ensure that patches stay applied as policy dictates. This allows for diversification of systems, groups, or classes of devices slated for deployment according to a wide range of business requirements – with minimal administrative overhead.
• Role-based administration. A patch management solution that integrates with Active Directory may allow for role-based product administration, enabling associated permissions with each delegated role.
• Customized reporting. Every company has different policies driving information requirements. Since individual management styles and personalities require various formats and data fields, a customized report is often required to put the information needed into the format desired. Programs with robust functionality can lose their effectiveness without a capable reporting mechanism.
• Automatic alerts. Alerts allow administrators to focus on the exceptions proactively rather than rely on the reactive nature of reports. While not all patches are critical, there are those that require urgency. Alerting may be a requirement for your patching solution.
• Integration. Can the reporting engine integrate with other reporting software? Is integration with SQL or DB2 allowed? Is there support for virus software integration? Reduce the learning curve of your patch management solution by integrating into tested, functional, successful applications in the environment today.
Effective information security involves good processes, as well as good technologies. Don’t be fooled into thinking that constantly upgrading your security technology is the only thing you need to do to stay safe. There will always be new vulnerabilities — no matter how current the server or software is, and keeping your current machines up-to-date with patches is one of the best investments you can make. It’s a relatively easy solution to a highly preventable security problem.
Sarah Merrion is a senior security consultant for Symantec Corporation specializing in antivirus technologies. She holds a M.S. in Telecommunications from DePaul University and speaks regularly on the topic of viruses, worms and malware.