Posted Aug 1, 2006 | By PatchLink

Closing the vulnerability window

Blaster, Slammer, Welchia, Sober, CodeRed - the list of viruses, worms and trojans aimed at damaging or stealing information from corporate computers is growing daily. Neal Gemassmer, vice president of security technologies at PatchLink, details critical new strategies for patch and vulnerability management.

As the number and ingenuity of cyber attacks rise, so does the risk to organisations that depend on their IT systems. A successful attack on application servers, databases or employee desktops can prove far more damaging than most physical thefts of corporate property. In a recent survey by IBM of business executives, 57% said they are losing more money through online crime than through conventional theft.

Even so-called low-risk viruses can wreak havoc: witness the Zotob worm of August 2005 which cost infected organisations an average US$97,000.

In 2006, new threats facing businesses are coming from inside their perimeter defences - employees of a company wishing to harm their employer's reputation, trade secrets or personnel. Protection that used to be reserved strictly for the internet-facing side of a business must now be considered for use within a corporation. Of all the potential ways to break into systems, the failure to apply security patches and configure security settings correctly is probably the most systemic issue facing many IT organisations today. While mission-critical servers in the data centre are kept up to date, few organisations have truly secured the workstation and laptop configurations running throughout the enterprise. To do so requires automation, training and user education about the risks of malware to company operations.

Timely patching of security issues is generally recognised as critical to maintaining the operational availability, confidentiality and integrity of IT systems. However, with organisations averaging 30 days to patch networks last year, the process of securing all systems across the enterprise is still too slow and labour intensive. As a result, McAfee's recent industry report cited unpatched computers as representing IT's most pervasive security issue, keeping threats that target software vulnerabilities at the top of McAfee's list.

With this in mind, the majority of IT security experts today are advising organisations that the first and foremost defence against such an attack is to plug security holes before they can be exploited by an attacker. Security patch management has become essential to protecting IT systems worldwide.

Rapid patch remediation is especially important given that the window of time between when a vulnerability is discovered and when it is exploited continues to shrink - a mere five days in the case of the Zotob worm attack of 2005.

Unfortunately, many organisations both large and small continue to miss this narrow safety zone by a mile. Most are still relying on traditional approaches to IT security, trusting that a firewall in conjunction with manual security patching every month or two will keep things safe. Industry statistics show that the average business takes 30 days to implement a critical patch - which leaves the system wide open to attack for 25+ days in the worst-case scenario.

Applying patches obviously carries a degree of risk of its own. A patch that has not been effectively tested in a particular network environment could create a disruption within business systems and services. According to the Yankee Group, it can cost as much as US$300 per patch per machine. One of the biggest mistakes that larger organisations and agencies make with patch management is to force the deployment of security patches without properly understanding which devices are vulnerable or without testing the patches in their specific environment.

The UK Department of Pensions and Works last year showed this first hand when the entire agency, numbering more than 70,000 systems, was brought to a halt for several days, demonstrating exactly what can happen if patches and software updates are blindly pushed out to all systems on a network without fully testing them prior to mass distribution.

Clearly, just waiting until a vulnerability exploit is headline news is not a good security strategy, especially given the recent spate of zero-day vulnerabilities where potential attacks on computer systems are surfacing days and weeks before a permanent fix is available.

Patch management best practices

In the US, the National Institute of Standards and Technology (NIST) and security industry vendors have created guidelines for evaluating IT systems for their vulnerability to attack as well as how to build a patch management program to suit a typical corporation's needs.

Number one on this list of best practices is creating an inventory of an organisation's most critical IT systems, such as email, financial databases, customer information, etc. An inventory can be compiled manually, but that takes time and a large team of auditors. There are many automated IT asset discovery tools on the market to help speed the process and automatically update the inventory on a regular basis.

The next step is to prioritise the systems based on how critical they are to the day-to-day operation of the business and thus assess the risk associated with each system. A vulnerability may be a software flaw, a policy misconfiguration, or unnecessary open ports or services running on a system. Automated tools are crucial to network security, particularly if an organisation has hundreds, or thousands, of IT systems at risk.

Network vulnerability scanners, for example, can produce a list of security holes for each system scanned - eg, open ports, services that shouldn't be running, misconfigurations and application-specific problems. Likewise, enterprise patch management tools that automate the process of detecting and installing patches, policy configurations and so forth can drastically reduce the time and cost involved in rooting out vulnerabilities and fixing them before they can be exploited.

Patch deployment in the critical first 24-72 hours

The first 24 to 72 hours after a security patch has been released are the most critical ones. Establishing a patch management process to better identify, prioritise and mitigate vulnerabilities is essential for comprehensive and ongoing protection - to help ensure that security holes are plugged well within that window of vulnerability, as well as to ensure that they never reappear over time.

Here is what needs to be done within those critical hours.

  1. Test the patch before deployment. Once a vulnerability is documented and a vendor has released a patch, deploy it to a test environment that exactly mirrors the configuration of the production systems. Likewise, desktops and servers should have standardised configurations. Even small configuration differences can create variability in the results of a patch deployment. If configuration management is not possible, the next best thing is to use a representative sample of the systems within the network as the 'control group' for a deployment.
  2. Check the validity of recent backups and make sure there's a rollback option if something unanticipated happens. Murphy's Law always applies.
  3. Alert the user community. Users need to be aware of security risk as well as the impending patch process. Negotiate down time windows with the various stakeholders concerned - this is of particular concern for server side patch updates in the data centre.
  4. Do the deployment in phases, so that the process is easier to control and less disruptive to the enterprise. The patch management software can also take advantage of computer reboots, idles and scheduled deployments to avoid business interruption. However, it is important to note that if a patch requires a reboot, that security update may not be effective until such time as the system is restarted - do not skip this step!
  5. After the initial patch deployment, run a report on the performance metrics. The report should identify any computers that failed to install the update for one reason or another - offline, security access denied or low disk space, to name a few. A post-deployment report will also illuminate any problems that need to be addressed in future patch deployments.

While establishing a vulnerability and patch management process isn't an overnight project, it's crucial to organisations in order to survive the onslaught of malware and online theft in the coming months and years. The cost of having critical IT systems down for days or repairing the damage caused by the theft of sensitive data is usually many times the cost saved by ignoring the problem.

Finally, any good ongoing security system should employ checks and balances. As attackers become stealthier, using rootkit techniques and blended attacks to gain access to business systems, it will be necessary to carefully inspect the information gathered on a system and validate it against the results of an external network scanner or penetration testing utility. If all the tools being used to measure the security of a system agree that it is fully secure, all is well. If there is any discrepancy, that could raise the red flag for possible malware activity within the corporate network.
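As an added example (not PatchLink's code), the following Python sketch produces the post-deployment report called for in step 5, treating an installed-but-not-yet-rebooted patch as not yet effective (the caveat in step 4), and then reconciles the agent-side view against an external scanner's list of still-vulnerable hosts as the checks-and-balances paragraph above suggests. The host names, record fields and scanner results are constructed sample data, not output from any real product.

```python
from collections import Counter

# Constructed sample data: one record per host from the deployment tool.
# 'rebooted' tracks whether a required reboot has actually happened.
DEPLOYMENT = [
    {"host": "ws-001", "status": "installed", "reboot_required": True, "rebooted": True},
    {"host": "ws-002", "status": "installed", "reboot_required": True, "rebooted": False},
    {"host": "ws-003", "status": "failed", "reason": "offline"},
    {"host": "ws-004", "status": "failed", "reason": "access denied"},
    {"host": "ws-005", "status": "failed", "reason": "low disk space"},
    {"host": "srv-01", "status": "installed", "reboot_required": False, "rebooted": False},
]

# Constructed external scanner result: hosts it still reports as vulnerable.
# ws-003 is absent because an offline host cannot be scanned at all.
SCANNER_VULNERABLE = {"ws-002", "ws-004", "ws-005", "srv-01"}


def is_effective(rec):
    """A patch protects only once installed and any required reboot is done."""
    if rec["status"] != "installed":
        return False
    return not rec["reboot_required"] or rec["rebooted"]


def deployment_report(records):
    """Step 5 report: effective hosts, hosts pending reboot, failures by reason."""
    report = {"effective": [], "pending_reboot": [], "failed": Counter()}
    for rec in records:
        if is_effective(rec):
            report["effective"].append(rec["host"])
        elif rec["status"] == "installed":
            report["pending_reboot"].append(rec["host"])
        else:
            report["failed"][rec["reason"]] += 1
    return report


def reconcile(records, scanner_vulnerable):
    """Hosts where agent-reported state and the external scan disagree."""
    all_hosts = {r["host"] for r in records}
    agent_patched = {r["host"] for r in records if is_effective(r)}
    agent_unpatched = all_hosts - agent_patched
    return {
        # Agent says fixed, scanner still sees the hole: investigate.
        "agent_patched_scanner_vulnerable": sorted(agent_patched & scanner_vulnerable),
        # Agent says unpatched, scanner saw nothing: a blind spot, not proof of safety.
        "agent_unpatched_scanner_clean": sorted(agent_unpatched - scanner_vulnerable),
    }
```

Hosts in either discrepancy list are the ones to look at first: a host the scanner cannot see, or one the scanner still flags after the agent reports success, should never be counted as protected.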

As new insider threats continue to evolve and zero-day exploits increase, organisations that establish a standard patch and vulnerability management process combined with a best practices approach to installing and deploying patches across the enterprise will be able to proactively secure the network. An organisation that follows common industry best practices for identifying IT vulnerabilities and patching them quickly has the best chance of thwarting criminals and protecting its business critical systems.