Patching policies must be part of everyday practice
Security administrators don't have it easy. As well as having to perform system updates, back up servers, monitor intrusion detection systems and complete other tasks, they now need to find time for another critical task: applying software patches.
According to last month's Internet Security Threat Report from Symantec – an analysis of network-based attacks, known vulnerabilities and malicious code for the six months between July and December 2003 – 2,636 new vulnerabilities were documented in 2003, an average of seven per day.
As of today, potential attackers are aware of 9,000 vulnerabilities affecting more than 20,000 technologies from around 200 vendors. Seventy percent of the vulnerabilities found last year were easily exploited due to the fact that no exploit was required or an exploit was readily available. This is usually a preventable situation, but because many servers were left unpatched, the viruses entered through open doors into systems all over the world. Perhaps more worrisome is the fact that the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking.
The importance of patching
In the scheme of things, patching security vulnerabilities is a low-cost practice that can help prevent potentially high-cost damage to your enterprise's financial statement, as well as reputation. August 2003 was a major financial blow to corporations. Millions of dollars were spent cleaning up blended threats. Patching vulnerable systems became a part of the clean-up process.
A report by the CERT Coordination Center at Carnegie Mellon estimates that 99 percent of all reported intrusions "resulted through exploitation of known vulnerabilities or configuration errors for which countermeasures were available." It is reasonable to assume that many of the countermeasures CERT is referring to are patches released by software vendors.
Patches for known vulnerabilities are available on software manufacturers' websites, but they are often ignored or go unnoticed. This is the problem: the task of applying patches is often perceived as too time-consuming, too complex, or as a low priority for system administrators. However, if you incorporate review and patch application into your daily routine it will not only ensure it gets done, but could end up taking less time.
Millions of dollars can be spent cleaning up from blended threats targeting unpatched vulnerabilities. This begs the question, is it worth looking into a patch management solution to reduce these rising IT costs?
How vulnerabilities happen
Vulnerabilities can occur when a particular combination of your technologies do not work properly when used together. Vulnerabilities can also be the result of an oversight in software production by the manufacturer. Every vulnerability is a potential target for intrusion or other malicious activity. The key is to patch, and to patch early, before intruders use details of the exploit to gain access to your system.
When identifying vulnerabilities, make sure you do not overlook systems that are perceived as "less critical." Many intrusions are the result of entry through seemingly less critical and, as a result, less patched devices. Once access is gained, the intruder will use that as a springboard into more critical applications. Remember that anything that is exposed is mission critical.
Without patching, your computers are unprotected from some of the most common exploits. This past year alone, the online community has felt the harmful effects of the Blaster and Welchia worms, as well as devastating blended threats such as Slammer and SoBig. These and other threats spread swiftly, due in part to known vulnerabilities that went unpatched.
You are easier to find than you think
The tools intruders use to troll for vulnerabilities are becoming more and more sophisticated and, at the same time, easier to attain and use. Equipped with the knowledge and details of a specific security hole, intruders now have the tools and techniques to scan for hundreds of thousands of vulnerable systems on the internet, searching for those with unprotected vulnerabilities. You could be a target.
Intruders often choose their targets based on the visibility and attractiveness of the enterprise. If an intruder gains entry into your resources, the damage can be enormous – not just lost revenue, but also the cost of lost productivity, time, market share, customers, or damage to a company's reputation.
Make patching a policy
If your enterprise is running a wide variety of software programs, it is important to stay up to date with the patches for each program, and apply them to each server as needed. It is important that patching is recognized as a crucial part of doing business and should be included into your overall security policy. Sometimes, advisories are released that detail vulnerabilities for which there is no patch available. If that is the case, your only option might be to restrict access to the server that contains the vulnerability.
Writing a patch management policy is a good way to clearly outline the process and procedures to be followed and also to ensure that nothing slips through the cracks.
What else can you do?
Designate someone within your enterprise to stay on the lookout for newly released patches, newsgroups, security information clearinghouses and other groups that regularly post information on security vulnerabilities so you can act quickly. In addition to staying current with security patches, it is advisable to continue to place filters on email gateways for added protection and to keep your anti-virus programs up-to-date.
Depending on the size of your organization and critical business applications, this might require dedicated resources.
Patch compliance software on the market today will scan your enterprise to ensure that designated patches have been adequately installed and further identify the systems still requiring attention. Whether you are a command line addict or require something more aesthetically pleasing, there are plenty of tools to choose from – although most work in the same manner: the basis being a snapshot of individual systems (baseline registry entries and file versions) compared to Microsoft databases. The benefit, of course, is a detailed map of your environment – a historical record of changes that enable an administrator to easily distribute (or rollback) updates as needed.
Solutions fit a wide range of business sizes: from the very small to large, complex, global organizations (the panel below provides some guidance for choosing a solution).
Effective information security involves good processes, as well as good technologies. Do not be fooled into thinking that constantly upgrading your security technology is the only thing you need to do to stay safe. There will always be new vulnerabilities – no matter how current the server or software is.
Keeping your current machines up to date with patches is one of the best investments you can make. It is a relatively easy solution to a highly preventable security problem.
Sarah Merrion CISSP is a senior secutrity consultant for Symantec Corp. specializing in anti-virus technologies