Hackers, crackers, phreaks, script kiddies, malware developers. These are the threats that all of us internet users have to deal with on a regular basis. Consider the volume of vulnerabilities, exploits and exploit kits that hit the news daily. I was recently asked what my number one recommendation would be to increase the level of security in organizations (aside from removing the human element). Here it is:
Have an active and thorough patch management process.
I could explain this in a couple of pages of text or sum it up in this cartoon from XKCD:
I work in IT security research and, unfortunately, from what I have seen, this hasn't really changed in over 15 years. I review vulnerability scans for NTT Security, an Approved Scanning Vendor (ASV) for PCI, and those scans reveal pages of critical system vulnerabilities and attack vectors that could have been resolved by applying vendor patches that are readily available. Unfortunately, the same findings have often gone unremediated across multiple reports from a series of scans.
Despite what Fear, Uncertainty and Doubt (FUD) filled articles will tell you, zero-day exploits are not your biggest concern. These new exploits are largely used in targeted attacks, in an attempt to increase their effectiveness before patches and detection signatures are developed.
On the other hand, an exploit kit is a collection of exploits bundled into a package by a developer. Exploit kits are sold to as many "bad people" as the developers can find. The kits are used in phishing schemes, and their output is laced into iframes on websites and spread through other distribution methods.
Surely these kits contain and spread the latest and greatest exploits across the Internet, right? Guess again!
NTT Security analyzed the exploits contained in 61 popular exploit kits. How many of the vulnerabilities already had patches available, which, if applied, would render them completely useless and ineffective? 99.78%!
Some of the kits included exploits which were originally reported in 2004.
Read that again. 2004.
Developers want to keep these packages as small as possible to decrease the likelihood of detection and increase the ease of transmission. So why would they consider including these dated and patched vulnerabilities? The simple answer is that they know the exploits still work.
When it comes to making patch management an integral part of your information security program, SANS has a publication listing seven phases, NIST published eleven phases, and a number of other organizations have still other approaches of their own. I need to give you a take-away or I won't feel as though I have done my job with this brief rant.
My Six Steps to Basic Enterprise Patch Management:
- Detect: Analyze systems for missing patches or new vulnerabilities.
- Assess: Determine if there are any mitigating factors against the patch.
- Acquire: Obtain the patch files for testing.
- Test: Install the patch on a test system to ensure there are no conflicts.
- Deploy: Install the patch on all applicable systems.
- Repeat: This is a cyclical process!
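As an added example (not from the original post), here are the Detect and Assess steps as a small Python script: it compares a constructed host inventory against constructed vendor advisories, flags every installed version that is older than the fixed version, and ranks the gaps with exploit-kit bugs first and the longest-available fix next. The advisory ids, package names, versions, dates and the `in_kit` flag are all assumptions.

```python
"""Detect and Assess from the patch cycle as a stand-alone script.
All advisory and inventory data below is constructed for illustration."""
from datetime import date

# Constructed vendor advisories: package, first fixed version, fix release date,
# and whether the bug is known to be bundled in exploit kits (assumed flag).
ADVISORIES = [
    {"id": "ADV-0001", "pkg": "pdfreader", "fixed": "9.4.1", "released": date(2004, 11, 2), "in_kit": True},
    {"id": "ADV-0002", "pkg": "pdfreader", "fixed": "11.0.3", "released": date(2013, 5, 14), "in_kit": False},
    {"id": "ADV-0003", "pkg": "browserplug", "fixed": "3.2.0", "released": date(2016, 1, 20), "in_kit": True},
    {"id": "ADV-0004", "pkg": "dbserver", "fixed": "5.7.12", "released": date(2016, 4, 11), "in_kit": False},
]

# Constructed inventory: host -> installed package versions.
INVENTORY = {
    "web01": {"pdfreader": "9.3.0", "browserplug": "3.2.5"},
    "db01": {"dbserver": "5.7.9"},
    "ws17": {"pdfreader": "11.0.3", "browserplug": "3.1.9"},
}


def version_key(version):
    """Turn '5.7.12' into (5, 7, 12) so versions compare numerically.
    A plain string compare would wrongly rank '5.7.9' above '5.7.12'."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, advisories):
    """Detect: every (host, advisory) pair where the installed version predates the fix."""
    gaps = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["pkg"])
            if installed is not None and version_key(installed) < version_key(adv["fixed"]):
                gaps.append({"host": host, "installed": installed, **adv})
    return gaps


def prioritise(gaps, today):
    """Assess: exploit-kit bugs first, then the fix that has been available longest."""
    for gap in gaps:
        gap["days_unpatched"] = (today - gap["released"]).days
    return sorted(gaps, key=lambda g: (not g["in_kit"], -g["days_unpatched"]))


if __name__ == "__main__":
    for gap in prioritise(missing_patches(INVENTORY, ADVISORIES), date.today()):
        flag = "EXPLOIT KIT" if gap["in_kit"] else "           "
        print(f"{flag} {gap['host']:6} {gap['pkg']:12} {gap['installed']:>7} -> {gap['fixed']:<7} "
              f"{gap['id']} fix available for {gap['days_unpatched']} days")
```

Run it against a real inventory export and advisory feed to get the same ranked list; the Repeat step is simply scheduling this run.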
The most important thing isn't which process you choose, but that you choose a process that works and stick with it. Any level of maintained patch management is better than none at all.
And to conclude: as usual, home users tend to get off significantly easier.
BankInfoSecurity is a multi-media website specializing in coverage of information security, risk management, privacy and fraud: http://www.bankinfosecurity.com/interviews/inside-new-global-threat-report-i-2246
SANS, "A Practical Methodology for Implementing a Patch Management Process": http://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206
NIST, "Creating a Patch and Vulnerability Management Program": http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf