Introduction
The classic text book definition of risk is, “the probability of a threat agent exploiting vulnerability and the resulting business impact”. Vulnerability can be from applications, software’s, firewalls, people, process, location etc and what we're trying to see here is the vulnerability from software’s or applications and importance of patch management which in turn will result in effective risk management .
Effective Patch Management = Effective Software Vulnerability Management = Effective Risk Management
Background Information
National Vulnerability Database (NVD), reports 4,639 vulnerabilities (CVE) in the year 2010 and as per Secunia for the period 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420. Secunia says “A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010”. Over the years the vulnerabilities reported in 3rd party (non-Microsoft) programs are increasing with an alarming rate. Today patch management is critical not only for big enterprises, even a company with couple of servers has to spend some time in identifying and patching.
The high influence of vulnerabilities has resulted in systems constantly being threatened by new attacks and the level of damage caused by these attacks can be quite severe. Some of the worms and cyber attacks utilized the existing vulnerabilities are Operation Aurora, Stuxnet, Downadup/Conflicker, Code Red, BugBear, Nimda, Blaster, and MyDoom. The interesting fact was, each one of them attacked a known vulnerability for which a patch or other mitigation steps had already been released.
Patch and Vulnerability Management Process
As with any risk management process, there should be a systematic approach for patch and vulnerability management. This systematic approach should make sure all systems, software’s and applications are audited frequently to identify the vulnerabilities existing. The patch management life cycle should be continuous and a typical life cycle can be Auditing, Identifying Vulnerabilities, acquiring patch, testing and deploying.
Many organizations, especially those with extensive Microsoft platform deployments have developed elaborate processes for Patch Management to the Production environment. But the key for successful patch management these days are patching non Microsoft applications as well as patching test environments. How many organizations are spending time and resources on patching non Microsoft applications?
Solution
For effective patch management you have to use multiple solutions and depend on the budgets available and size of the organization you can go for Group Policy, WSUS, MBSA, Microsoft SMS, Secunia CSI (Corporate Software Inspector), GFI LANguard, Altris, IBM Tivoli etc
Conclusion
In IT Security, we talk a lot about having good firewalls, IDS, IPS, Antivirus and other security measures and most of the time we miss importance of effective patching process. Further majority of user’s and businesses alike still perceive Microsoft products to be the primary attack vector, largely ignoring third party programs and operating system. It goes without saying “Patching vulnerabilities provides better protection than thousands of signatures as it eliminates the root cause”.
Comments