The perils of bad patch management
- By William Jackson
- Sep 11, 2012
Again and again researchers have found that known vulnerabilities for which patches are available are among those most frequently targeted by attackers.
A recent study from Fortinet found that vulnerabilities discovered since 2010 are hardly being touched by hackers, while those in Windows XP -- now nearing its end of life -- are among the most popular. Symantec’s “Internet Security Threat Report” for 2011 describes a threat landscape in which known vulnerabilities are being exploited through new vectors as users failed to keep up with security updates from vendors.
“The old vulnerabilities still work,” said John Harrison, manager of Symantec’s security technology and response product group, and a contributor to the report.
Upgrade or die: Old vulnerabilities are prime targets
They work because despite advances in the detection and remediation of software flaws by researchers and vendors, updating software in a timely manner remains a challenging process. But, warns the National Institute of Standards and Technology in its updated Guide to Enterprise Patch Management, “if organizations do not overcome these challenges, they will be unable to patch systems effectively and efficiently, leading to easily preventable compromises.”
NIST describes the challenges and provides recommendations for an effective patch management program in a draft release of Special Publication 800-40, Rev. 3
Among the challenges are the variety of mechanisms for applying patches, different schemes for managing hosts and the task of maintaining an accurate inventory of software. But the biggest problem is prioritizing, testing and scheduling deployment of patches. Because of the volume of patches being issued and the need to test them to ensure that they don’t do more harm than good, getting them deployed in a timely manner can be difficult, if not impossible. Because of the mission-critical nature of some systems, administrators sometimes put availability above security and are reluctant to update the software.
NIST offers three broad recommendations for implementing an effective patch management program:
Deploy enterprise patch management tools in a phased approach. This allows issues to be addressed in small groups before the system is applied universally. Most organizations start with standardized desktop systems and single-platform server farms with similarly configured servers, and move from there to less standardized environments. There might be a residual population of legacy and non-standard systems that are not supported by tools that will have to be handled manually.
Use standard security techniques to reduce the risk of deploying patch management tools. Although patch management is a critical security process, deploying automated tools can introduce additional security risks that must be addressed. Potential problems include patches being altered, credentials being misused and exploitation of vulnerabilities in the tool itself. The tools should be tightly secured and kept up-to-date with encrypted network communications, and patches should be tested before deployment.
Balance security with requirements for usability and availability. Patches can sometimes “break” other applications, and reboots and restarts can interfere with operations. The possibility of such disruptions makes prioritizing patch deployment important. For low-risk vulnerabilities or high-value systems it might be better to spend more time testing and scheduling than to patch quickly. Downloading large patches for remote and mobile devices over low-bandwidth links can also be difficult or impractical, and solutions must be found that work in these environments.
The NIST guidelines provide a more detailed and complete list of recommendations for effective patch management.
Finally, metrics are necessary for determining the effectiveness of any security program, and the guidelines provide suggestions for measuring the implementation of the patch management program, its effectiveness and its impact.
William Jackson is freelance writer and the author of the CyberEye blog.