There has been much security industry angst lately over some of the serious vulnerabilities introduced to the threat landscape by our friends at Apple, Adobe and Google. In particular, Adobe Flash and Acrobat have caused great concern and have focused the spotlight on applications as being a source of vulnerabilities. This is in opposition to the old school thinking that the operating system is the culprit and that all things bad come from Microsoft.
To many, this seems a little strange. How does something as apparently benign as Flash Player introduce a vulnerability that can be used to compromise the corporate network and data? While this seems a little cruel and unusual, the fact is that in recent years more vulnerabilities have been introduced by seemingly harmless applications than by operating systems. Recent events are starting to get the enterprise security community to focus more on application patching, but there is still more that can be done. A recent SANS Institute study (http://www.sans.org/top-cyber-security-risks/?ref=top20#trends) demonstrates that application patching and remediation occur at a much slower pace than operating system patching, thus indicating a lack of focus on application patching.
In general, there is no question that Patch Management is becoming as fundamental a control as Anti-Virus and Personal Firewall software. While fundamental and relatively mature, Patch Management does require more care and feeding. While AV and PFW are “set it and forget it” controls, Patch requires some thought and diligence. This is especially the case given the need to consider comprehensive application patching.
Firstly, don’t lose sight of why patching is important. Patching has become a fundamental security control, but needs to be part of a comprehensive Vulnerability Management strategy. As long as we live in the world that we have created, where almost every user has administrative privilege and where one in ten websites hosts malicious code, managing risk by removing known vulnerabilities is critical. To be effective in this there are some fundamentals that are key:
- Be informed - Understand the threat landscape. Read the blogs and various Response Team sites. This will help you understand the current threat profiles and allow you to focus your attention where it can be most effective.
- Be engaged - Understand the solution you have implemented to perform patching and its capabilities. Maximize your effectiveness by using the tool’s capabilities.
- Measure - Run reports on a regular basis that inform you on how you are doing. Patching has been shown to be difficult and there are many who have trusted a solution to perform, only to be compromised because the solution did not behave as expected.
- Pay Special Attention to Mobile Devices - Many devices do not frequently connect to the corporate network. This class of device needs special attention.
- Cloud-Based - There are many good cloud-based patch solutions. There is an inherent advantage in that they are Internet facing and will achieve better coverage of mobile and non-mobile devices. These services also offer added value in the form of access to subject matter expertise and built-in automation capabilities, as well as the ability to stay current on the technology front. This is in addition to other cloud solution advantages like zero implementation cost, quick turn up, no system sizing concerns and lower ongoing costs.
- Application and Operating System Support - The solution must have a comprehensive capability to patch operating system components as well as any applications that have the potential to cause vulnerability on the system.
- Content from Trusted and Current Sources - In the past four to five years, much has been achieved to standardize information about operating system and application vulnerabilities, and the leading solutions will use this content in addition to their homegrown content. Support for the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) should be considered.
- Integration with Hardware and Software Inventory - Endpoint discovery is obviously critical. Having the patch solution tightly integrated with the discovery and inventory functions will help get better coverage and remediation performance.
- Prioritized Remediation based on Vulnerability Profile - Many of the leading solutions will prioritize patching based on the severity of vulnerability (using the CVSS scoring data for example). This becomes important when there are new vulnerabilities that require immediate remediation.
- Robust Reporting - If Windows Update Service has taught us anything about patching, it is that unless you can actually report on the success and failure of patching endpoints in a reasonable and comprehensive manner, a patching solution can actually lull you into a false sense of security. Patching is one of those things that requires routine checks to make sure Vulnerability Management goals are being met.
- Role Based, Self Service Portal - The ability to delegate functions to various enterprise roles is critical. Roles can be created to allow viewing of reports by more junior staff while changes to patching policy are restricted to qualified individuals.
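As an added illustration (not code from the original post), the following Python sketch ties together the "Measure", "Mobile Devices" and "Prioritized Remediation" points above: it ranks constructed endpoint records by the worst CVSS score among their missing patches, pushes devices that have not checked in recently to the front of each severity tier, and produces the coverage figures a routine reporting check needs. The hostnames, scores, dates and the 14-day staleness threshold are all assumptions.

```python
from datetime import date

# Constructed sample inventory (not real endpoints). Each record lists the patches an
# endpoint is still missing, with the CVSS base score as it would be pulled from the NVD.
INVENTORY = [
    {"host": "lap-017", "mobile": True, "last_seen": date(2010, 5, 2),
     "missing": [{"id": "PATCH-A", "app": "Flash Player", "cvss": 9.3}]},
    {"host": "wks-104", "mobile": False, "last_seen": date(2010, 5, 30),
     "missing": [{"id": "PATCH-B", "app": "Acrobat", "cvss": 7.8},
                 {"id": "PATCH-C", "app": "OS", "cvss": 4.3}]},
    {"host": "wks-105", "mobile": False, "last_seen": date(2010, 5, 31), "missing": []},
    {"host": "lap-022", "mobile": True, "last_seen": date(2010, 4, 10),
     "missing": [{"id": "PATCH-C", "app": "OS", "cvss": 4.3}]},
]

STALE_DAYS = 14            # assumed threshold: unseen this long, its state cannot be confirmed
AS_OF = date(2010, 6, 1)   # constructed report date

def endpoint_risk(ep):
    """Worst missing CVSS base score on the endpoint; 0.0 when nothing is missing."""
    return max((p["cvss"] for p in ep["missing"]), default=0.0)

def is_stale(ep, today=AS_OF):
    """True when the endpoint has not reported in for more than STALE_DAYS."""
    return (today - ep["last_seen"]).days > STALE_DAYS

def remediation_queue(inventory, today=AS_OF):
    """Hosts ordered by highest risk first. Within a severity tier, stale devices
    (typically laptops that rarely touch the network) come first because the tool
    cannot vouch for them; hostname breaks remaining ties for a stable order."""
    pending = [ep for ep in inventory if ep["missing"]]
    ordered = sorted(pending, key=lambda ep: (-endpoint_risk(ep), not is_stale(ep, today), ep["host"]))
    return [ep["host"] for ep in ordered]

def coverage_report(inventory, today=AS_OF):
    """The 'Measure' step: how many endpoints are fully patched, how many carry a
    high-severity gap (CVSS >= 7.0), and which ones the numbers cannot account for."""
    total = len(inventory)
    patched = sum(1 for ep in inventory if not ep["missing"])
    critical = sum(1 for ep in inventory if endpoint_risk(ep) >= 7.0)
    unverifiable = [ep["host"] for ep in inventory if is_stale(ep, today)]
    return {"total": total, "patched": patched, "patched_pct": round(100 * patched / total, 1),
            "critical_endpoints": critical, "unverifiable": unverifiable}

if __name__ == "__main__":
    print("Remediation order:", remediation_queue(INVENTORY))
    print("Coverage:", coverage_report(INVENTORY))
```

A "patched" count that ignores the unverifiable list is exactly the false sense of security the reporting point above warns about, so the report keeps the two figures side by side.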