Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.
That lack of attention can cost. Recent stats from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even more ancient than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of vulnerabilities they observed on enterprise networks in 2014 were two years old or more.
“One of the biggest challenges on enterprise networks is knowing the state of all the things you own,” said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. “Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed.”
Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, a NTT Group security company.
“Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded,” he said. “The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities.”
The sheer number of patches that get released makes it difficult for enterprises to keep up, Fisher noted.
“It’s not just Microsoft Patch Tuesday anymore,” he said. “All of the vendors from Adobe to Zotac are producing patch updates for their software and hardware. Each of these patches needs to be evaluated and assessed for how it should be prioritized for deployment. The challenge that most enterprises have is that there is no prioritization so everything from the mundane to the most dangerous all gets the same treatment.”
Enterprises should begin prioritizing patch efforts based on the risk particular vulnerabilities pose to critical assets, as well as their exploitability and age, said Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. Organizations should also adopt a maturity model for threat and vulnerability management, he said.
“In general, you will probably have to accept that you can’t try to patch every single vulnerability,” he said. “Instead, focus on the critical assets that are most important to the organization. Eliminate vulnerabilities that put those critical assets at risk.”
Prioritizing vulnerabilities might require consolidating multiple vulnerability scanner feeds and analyzing issues based on known exploits, as well as simulating potential attack paths through the IT infrastructure, he added.
External information sources such as US-CERT alert TA15-119A – which lists the 30 vulnerabilities most commonly targeted in attacks – can also be good sources of information, noted Wolfgang Kandek, CTO of Qualys. Once those 30 are knocked off, focus on bugs that are known to have public exploits, he advised.
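The prioritization process described above (rank by risk to critical assets, exploitability and age, consolidate several scanner feeds, and clear an external "fix first" list before anything else) can be expressed as a small scoring model. The following is an added example written for this article, not code from any of the vendors quoted: the two scanner feeds, the asset criticality ratings, the known-exploited set, the must-patch list and the CVE identifiers (CVE-0000-000x) are all constructed placeholders, and the weights are illustrative choices rather than a published methodology.

```python
from dataclasses import dataclass, field
from datetime import date

# Fixed "today" so the age calculation is reproducible (constructed).
TODAY = date(2015, 6, 1)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float        # base score as reported by the scanner
    published: date    # when the vulnerability was publicly disclosed
    scanner: str       # which feed reported it


@dataclass
class Consolidated:
    host: str
    cve: str
    cvss: float
    published: date
    scanners: list = field(default_factory=list)


# Two hypothetical scanner feeds covering overlapping hosts (constructed data;
# the CVE identifiers are placeholders, not real CVEs).
FEED_A = [
    Finding("db01", "CVE-0000-0001", 9.8, date(2008, 3, 1), "scanner-a"),
    Finding("web01", "CVE-0000-0002", 7.5, date(2015, 4, 1), "scanner-a"),
    Finding("kiosk07", "CVE-0000-0003", 10.0, date(2006, 1, 1), "scanner-a"),
]
FEED_B = [
    Finding("db01", "CVE-0000-0001", 9.3, date(2008, 3, 1), "scanner-b"),  # same bug, lower score
    Finding("web01", "CVE-0000-0004", 5.0, date(2014, 1, 1), "scanner-b"),
]

# Business criticality of each asset, 1 (low) to 5 (crown jewels); constructed.
ASSET_CRITICALITY = {"db01": 5, "web01": 4, "kiosk07": 1}

# CVEs with mature public exploit code; constructed stand-in for an
# exploit-intelligence feed.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Externally mandated "fix first" list, standing in for the contents of an
# advisory such as US-CERT TA15-119A; constructed placeholder contents.
MUST_PATCH = {"CVE-0000-0004"}


def consolidate(*feeds):
    """Merge findings from several scanners, de-duplicated on (host, CVE).

    When scanners disagree on severity, keep the highest score so a finding
    is never downgraded just because a second tool rated it lower.
    """
    merged = {}
    for feed in feeds:
        for f in feed:
            key = (f.host, f.cve)
            if key not in merged:
                merged[key] = Consolidated(f.host, f.cve, f.cvss, f.published, [f.scanner])
            else:
                c = merged[key]
                c.cvss = max(c.cvss, f.cvss)
                c.scanners.append(f.scanner)
    return list(merged.values())


def score(finding, today=TODAY):
    """Risk score = severity x asset criticality x exploitability x age.

    Age counts because a bug that has been public for years has well-tested
    exploit code: the factor ramps from 1.0 (brand new) to 2.0 (5+ years old).
    Entries on the must-patch list get a large constant so they always sort
    to the top regardless of the other factors.
    """
    criticality = ASSET_CRITICALITY.get(finding.host, 3)  # unknown asset: assume medium
    exploitability = 2.0 if finding.cve in KNOWN_EXPLOITED else 1.0
    age_years = (today - finding.published).days / 365.25
    age_factor = 1.0 + min(age_years, 5.0) / 5.0
    total = finding.cvss * criticality * exploitability * age_factor
    if finding.cve in MUST_PATCH:
        total += 1000.0
    return total


def prioritize(findings, today=TODAY):
    """Return findings ordered highest risk first."""
    return sorted(findings, key=lambda f: score(f, today), reverse=True)


if __name__ == "__main__":
    for f in prioritize(consolidate(FEED_A, FEED_B)):
        print(f"{score(f):8.1f}  {f.host:8}  {f.cve}  via {','.join(f.scanners)}")
```

Run against the constructed feeds, the must-patch entry on web01 comes out first despite its modest CVSS score; the seven-year-old, exploited bug on the critical database host ranks above the CVSS 10.0 bug on the low-value kiosk; and that old kiosk bug still outranks the two-month-old, not-yet-exploited bug on the web server. Those three orderings are exactly the judgments the experts above describe, and they are the ones a plain CVSS sort gets wrong.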
“Attackers prefer environments where vulnerabilities stay unpatched for months or years at a time, allowing them to use their well tested exploit codes which have undergone significant QA over the years,” Kandek told SecurityWeek. “New exploits tend to be more temperamental, often crashing the target and alerting the user and IT departments.”
Beyond technology, improving the patch management process comes down to communication, said Fisher.
“If everyone from the CEO down understands why patching is so important and also realizes that the patching is being done in as silent and transparent a manner as possible, it’s possible to do an amazing job without overly disturbing the business,” he said.