Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.
That lack of attention can be costly. Recent statistics from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even older than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of the vulnerabilities it observed on enterprise networks in 2014 were two years old or more.
“One of the biggest challenges on enterprise networks is knowing the state of all the things you own,” said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. “Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed.”
Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, a NTT Group security company.
“Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded,” he said. “The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities.”
The sheer number of patches that get released makes it difficult for enterprises to keep up, Fisher noted.
“It’s not just Microsoft Patch Tuesday anymore,” he said. “All of the vendors from Adobe to Zotac are producing patch updates for their software and hardware. Each of these patches needs to be evaluated and assessed for how it should be prioritized for deployment. The challenge that most enterprises have is that there is no prioritization so everything from the mundane to the most dangerous all gets the same treatment.”
Enterprises should begin prioritizing patch efforts based on the risk particular vulnerabilities pose to critical assets, as well as their exploitability and age, said Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. Organizations should also adopt a maturity model for threat and vulnerability management, he said.
“In general, you will probably have to accept that you can’t try to patch every single vulnerability,” he said. “Instead, focus on the critical assets that are most important to the organization. Eliminate vulnerabilities that put those critical assets at risk.”
Prioritizing vulnerabilities might require consolidating multiple vulnerability scanner feeds and analyzing issues based on known exploits, as well as simulating potential attack paths through the IT infrastructure, he added.
External references such as US-CERT alert TA15-119A, which lists the top 30 targeted vulnerabilities, are also good sources of information, noted Wolfgang Kandek, CTO of Qualys. Once those 30 are knocked off, focus on bugs that are known to have exploits, he advised.
“Attackers prefer environments where vulnerabilities stay unpatched for months or years at a time, allowing them to use their well-tested exploit codes which have undergone significant QA over the years,” Kandek told SecurityWeek. “New exploits tend to be more temperamental, often crashing the target and alerting the user and IT departments.”
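The prioritization the article describes (consolidate scanner feeds, put vulnerabilities on an external priority list first, then those with known exploits, then rank by asset criticality and age) as an added example that is not from the article or any vendor named in it. The feeds, asset criticality table and CVE ids are constructed placeholders, and TOP_TARGETED stands in for a list such as TA15-119A that would be loaded from the advisory itself.

```python
# Added example: merge two constructed scanner feeds and order findings
# the way the article suggests. All ids and assets below are placeholders.
from datetime import date

# Hypothetical stand-in for an external priority list such as US-CERT TA15-119A.
TOP_TARGETED = {"CVE-0000-0001"}

# Constructed sample feeds from two scanners: asset, CVE, whether a public
# exploit is known, and the vulnerability's publication date.
FEED_A = [
    {"asset": "db01", "cve": "CVE-0000-0001", "exploit": True, "published": date(2013, 4, 1)},
    {"asset": "web01", "cve": "CVE-0000-0002", "exploit": True, "published": date(2014, 9, 1)},
    {"asset": "kiosk7", "cve": "CVE-0000-0003", "exploit": False, "published": date(2015, 3, 1)},
]
FEED_B = [
    {"asset": "db01", "cve": "CVE-0000-0001", "exploit": False, "published": date(2013, 4, 1)},
    {"asset": "web01", "cve": "CVE-0000-0004", "exploit": False, "published": date(2006, 1, 1)},
]

# Constructed asset criticality, as an asset inventory would supply it (higher = more critical).
CRITICALITY = {"db01": 3, "web01": 2, "kiosk7": 1}
TODAY = date(2015, 6, 1)  # fixed "today" so the ranking is reproducible


def consolidate(*feeds):
    """Merge feeds keyed by (asset, cve); 'exploit' is true if any feed reports one."""
    merged = {}
    for rec in (r for feed in feeds for r in feed):
        cur = merged.setdefault((rec["asset"], rec["cve"]), dict(rec))
        cur["exploit"] = cur["exploit"] or rec["exploit"]
    return list(merged.values())


def priority(rec, today):
    """Sort key, lower first: tier 0 = on the targeted list, 1 = known exploit, 2 = the rest;
    within a tier, more critical assets and older vulnerabilities come first."""
    tier = 0 if rec["cve"] in TOP_TARGETED else 1 if rec["exploit"] else 2
    age_days = (today - rec["published"]).days
    return (tier, -CRITICALITY.get(rec["asset"], 1), -age_days)


def patch_order(feeds, today):
    """Return (asset, cve) pairs in the order they should be patched."""
    ranked = sorted(consolidate(*feeds), key=lambda r: priority(r, today))
    return [(r["asset"], r["cve"]) for r in ranked]


if __name__ == "__main__":
    for asset, cve in patch_order([FEED_A, FEED_B], TODAY):
        print(asset, cve)
```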
Beyond technology, improving the patch management process comes down to communication, said Fisher.
“If everyone from the CEO down understands why patching is so important and also realizes that the patching is being done in as silent and transparent a manner as possible, it’s possible to do an amazing job without overly disturbing the business,” he said.