Too many of my client organizations find themselves in a quandary. Patching systems can be incredibly time-consuming and affect the stability of critical hosts. But not patching these systems can leave the critical hosts in a state ripe for compromise. While most organizations develop a strategy for applying security patches, there are often long periods where these critical hosts are not protected against security flaws. This may be due to scheduling or, more commonly, poor management processes that allow patches to be missed or 'broken.'
Scanning for vulnerabilities
When conducting technical security assessments, many of the vulnerabilities are identified by the common vulnerability scanner tools. Often I have to work out why a particular vulnerability exists on a host when later-disclosed security flaws for the same service are not present. The most common causes are that the security patches were applied in the wrong sequence or were simply missed.
It is surprising how few organizations conduct any internal vulnerability scanning procedures themselves. Doing so, after rolling out a security update to a number of critical hosts, is just good sense. As an added level of precaution, I recommend that vulnerability scans are also conducted on a weekly basis, especially in environments undergoing regular change. This provides a quick and easy mechanism to identify hosts that have lost some of their patching security, such as systems that have been recently restored from backup or had new application components installed that included older versions of shared libraries and services.
While many of the common vulnerability scanners are excellent at finding vulnerabilities and providing advice on which security patches you need to apply, don't assume that they will identify all the security flaws and missing patches. The better vulnerability scanners can find in excess of 1,000 of the most common or dangerous security flaws. However, don't be fooled into thinking that running two vulnerability scanners will potentially detect 2,000 security flaws – a best-case scenario will see you detecting an additional 10 percent with the second scanner.
In the assessments that I participate in, I regularly use dozens of tools against each host and verify the majority of findings manually. After the tools have run, a phase of manual inspection of each service is required, with reference to specialist vulnerability databases. The purpose here is to check that the latest security patches (and secure configuration options) have been applied, based upon the latest advisories and research.
I would strongly recommend that the personnel responsible for the security and patching of corporate hosts also subscribe to these vulnerability databases and join the various mailing lists to ensure that they receive immediate notification of disclosed security flaws and releases of patches. Access to this level of information is very important; not many people are aware of the volume of alerts and vulnerabilities discovered each year. For example, ISS's X-Force Global Threat Operations Center reported 644 new vulnerabilities in the last quarter of 2002 alone.
Another problem I regularly encounter is the introduction of services to hosts that the organization didn't know they had. Consequently, patches for these services have never been applied.
Patching in a controlled manner
An interesting development in the world of patching is the development of 'virtual' patching. As defensive technologies move from intrusion detection systems (IDS) to intrusion prevention systems (IPS) and suppliers increase their turn-around time for producing attack signatures, organizations will be able to use their IPS to protect against attacks targeting unpatched services. This will provide valuable breathing space, allowing them to schedule and test the application of security patches in a controlled manner.
Patching hosts will always be necessary, but too often it goes wrong. It is vital that the appropriate steps and checks are included in an organization's patching strategy. It only takes one missed or incorrectly patched service on a critical host to lead to an embarrassing system compromise. How robust is your patching strategy?
Gunter Ollmann is manager of X-Force Security Assessment Services EMEA for Internet Security Systems (www.iss.net)
Tips for managing host patching levels
- Carefully review the contents of the security patch (update, hot fix, service pack, etc.) and ensure that, when applying the security patches, they are applied in the correct order.
- Use the tools and scripts from the operating system or application vendors (e.g. Microsoft's Windows Update) to audit the local host to check that all the security patches have been applied.
- Utilize a good vulnerability scanning tool to check the host and ensure that the security patching was applied successfully, and has not opened any previously removed vulnerabilities.
- Ensure that you maintain a regular (i.e. weekly) vulnerability scanning procedure to rapidly identify any new security flaws that may arise from missed and late security patches, or irregular procedures such as system backup restorations.
- Subscribe to the professional vulnerability databases and security mailing lists to ensure that notifications of new security flaws and patches are not missed.
- Use your IDS or IPS to good effect, and ensure that it can cover you between scheduled patching intervals.
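The first tip above, and the earlier observation that patches applied in the wrong sequence are a common root cause, can be turned into a mechanical check. The following is an added example, not code from the article or from ISS: it takes a catalogue of patches and their prerequisites, derives an install order in which every prerequisite comes first, and audits the order a host actually applied, flagging prerequisites that were never installed and patches that were applied before something they depend on (the situation where an older patch overwrites newer files). The patch names, the catalogue and the host history are all constructed for illustration.

```python
# Added example, not code from the article: a small patch-sequencing check.
# A catalogue maps each patch to the patches that must already be installed
# before it (constructed names; vendors publish this as prerequisite or
# supersedence data). From it we derive a safe install order and audit the
# order a host actually applied, flagging missing prerequisites and patches
# that were applied before something they depend on.
from graphlib import CycleError, TopologicalSorter

# patch -> patches that must be installed before it (all names constructed)
CATALOGUE: dict[str, set[str]] = {
    "SP1": set(),                    # service pack: baseline for everything else
    "HF-100": {"SP1"},               # hot fix for the SSH service
    "HF-101": {"SP1"},               # hot fix for the SSL library
    "HF-102": {"HF-100", "HF-101"},  # roll-up that replaces files from both
}


def prerequisites(catalogue: dict[str, set[str]], patch: str) -> set[str]:
    """Return every patch that must precede `patch` (transitive closure)."""
    seen: set[str] = set()
    stack = list(catalogue.get(patch, ()))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(catalogue.get(p, ()))
    return seen


def install_order(catalogue: dict[str, set[str]], wanted: set[str]) -> list[str]:
    """Order in which to apply `wanted` (plus anything they need), prerequisites first."""
    needed = set(wanted)
    for p in wanted:
        needed |= prerequisites(catalogue, p)
    graph = {p: catalogue.get(p, set()) for p in needed}
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"catalogue has circular prerequisites: {exc.args[1]}") from exc


def audit(catalogue: dict[str, set[str]], applied: list[str]) -> dict[str, list]:
    """Check the sequence a host actually applied.

    missing      - prerequisites that were never applied
    out_of_order - (patch, prerequisite) pairs where the prerequisite was
                   applied *after* the patch that needs it, so its older
                   files may have overwritten newer ones
    unknown      - applied patches the catalogue knows nothing about
    """
    position = {p: i for i, p in enumerate(applied)}
    missing: set[str] = set()
    out_of_order: list[tuple[str, str]] = []
    unknown: list[str] = []
    for i, patch in enumerate(applied):
        if patch not in catalogue:
            unknown.append(patch)
            continue
        for req in prerequisites(catalogue, patch):
            if req not in position:
                missing.add(req)
            elif position[req] > i:
                out_of_order.append((patch, req))
    return {"missing": sorted(missing), "out_of_order": sorted(out_of_order), "unknown": unknown}


if __name__ == "__main__":
    print("install order:", install_order(CATALOGUE, {"HF-102"}))
    # constructed host history: roll-up applied first, then the older hot fix
    print(audit(CATALOGUE, ["SP1", "HF-102", "HF-100", "HF-999"]))
```

The catalogue is the part that has to come from the vendor's release notes; once it is captured, the same audit can be run against the patch history of every host after a rollout rather than trusting that the sequence was followed by hand.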
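The weekly scanning tip, and the earlier point that regular scans are there to catch hosts that have lost patching (a restore from backup, a component that brought back an older shared library), both come down to comparing this week's scan with earlier ones. The following is an added example, not the article's or any scanner's code: it parses a simple constructed "host | check_id | title" record format, keeps a history of earlier runs, and separates findings that have come back after being fixed (regressions) from genuinely new findings, hosts never scanned before and hosts that dropped out of the scan. The sample weeks and the CHK-* identifiers are constructed for illustration.

```python
# Added example, not code from the article: triage one week's scan results
# against earlier runs so that a host whose patching has regressed (restored
# from an old backup, re-installed component) is reported separately from
# genuinely new findings. The "host | check_id | title" line format and the
# CHK-* identifiers are constructed stand-ins, not any scanner's real output.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str
    title: str = field(compare=False)  # titles drift between scanner releases; key on host + check


Snapshot = dict[str, set[Finding]]  # host -> findings open on that host


def parse_snapshot(text: str) -> Snapshot:
    """Parse 'host | check_id | title' lines; 'host | - | -' records a clean host."""
    snapshot: Snapshot = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, check_id, title = (part.strip() for part in line.split("|", 2))
        findings = snapshot.setdefault(host, set())
        if check_id != "-":
            findings.add(Finding(host, check_id, title))
    return snapshot


@dataclass
class Triage:
    regressed: set[Finding] = field(default_factory=set)   # closed in an earlier run, open again
    new: set[Finding] = field(default_factory=set)         # never seen on this host before
    still_open: set[Finding] = field(default_factory=set)  # open in the previous run as well
    unknown_hosts: set[str] = field(default_factory=set)   # never scanned before
    missing_hosts: set[str] = field(default_factory=set)   # scanned last time, absent now


def triage(history: list[Snapshot], current: Snapshot) -> Triage:
    """Classify `current` against `history` (oldest first; last entry is the previous run)."""
    result = Triage()
    if not history:  # first ever run: everything is new
        result.unknown_hosts = set(current)
        result.new = set().union(*current.values())
        return result
    previous = history[-1]
    ever_seen: set[Finding] = set().union(*(f for snap in history for f in snap.values()))
    known_hosts: set[str] = set().union(*(set(snap) for snap in history))
    for host, findings in current.items():
        if host not in known_hosts:
            result.unknown_hosts.add(host)
        for finding in findings:
            if finding in previous.get(host, set()):
                result.still_open.add(finding)
            elif finding in ever_seen:
                result.regressed.add(finding)  # was fixed at some point, now back
            else:
                result.new.add(finding)
    result.missing_hosts = set(previous) - set(current)
    return result


def hosts_to_escalate(result: Triage) -> list[str]:
    """Hosts that lost patching since they were last clean: the ones to chase first."""
    return sorted({f.host for f in result.regressed})


# constructed sample runs; comment lines describe what happened that week
WEEK1 = """
# scan straight after the update rollout
db01  | CHK-0001 | SSH service missing vendor security update
db01  | CHK-0002 | SSL library below patched version
web01 | CHK-0002 | SSL library below patched version
"""
WEEK2 = """
# both hosts remediated
db01  | - | -
web01 | - | -
"""
WEEK3 = """
# db01 restored from a pre-rollout backup; app02 is a host nobody registered
db01  | CHK-0001 | SSH service missing vendor security update
db01  | CHK-0002 | SSL library below patched version
web01 | CHK-0003 | Web server missing vendor security update
app02 | CHK-0002 | SSL library below patched version
"""

if __name__ == "__main__":
    report = triage([parse_snapshot(WEEK1), parse_snapshot(WEEK2)], parse_snapshot(WEEK3))
    print("regressed:", sorted((f.host, f.check_id) for f in report.regressed))
    print("new:", sorted((f.host, f.check_id) for f in report.new))
    print("unknown hosts:", sorted(report.unknown_hosts))
    print("escalate:", hosts_to_escalate(report))
```

Keying a finding on host and check identifier rather than on its title is deliberate: scanner vendors reword titles between releases, and a renamed check would otherwise show up as "new" and hide the fact that it is a regression. The "unknown hosts" bucket is the scan-side counterpart of the services nobody knew they had.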