Patching – Leaving the Door Wide Open
Written By Andy Pantelli
It’s Security 101: keep your systems updated with the latest security patches. As security professionals it’s probably the first piece of advice you ever gave. This was especially true for the Windows Operating System (OS) way back in time when cyber criminals were — depending on how you look at it — perhaps not as sophisticated, smart or just plain sneaky as they are today.
The attack vector was a big attack surface around the time of Windows Millennium Edition. Professionals were constantly emphasising the importance of keeping the OS patched with the latest Microsoft Updates. Of course, back in those days, the Apple Mac user base would look down in smug satisfaction with the belief that their chosen OS was ‘bullet proof’ giving them immunity from such trivialities as Security. That turned out to be a false sense of security, but let’s leave the whole Windows vs Mac debate for another time & place…
The only user group that could claim some kind of moral high ground were the users of
Linus Torvalds Operating System. Whilst Linux is by no means immune to the need of Patching, by its very nature is inherently more secure that the Operating Systems primarily aimed at the domestic market and its user base. The point I’m making, albeit rather long-winded way is that Patching has always been the first line of defence keeping systems secure.
The security landscape has evolved since those times, but the one constant that remains true is that Patching remains important, and the first line of defence. Now that we have established and understood the importance of keeping our systems Patched we’ll now look at some of the challenges we face. To put this into some context, around the time of Windows Millennium the Mitre ATT&CK database numbered around 1000 CVEs. As of 2021 this had grown to over 20,000. Clearly this presents a logistical nightmare for security teams in keeping up to date with the latest threats to our infrastructure, endpoints, devices & applications.
Vulnerability Management vs Vulnerability Patching
Understanding how vulnerability management differs from vulnerability patching is crucial in constructing and defining a policy to ensure we keep our critical operating systems, applications & infrastructure secured.
Vulnerability management is knowing what to patch, how to rollout updates, which patches to apply and in what order and when. Most enterprises lack a mature service catalogue, if at all. Who needs asset management, right?
Knowing what you are protecting then identifying the owners responsible for patching becomes the next obstacle. What should be a simple process is sometimes made difficult just by operational organisation & procedures. For example, consider a Windows Server VM running Active Directory & DNS Services but also provides radius for the enterprise Wi-Fi authentications. Here we have a typical use case of various teams having services running on a single server. Potentially the VM team would have an interest, equally so would the Windows Server Team and the Network team. Just to add into the mix the DNS service is being used for GSLB by the Citrix team.
So, in this example just who would be responsible for patching the server? Once we’ve decided who should be patching, we then have to juggle each part of the business needs for when to schedule the update. Then finally we need to put this through change management who insist that the patch is fully tested before rolling out into production. Scale this exponentially across a large estate and you see the challenge. Although, this team structure may not be applicable in small businesses that may not have such a developed organisational structure this is certainly a typical environment in large national or multinational enterprise with structured DevOps teams.
Vulnerability patching on the other hand, as we have already stated, is challenged by not having full visibility into devices or applications. Patching is the actual process of updating vendor software, or hardware to fix identified flaws. Having a vulnerability scanner is essential to help us identify these flaws utilising frequent scans to help identify vulnerabilities. Options include online or on-premises solutions. Assisting with this are EDR solutions that can help us manage endpoints proactively. This should include all our systems, software, applications and network infrastructure. Gaps in visibility can occur when new servers, endpoints or devices are deployed which the scanner is not aware of. Making sure we don’t miss these should be included in the Vulnerability Management policy and within the patching policy.
Fortunately, many tools exist to help security teams apply patches such as Microsoft Systems Configuration Manager (SCCM) – since renamed Microsoft Endpoint Configuration Manager. Alongside this many organisations deploy WSUS which is the Windows Server Update Service. Assisting Network configurations Solar Winds NCM provides continuous monitoring and real-time change detection. Looking at Patching from a vendor-agnostic viewpoint crucially Patching should be scheduled with High or Critical vulnerabilities Patched outside of regular schedules to ensure the best possible protection. Understanding the risk of applying the latest Patch as opposed to not doing so may involve discussions with various stakeholders, for example, the Risk team, Networks or Security Operations and should be considered in the policy.
Patching is not just about applying the updates, the Vulnerability Management Policy is equally as important, if not more so. Without a clearly defined process, updating our systems can be confused, disjointed or mismanaged. This part of securing our systems is too important not to be considered a priority. As adversaries become more sophisticated, we must ensure that our Vulnerability Management and Vulnerability Patching processes and procedures are of the best possible standard. Organisational structures are a key factor in the process with smaller, more agile teams taking on the whole responsibility themselves. With larger, more fragmented organisations Patching becomes a major challenge. Despite being “Security 101”, it can quite easily become “Security 999”.