Thursday, March 15, 2007

Patches in Business

This week I’m looking at patch management, which is one of the most important cornerstones of computer security. My interest was sparked by an article based on a study that found that computers hooked up to the internet have a hacker attack run against them about every 39 seconds (see here). While the bulk of those attacks were password related (I may blog about this later), some of them were vulnerability attacks, which are the lower-hanging fruit when it comes to small businesses and are the part most relevant to you.

The need for patch management arises from the fact that there is no such thing as ‘perfectly written code’, meaning that software ships with bugs (imperfections or problems) or, worse, vulnerabilities, which may or may not yet be known to its authors. With many programs containing thousands or even millions of lines of code, the complexity of the code is often hard to grasp. This problem is compounded by the fact that some code, such as Microsoft’s, is proprietary and closed source (which also contributes to lock-in of the buyer). Of course, vulnerabilities vary in their impact, and depending on who discovers a vulnerability there are generally 2 significant paths:

1. The owners of the code discover the vulnerability, notify the public, assign it a (subjective) risk level, and then patch the code accordingly

2. Someone else discovers the vulnerability and either reports it to the owners for correction or uses it as ammunition for exploitation

From 0-day to infinity

The term 0-day refers to the number of days between the public advisory and the release of an exploit. In the case of Microsoft, on the 2nd Tuesday of each month (referred to as Patch Tuesday) the folks in Redmond release a set of patches to fix the problems in their software (whether discovered by them or reported by another party). Through reverse engineering of those patches, code is then written to exploit the ‘critical’ vulnerabilities (some of which can grant root or administrator privileges) and released the next day for sale (termed ‘Exploit Wednesday’). Apparently there is a sizeable black market for these 0-day exploits (some commanding prices upwards of $5,000 a pop; see pic in blog here) as hackers and legitimate security experts try to gain an advantage over companies scrambling to push the patch onto all of their systems.

Eventually, as more systems become patched and you get further from 0-day, the exploit code or a variant of it is incorporated into exploit suites such as Metasploit (www.metasploit.com), where beginners like you and me can use them by typing simple commands, without understanding the underlying code, and best of all: it’s free and open source. A more advanced but costly tool is Core Impact ($25k/yr per license!). Like all things, there are some people who are late movers or never apply the patches to their systems and leave themselves exposed. Some argue that Microsoft purposely releases vulnerable software and uses the update system to deter piracy, as only those who have authentic Windows keys can obtain updates. With many people relying on pirated Windows OSs, it’s easy for a ‘wannabe hacker’ to do a lot of damage for many years to come.

Why businesses are slow or don’t patch ‘critical’ vulnerabilities

With the threat of 0-day exploits it is imperative for businesses to apply patches as soon as possible, because doing so closes their window of exposure. But as I mentioned before, each vulnerability varies in its impact on the organization, and as a result some businesses choose not to patch right away. Why not? First off, some patches are non-critical, meaning they have no security impact. For example, updating Windows Media Player to include a new feature is considered an optional update, and for brevity I won’t consider these here. Three major reasons why businesses don’t patch critical vulnerabilities are 1) that the business doesn’t deem the threat a significant risk to the business, 2) that there is a lack of the funds or resources necessary to deploy the updates, or 3) that there are other impeding organizational considerations such as lost revenue, politics, and bureaucracy.

Let’s say, for example, there is a vulnerability whereby, by running a script, a 3rd-party user can obtain administrator access to a web server through FTP (file transfer protocol). Once discovered, Microsoft would immediately rate this a critical update because of the potential impact. But what if a business doesn’t have a web server and all its systems are configured to block FTP packets? Here, the critical update is not necessary to the business, and managers may never patch the vulnerability or may leave it as a last priority. On the other hand, let’s assume a company has hundreds of computers worldwide, and the cost to manually patch all the systems is $1 million (IT administrators’ time doesn’t come cheap). Even if the company can afford the cost, manually updating hundreds of systems will still take weeks, so some companies have purchased automated patch management software (an in-demand IT solution that is often bundled with security consulting services; ex: patchlink.com). But even with these solutions businesses are slow to apply patches, because doing so translates into downtime and potentially lost revenue or productivity.

Implications for Business

When it comes to vulnerabilities in software that has a wide user base, such as Microsoft Windows products, all users are affected, but businesses are particularly targeted because there is a greater potential reward. As with all business, security is also about risk, and one of the first steps is to know the value of what you are securing (the NSA has a methodology called IAM; see here for more info). Obviously, if something is extremely valuable, like the systems that store patient records at a hospital, then those are the systems on which you want to spend more of your security money. There is a trade-off between cost and confidence in security, and because security is something intangible, many managers are initially reluctant to dedicate the necessary money or resources. As the next-generation manager, it is important for you to know what information is critical to the business, what threats are out there, and what solutions you can apply to mitigate the risk. Even with a limited budget, patch management is an essential pillar of an information security plan, as tools like Metasploit can be easily obtained and utilized, leaving your business at the mercy of a hacker.
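To make the two points above concrete (the FTP example in the previous section, where a critical patch matters less on systems that block the affected service, and the point here that you should first know the value of what you are securing), here is an added Python example that is not part of the original post. It scores each open advisory against each asset by severity, asset value, whether the affected service is actually reachable, and how long the patch has been public, then orders the patching work. The severity weights, the 0.25 residual factor for a blocked service, the 1–5 asset value scale, the advisory ids, dates and host names are all constructed for illustration and are not Microsoft’s ratings or the NSA IAM’s actual scales.

```python
from dataclasses import dataclass, field
from datetime import date

# Severity labels loosely modelled on vendor advisory ratings; the numeric
# weights are assumptions for this illustration, not any vendor's scale.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Residual exposure assumed for an asset that carries the vulnerable code but
# blocks the affected service at the network edge (e.g. FTP filtered). It is
# not zero: a misconfiguration or an internal host could still reach it.
BLOCKED_SERVICE_FACTOR = 0.25


@dataclass
class Advisory:
    adv_id: str            # placeholder identifier, constructed for the example
    severity: str          # key into SEVERITY_WEIGHT
    affected_service: str  # network service the flaw is reached through
    released: date         # date the patch was published


@dataclass
class Asset:
    name: str
    value: int             # business value 1..5 from an IAM-style assessment (assumed scale)
    exposed_services: set  # services reachable on this host
    applied: set = field(default_factory=set)  # advisory ids already installed


def exposure_factor(adv: Advisory, asset: Asset) -> float:
    """1.0 if the affected service is reachable on the asset, else a residual factor."""
    if adv.affected_service in asset.exposed_services:
        return 1.0
    return BLOCKED_SERVICE_FACTOR


def risk_score(adv: Advisory, asset: Asset, today: date) -> float:
    """Severity x asset value x exposure x age; 0 once the patch is applied."""
    if adv.adv_id in asset.applied:
        return 0.0
    # The longer a patch has been public, the more likely exploit code has
    # reached point-and-click tooling, so the weight grows over the first 30 days.
    days_public = (today - adv.released).days
    age = 1.0 + min(max(days_public, 0), 30) / 30
    return SEVERITY_WEIGHT[adv.severity] * asset.value * exposure_factor(adv, asset) * age


def prioritize(advisories, assets, today: date):
    """Return (score, advisory id, asset name) tuples, highest risk first."""
    work = []
    for adv in advisories:
        for asset in assets:
            score = risk_score(adv, asset, today)
            if score > 0:
                work.append((round(score, 2), adv.adv_id, asset.name))
    work.sort(reverse=True)
    return work


# Constructed sample data: ids, dates, services and values are illustrative only.
ADVISORIES = [
    Advisory("ADV-0001", "critical", "ftp", date(2007, 3, 13)),
    Advisory("ADV-0002", "important", "smb", date(2007, 3, 1)),
    Advisory("ADV-0003", "low", "rpc", date(2007, 2, 1)),
]
ASSETS = [
    Asset("patient-records-db", 5, {"smb"}),
    Asset("web-server", 3, {"ftp", "http"}),
    Asset("front-desk-pc", 1, {"ftp"}, applied={"ADV-0001"}),
]
TODAY = date(2007, 3, 15)


def build_plan():
    """Patching order for the constructed inventory as of TODAY."""
    return prioritize(ADVISORIES, ASSETS, TODAY)


if __name__ == "__main__":
    for score, adv_id, asset_name in build_plan():
        print(f"{score:6.2f}  {adv_id}  {asset_name}")
```

Run as-is, the top of the list is the two-week-old ‘important’ SMB advisory on the high-value patient records host, ahead of the fresh ‘critical’ FTP advisory on the web server; the same critical FTP advisory scores far lower on the records host because FTP is not reachable there, and it drops out entirely for the front-desk PC that has already applied it. That ordering is the point: the vendor’s severity rating is one input, not the whole decision.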

And if you get anything from this post, by now you should know to keep your software up to date, so do it now! :)

Thursday, March 8, 2007

Hello World!

Hello Everyone and Welcome to my Blog!

Here I plan to write about the need for information security no matter what the size of the organization. But before I go any further you’re probably wondering who I am and why you should read anything written by me. Well, currently I’m a senior at the Marshall School of Business with a concentration in information systems. During my summer internship last year, I worked as a technology risk consultant and got to see the abilities of a business intelligence tool that analyzed and categorized threats as information passed through the network. I’ve also done cross-disciplinary work at the Viterbi School of Engineering, where I took courses on web security and forensics, and am currently working with the Director of ITP on how to plan and implement an information security plan from the ground up, across an enterprise.

My interest in information security stems from childhood, where until recently the focus of my academic pursuit was on the construction of information systems: whether that is a computer from components or using Oracle to design a relational database. This focus was great for a beginner, and I took the perspective, like much of the world at the time, that as long as it worked we could put it in the closet and lock it up. Now that I am proficient at building, the focus has shifted toward breaking down and filling in the pieces that threaten to debase the edifice. (For example: how to gain unauthorized access to a system, or integrating key policies and procedures into the security plan to give managers the authority to monitor and fire employees.)

I also have to admit that it’s pretty cool being able to see what people do and realizing the level of trust and risk they expose themselves to unknowingly. Of course, doing so responsibly…

This unknowing trust and risk leads to debacles in organizations all around us. For example, recently an unnamed school on the other side of town had its systems compromised for nearly a year; those systems contained the personal information, including SSNs, of almost a million students, alumni, and faculty (link to Washington Post). Even the school I’m attending (USC) had its admission application database hacked using a common hacking technique called SQL injection. Allegedly, the hacker acted as a white hat and notified USC officials, but the school still filed a complaint with the FBI and spent $140,000 notifying applicants of the breach (link to Daily Trojan). Furthermore, something as simple as a stolen laptop threatened millions of veterans’ and active military service members’ identities last May. Yet this is only the tip of the iceberg, as thousands of other stories don’t get media attention, and even more organizations that fail to see the value of security (particularly small to medium-sized businesses) are ticking time bombs.

As we become a society increasingly reliant on computers, the problems mentioned above and the need for security will only become more pronounced. In the future I plan to blog about ‘hacking attacks’ such as denial of service and SQL injection, privacy and protection measures such as business policy contracts and passwords, and perhaps the myth of the ‘Secure Mac’. Check back here often as I continue to examine the world of information security: the business it creates, the damage that can be done, and how it all relates to you.