Thursday, March 15, 2007

Patches in Business

This week I’m looking at patch management, which is one of the most important cornerstones of computer security. My interest was sparked by an article based on a study that found that computers hooked up to the internet have a hacker attack run against them about every 39 seconds (see here). While the bulk of those attacks were password related (I may blog about this later), some of them were vulnerability attacks, which are the lower-hanging fruit when it comes to small businesses, and the more relevant kind for you.

The need for patch management arises from the fact that there is no such thing as ‘perfectly written code’, which means that software is shipped with bugs (imperfections or problems) or, worse, vulnerabilities, whether known or not yet known to the writers. With many programs containing thousands and even millions of lines of code, the complexity of the code is often hard to grasp. This problem is compounded by the fact that some code, such as that offered by Microsoft, is proprietary and closed source (which also contributes to lock-in of the buyer). Of course, vulnerabilities vary in their impact, and depending on who discovers the vulnerability there are generally two significant paths:

1. The owners of the code discover the vulnerability, notify the public and assign it a risk level (a subjective rating), then patch the code accordingly

2. Someone else discovers the vulnerability and either reports it to the owners for correction or uses it as ammunition for exploitation

From 0-day to infinity

The term 0-day refers to the number of days between the public advisory and the release of an exploit. In the case of Microsoft, on the second Tuesday of each month (referred to as Patch Tuesday) the folks in Redmond release a set of patches to fix the problems in its software (whether discovered by them or reported by another party). Through reverse engineering of those patches, code is then written to exploit the ‘critical’ vulnerabilities (some of which can grant root or administrator privileges), and the exploits are released for sale the next day (termed ‘Exploit Wednesday’). Apparently there is a sizeable black market for these 0-day exploits (some commanding prices upwards of $5,000 a pop; see pic in blog here) as hackers and legitimate security experts try to gain an advantage over companies scrambling to push the patch onto all of their systems.

Eventually, as more systems become patched and you get further from 0-day, the exploit code or a variant is incorporated into exploit suites such as Metasploit (www.metasploit.com), where beginners like you and me can use them by typing simple commands, without understanding the underlying code, and best of all: it’s free and open source. A more advanced, but costly, tool is Core Impact ($25k/yr per license!). Like all things, there are some people who are late movers or who never apply the patches to their systems and leave themselves exposed. Some argue that Microsoft purposely releases vulnerable software and uses the update system to deter piracy, as only those who have authentic Windows keys can obtain updates. With many people relying on pirated Windows OSs, it’s easy for a ‘wannabe hacker’ to do a lot of damage for many years to come.

Why businesses are slow or don’t patch ‘critical’ vulnerabilities

With the threat of 0-day exploits it is imperative for businesses to apply patches as soon as possible, because doing so closes their window of exposure. But as I mentioned before, each vulnerability varies in its impact on the organization, and as a result some businesses choose not to patch right away. Why not? First off, some patches are non-critical, meaning they have no security impact. For example, updating Windows Media Player to include a new feature is considered an optional update, and for brevity I won’t consider these here. The three major reasons why businesses don’t patch critical vulnerabilities are: 1) the business doesn’t deem the threat a significant risk to the business, 2) there is a lack of the funds or resources necessary to deploy the updates, or 3) there are other impeding organizational considerations such as lost revenue, politics, and bureaucracy.

Let’s say, for example, there is a vulnerability whereby, by running a script, a third-party user can obtain administrator access to a web server through FTP (file transfer protocol). Once discovered, Microsoft would immediately classify this as a critical update because of the potential impact. But what if a business doesn’t have a web server and all its systems are configured to block FTP packets? Here, the critical update is not necessary to the business, and managers may never patch the vulnerability or may leave it as a last priority. On the other hand, let’s assume a company has hundreds of computers worldwide, and the cost to manually patch all the systems is $1 million (IT administrators’ time doesn’t come cheap). Even if the company can afford the cost, manually updating hundreds of systems will still take weeks, so some companies have purchased automated patch management software (an in-demand IT solution that is often bundled with security consulting services; ex: patchlink.com). But even with these solutions businesses are slow to apply patches, because doing so translates into downtime and potentially lost revenue or productivity.
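The prioritization argument above (vendor severity is only one input; whether the vulnerable service is actually reachable, what the asset is worth, whether exploit code is public, and how long the window of exposure has been open all change the answer) can be written down as a small triage model. This is an added example, not code from the original post; the advisory, hosts, weights and scoring formula are all constructed for illustration, and the FTP scenario mirrors the one in the paragraph.

```python
from dataclasses import dataclass
from datetime import date
# Vendor rating weights; the rating itself is the vendor's subjective call.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

@dataclass(frozen=True)
class Advisory:
    patch_id: str
    severity: str          # vendor rating: critical / important / moderate / low
    published: date        # advisory date: the exposure window opens here
    service: str           # service the flaw lives in, e.g. "ftp"
    exploit_public: bool   # exploit code already circulating (Exploit Wednesday)

@dataclass(frozen=True)
class Host:
    name: str
    asset_value: int       # 1 (low) .. 5 (e.g. a patient-record system)
    reachable: frozenset   # services on this host reachable from the network
    installed: frozenset   # patch ids already applied

def days_exposed(adv, today):
    """Days since the advisory went public: the window of exposure so far."""
    return max(0, (today - adv.published).days)

def triage(adv, host, today):
    """Score one advisory against one host; 0 means nothing to do."""
    if adv.patch_id in host.installed:
        return 0, "already patched"
    if adv.service not in host.reachable:
        # Vendor says 'critical', but the service is blocked here: last priority.
        return 1, f"{adv.service} not reachable, compensating control in place"
    score = SEVERITY_WEIGHT[adv.severity] * host.asset_value
    if adv.exploit_public:
        score *= 2             # public exploit code doubles the urgency
    score += min(days_exposed(adv, today), 30)  # longer window, higher urgency
    return score, f"{adv.service} reachable, exploit public={adv.exploit_public}"

def patch_queue(advisories, hosts, today):
    """Ordered work list: highest score first, already-patched hosts omitted."""
    work = [(s, h.name, a.patch_id, why)
            for a in advisories for h in hosts
            for s, why in [triage(a, h, today)] if s]
    return sorted(work, key=lambda w: -w[0])

# Constructed sample: one Patch Tuesday advisory, three hosts, checked two days later.
TODAY = date(2007, 3, 15)
FTP_ADV = Advisory("ADV-2007-03-FTP", "critical", date(2007, 3, 13), "ftp", True)
HOSTS = [Host("web-01", 4, frozenset({"http", "ftp"}), frozenset()),
         Host("records-db", 5, frozenset({"ftp"}), frozenset({"ADV-2007-03-FTP"})),
         Host("desk-07", 2, frozenset({"smb"}), frozenset())]   # FTP blocked here
```

Running `patch_queue([FTP_ADV], HOSTS, TODAY)` puts the exposed web server first and the FTP-blocked desktop last, with the already-patched records host dropped from the list.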

Implications for Business

When it comes to vulnerabilities in software with a wide user base, such as Microsoft Windows products, all users are affected, but businesses are particularly targeted because there is a greater potential reward. As with all business, security is also about risk, and one of the first steps is to know the value of what you are securing (the NSA has a methodology called IAM; see here for more info). Obviously, if something is extremely valuable, like the systems that store patient records at a hospital, then those are the systems on which you want to spend more of your security budget. There is a trade-off between cost and confidence in security, and because security is something intangible, many managers are initially reluctant to dedicate the necessary money or resources. As the next-generation manager, it is important for you to know what information is critical to the business, what threats are out there, and what solutions you can apply to mitigate the risk. Even with a limited budget, patch management is an essential pillar of an information security plan, as tools like Metasploit can be easily obtained and used, leaving your business at the mercy of a hacker.

And if you get anything from this post, by now you should know to keep your software up to date, so do it now! :)

3 comments:

uscben said...

As extra brownie points for reading my blog, I'll clue you in on a little known secret.

Since some people can't get Windows updates due to piracy (not that anyone does it), you can get 100% legal and free Windows software through Marshall here:

http://msdn03.e-academy.com/elms/Storefront/Home.aspx?campus=usc_msbus

Log in through your Marshall account and put the software in your cart (it's free); upon checkout they give you a product key and a little piece of software that allows you to download the programs.

They even have Windows Vista Business Edition for FREE! That's putting your technology fee to use. Have fun and feel free to ask me any questions.

Albert Kurniady said...

Hi Benson,

As we all know, patches are very common in the Windows OS environment due to its popularity and wide usage. Maybe this is why more and more people are switching to Macintosh. Here you can see several reasons why the Mac gets the better overall grade.

Businesses may have to consider the possibility of using an all-Mac OS office to reduce the risk of getting hacked or of information leakage.

It is also very interesting to know about the 0-day concept, which can be exploited. I wonder if security breaches happen more during that period of time.

uscben said...

Albert, I'm a little disappointed to hear you say such things... The business world thrives off of compatibility, which is usually derived from standards wars and network effects. By introducing a Mac into your business, not only will you have problems getting files and programs (many programs weren't written for Mac) to work, but you will also have to incur added cost by developing and maintaining an additional environment.

Secondly, that link that you posted to is highly specific to that individual and is a qualitative analysis that is subject to bias (which obviously comes out in that post). He states as his thesis "I'm more secure using a Mac than XP." Look at his first point: "familiarity with security mechanisms". I'm sorry, but how does familiarity translate into security? It doesn't, which is why this analysis applies only to him (because OS X is like UNIX). In his analysis I think he points out two correct observations: 1. that Windows defaults lack security (but then again Windows defaults were designed for ease of use, and no smart business leaves all the defaults on) and 2. that malware percentages are higher for Windows XP. Lastly, businesses have solutions to the problems he mentions (ex: Active Directory to solve access control and privilege management), and although he may be secure because of the Mac's niche market and exposure, these same forces inhibit many businesses from using a solely Mac platform.