Patching for all the right reasons

Why do we do it? We treat our computers like %*@!!, pushing and pulling them in directions they were never meant to go, all in the name of increased productivity on an ever shrinking dime. In return, the least we could do is defend them against viruses and worms and vulnerabilities. But we tend not to.

Not all of this is due to inattentive IT departments (though much is), because patching is more than just downloading and installing hotfixes. Properly done, patching requires a lot of commitment and thought. Regardless, the number of fixable vulnerabilities out there is staggering.

“I would say that the majority of the vulnerabilities that we are looking at today have patches that are available,” said Dan McCall, co-founder of Guardent Inc. in Waltham, Mass. That number is probably on the order of 80 to 90 per cent, he added. “Very few vulnerabilities out there in the wild…don’t have patches.”

Gartner Research calls it user security indifference, a case where the vast majority of successful attacks on computer systems exploit security weaknesses which are both known and patchable.

Patching is a huge problem and it is going to get worse, said Brian O’Higgins, CTO with Entrust Inc. in Ottawa. “And we are losing and falling further behind,” he said.

To reverse the trend, you first need to get a handle on what you are up against, and it ain’t a pretty sight. There are literally thousands and thousands of vulnerabilities on every known platform for pretty much every application.

“[Vulnerabilities] are growing exponentially, in fact the number of incidences are growing at three times the rate of Internet connected hosts so it is not just more vulnerable hosts getting attacked,” McCall said.

Since it takes only one hole to open a wedge in a corporate network, the starting point is figuring out exactly what systems and applications you are running, since defending the unknown is impossible.

Deciding what is at risk

Once the network and its attributes are properly mapped – and going outside for help in this is not a bad idea – it is time to prioritize the data and applications.

Peter de Jager, an IT consultant based in Brampton, Ont., said all corporate data has to be placed into a security level. Usually four levels provide enough latitude, ranging from top security on a need-to-know basis down to public-access information.

“It is not the user who decides whether a patch is implemented, that is IT’s job,” de Jager said. “But the user can decide they want to move the data from one category to another and that may change whether a patch is needed.”

Now that all the data and technology are properly categorized and documented, it is time to find what vulnerabilities are out there and how to patch them. Almost all vendors have subscription-based patching and vulnerability services. When a new vulnerability and its accompanying patch are available, you will be e-mailed a notice. This is a good starting point, but by no means the only precaution to take.

O’Higgins suggests also monitoring third-party Web sites that are devoted to security. There are dozens with update bulletins, of which CERT and SANS are just two. Signing up for these services is not a bad idea, since vulnerabilities are coming out at a rate of about 50 a week, O’Higgins said.

“Then patch based on mission critical prioritization,” McCall said. “If you don’t have the expert on staff, there are resources out there that you can tap into.

“If my IT job was on the line, I would not leave it up to a vendor to make sure that my stuff was going to work,” was McCall’s simple warning.

Rob Walters, director of CanCERT in Ottawa, agrees. “It is a bit of a minefield; you can’t be slapping on patches just because they came out.”

The problem is that patches are rushed to market. That means not all of the bugs have been shaken out, and patches often open new holes while closing old ones.

“You need to test patches to make sure they are not going to [influence] your systems in other, unforeseen ways, increasing the security problem,” Walters said.

“[A patch] changes the run time of the code, [so] most IT people, especially anybody running a mission critical app, really wants to know what this stuff does,” McCall explained.

There are many other reasons not to patch. “Ask yourself, does the vulnerability actually apply to your use of the application?” Walters said. “Sometimes you are using it in a way that is not vulnerable, and there are cases where you will have other mechanisms in place that will reduce the vulnerability without the patches.”

Even though the pressure may be on to patch everything yesterday, careful planning and good corporate processes and policies are necessary for success.

Finally, once a patch is deemed necessary and properly tested against your applications then, and only then, should it be installed.
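The decision process the article lays out (inventory, data classification into four levels, applicability to your own use, compensating controls, test before install) can be written down as a triage rule. The following is an added Python example, not code from the article or anyone quoted in it; the tier names, weights, product names and advisory ids are constructed for illustration.

```python
from dataclasses import dataclass
# Four data security levels as in the article; tier names and weights are constructed here.
LEVELS = {"need_to_know": 4, "confidential": 3, "internal": 2, "public": 1}

@dataclass
class System:
    name: str
    product: str
    data_level: str                    # key into LEVELS
    features_in_use: frozenset         # parts of the product this deployment exercises
    controls: frozenset = frozenset()  # compensating mechanisms already in place

@dataclass
class Advisory:
    ident: str                         # bulletin id from a vendor or CERT/SANS feed
    product: str
    affected_feature: str              # the feature whose use makes the hole reachable
    patch_available: bool
    mitigated_by: frozenset = frozenset()  # controls that neutralize the hole

def triage(system, advisory, tested_ok):
    """Return (decision, weight): skip what does not apply, rank by data level."""
    if (advisory.product != system.product
            or advisory.affected_feature not in system.features_in_use):
        return "not_applicable", 0         # used in a way that is not vulnerable
    if advisory.mitigated_by & system.controls:
        return "mitigated", 0              # other mechanisms already reduce it
    weight = LEVELS[system.data_level]
    if not advisory.patch_available:
        return "track_unpatched", weight   # no fix yet; keep watching the feeds
    if not tested_ok.get((system.name, advisory.ident), False):
        return "test_first", weight        # never install an untested patch
    return "install", weight

def build_queue(systems, advisories, tested_ok):
    """Actionable (weight, system, advisory, decision) rows, most sensitive data first."""
    rows = [(w, s.name, a.ident, d) for s in systems for a in advisories
            for d, w in [triage(s, a, tested_ok)] if w]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample inventory and bulletins; not real products or advisory ids.
SYSTEMS = [
    System("hr-db", "dbsrv", "need_to_know", frozenset({"core", "remote_admin"})),
    System("www", "websrv", "public", frozenset({"core"}), frozenset({"waf"})),
    System("intranet", "websrv", "internal", frozenset({"core"})),
]
ADVISORIES = [
    Advisory("ADV-1", "dbsrv", "remote_admin", True),
    Advisory("ADV-2", "websrv", "core", True, frozenset({"waf"})),
]
```

Running `build_queue(SYSTEMS, ADVISORIES, {})` puts the need-to-know database ahead of the internal web server and drops the public server entirely, because its hole is already covered by an existing control; nothing reaches "install" until the test record for that system and bulletin says so.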

– With files from IDG News Service