Patch management is one of the drudge jobs that CISOs have to assign their teams to do, but it is a basic hygiene tool that helps lower cyber security risk.
Belgium-based security researcher Koen Van Impe reminded infosec pros this week of that in a blog detailing the need to patch Apache Struts, an open source framework for creating Java web applications and used to create Web sites on Windows and Linux systems. The patch fixes a vulnerability, CVE 2017-5638, that allows attackers to execute random code by the web server.
The versions of Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 184.108.40.206 are vulnerable, so the patch recommended by Adobe is to either upgrade to Struts 2.3.32 or Struts 220.127.116.11.
Which brings us to proper patch management, As Van Impe notes, the days of overseeing the process with spreadsheets is long gone. Today enterprise administrators have a wide range of automated patch management solutions to chose from major vendors (Microsoft, IBM, BMC, Oracle) or mid-size vendors (SolarWinds, LANDesk, ManageEngine, Shavlik Technologies, RingMaster, GFI and Secunia).
As others have noted, Van Impe reminds admins that fixing — and validating — everything as soon as a patch is released isn’t practical considering all the other things the security team has to do. “Define what is important to your business and assess the potential impact of system downtime,” he advises.
“You should also take into account the actual severity of a vulnerability. There are a number of scoring mechanisms that you can use to calculate the severity, such as the Common Vulnerability Scoring System (CVSS). Every organization must determine its thresholds for prioritizing a patch cycle. An organization might declare, for example, that everything above CVSS 8.0 must be patched within one week.”
Patchmanagement.org, which runs a mailing list for security pros to discuss patch related issues, also points out in a guide to essentials that change management is vital to every stage of the patch management process. “As with all system modifications, patches and updates must be performed and tracked through the change management system. It is highly unlikely that an enterprise-scale patch management program can be successful without proper integration with the change management system and organization.”
For CISOs who don’t have a mature patch management processes I found two resources: Start with the U.S. National Institute for Standards and Technology (NIST) guide to enterprise patch management technologies. It has a useful section on questions admins should be asking to develop useful metrics, such as what is the minimum/average/maximum time to apply patches to X percentage of hosts, and what cost savings has the organization achieved through its patch management processes.
Then look at the SANS Institute’s framework for building a comprehensive enterprise patch management program. “A successful framework includes policy, asset inventory control, risk management, standardization, and metrics,” it points out.