Patch Management and Security
By Tom Schmidt
Earlier this month, Microsoft issued nine security fixes -- eight of them rated "critical" -- for its Windows operating system. For some network managers, this was no ordinary "Patch Tuesday." According to an alert posted on the SANS Internet Storm Center (ISC) Web site, the patch detailed in Microsoft Security Bulletin MS05-051 immediately caused problems for some users.
Johannes Ullrich, chief technology officer at the ISC, told Computerworld that the organization had received over two dozen reports from people saying they had run into problems when attempting to install the patch. Among the problems encountered: an inability to use the Search tool in the operating system's Start Menu, a blank screen upon log-in to the Windows Update site, and disruption of virus-updating tools.
Ullrich speculated that the size and complexity of the October patches -- the nine updates fixed a total of 14 problems -- could be one reason for the problems.
The episode underscored yet again the constant challenges enterprises face in keeping their critical systems protected. This article looks at why timely patch management is more important than ever before, as well as some best practices in patch management.
The scope of the challenge
For network managers, the latest round of patches signaled yet another race against the clock -- and against malicious code authors. And the stakes are higher than ever. That's because the time between the announcement of a vulnerability and the release of exploit code is now extremely short. Data for the first six months of 2005 indicates that the average vulnerability-to-exploit window is six days. This short window leaves organizations with less than a week to patch vulnerable systems. As recently as a few years ago, enterprises had months to patch their systems before an attack was unleashed.
Just how extensive is the problem? Consider these statistics:
- 1,862 new vulnerabilities were documented in the first half of 2005, the highest number since the survey started tracking vulnerabilities in six-month increments.
- The average patch-release time for the past six months was 54 days. Combined with the six-day vulnerability-to-exploit window, this means that, on average, 48 days elapsed between the release of an exploit and the release of an associated patch.
- 97% of vulnerabilities were either moderately or highly severe.
A shift in the threat landscape
In today's networked computing environment, the failure to deploy patches promptly or correctly can cripple an organization, causing mass outages and security breaches. The devastation and costs that can result from an attack on vulnerable systems have made enterprises realize that they need to gain better control over their approach to patch management.
Of course, there is nothing new about the need to patch software. Software inherently contains bugs that need to be fixed, and software vendors have issued patches for decades in response. But the original intent -- to correct program flaws -- has been eclipsed by a torrent of urgent patches to address vulnerabilities that malicious code might exploit. The seriousness of this shift cannot be over-emphasized. As the latest edition of the Internet Security Threat Report observed, there has been a marked shift in the threat landscape.
The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Whereas traditional attack activity was motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit.
Moreover, patch management takes on a new level of urgency when hundreds or thousands of computers are at risk. The traditional method -- a physical visit to each machine -- is no longer feasible due to time and resource constraints. Many organizations find that their approach to patching is ineffective due to reliance on outmoded tools unable to handle the scale and complexity of large deployments -- particularly as users become increasingly mobile.
As network managers are well aware, regulatory compliance is also fueling the need for a tightly managed approach to patching. For example, in order to comply with new regulations such as Sarbanes-Oxley, executives and auditors are required to certify the security and integrity of their financial reporting systems.
It's little wonder, then, that a failure to patch is one of the greatest security risks an organization can face.
Best practices
Of course, patch management does not occur in a vacuum, but as part of the larger challenge of keeping systems running safely, consistently, and optimally. The overall goal should be to enhance "client resilience" for all devices, by helping to keep them secure, available, and compliant with corporate standards.
The generally accepted best practices for patch management are based on the "Patch Management Cycle," providing closed-loop control for identifying and eliminating vulnerabilities caused by missing patches. This cycle includes: vulnerability assessment, patch acquisition, testing, deployment, and tracking and reporting.
While each organization's approach will vary slightly, this structure provides a general framework for planning and evaluating a patch management strategy.
1. Vulnerability assessment
- Review current policies and procedures for patch management and risk mitigation
- Inventory existing hardware and software
- Identify vulnerabilities and classify risks
2. Patch acquisition
- Monitor the availability of software patches or updates
- Determine if patches are relevant to the organization
- Identify criticality of a patch to the IT environment
- Verify the patch's source and integrity
3. Testing
- Ensure that the patch will not damage or conflict with an existing solution or configuration
- Deploy the patch in a test environment that closely mirrors production
- Obtain approval to apply the patch
4. Deployment
- Communicate patch roll-out schedule to users
- Validate that the network can sustain the updates
- Deploy patches in a controlled and predictable fashion
- If appropriate, perform the rollout in tiers, with initial tier(s) involving less critical systems
5. Tracking & reporting
- Summarize findings
- Document successes and failures of patch and vulnerability management
- Verify that each targeted machine has been successfully updated
- Archive patch scan data for auditing and to prove due diligence
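As an added illustration (not part of the original article), the Python model below maps each phase of the cycle to a function: assessment computes the patches each host lacks, acquisition checks a download's SHA-256 against the published value, deployment groups hosts into tiers with less critical systems first, and reporting yields a fleet compliance figure. Host names, patch identifiers, payloads and hashes are constructed sample data, not real bulletins.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Patch:
    id: str          # constructed identifier, not a real bulletin number
    severity: str    # "critical", "important" or "moderate"
    sha256: str      # hash the vendor publishes for the download (constructed here)

@dataclass
class Host:
    name: str
    tier: int        # rollout tier: 1 = least critical systems, patched first
    installed: set = field(default_factory=set)

# Constructed sample data: a patch payload, its catalog entry and three hosts.
GOOD_PAYLOAD = b"constructed patch bytes for KB-0001"
CATALOG = {
    "KB-0001": Patch("KB-0001", "critical", hashlib.sha256(GOOD_PAYLOAD).hexdigest()),
    "KB-0002": Patch("KB-0002", "important", "0" * 64),  # placeholder hash
}
HOSTS = [
    Host("ws-01", tier=1, installed={"KB-0001"}),
    Host("ws-02", tier=1, installed={"KB-0001", "KB-0002"}),
    Host("db-01", tier=3, installed=set()),
]

def verify_patch(patch: Patch, payload: bytes) -> bool:
    """Patch acquisition: accept a download only if its SHA-256 matches the published value."""
    return hashlib.sha256(payload).hexdigest() == patch.sha256

def missing_patches(host: Host, catalog: dict) -> list:
    """Vulnerability assessment: catalog patches the host lacks, most severe first."""
    rank = {"critical": 0, "important": 1, "moderate": 2}
    missing = [p for p in catalog.values() if p.id not in host.installed]
    return [p.id for p in sorted(missing, key=lambda p: (rank[p.severity], p.id))]

def rollout_plan(hosts: list, patch_id: str) -> list:
    """Deployment: hosts still needing the patch, grouped by tier, lowest tier first."""
    plan = {}
    for h in hosts:
        if patch_id not in h.installed:
            plan.setdefault(h.tier, []).append(h.name)
    return [(tier, sorted(plan[tier])) for tier in sorted(plan)]

def compliance_report(hosts: list, catalog: dict) -> dict:
    """Tracking and reporting: per-host gaps plus the share of fully patched hosts."""
    gaps = {h.name: missing_patches(h, catalog) for h in hosts}
    compliant = sum(1 for g in gaps.values() if not g)
    return {"gaps": gaps, "compliance_pct": round(100 * compliant / len(hosts), 1)}
```

The archived output of compliance_report is the kind of scan data the last step above keeps for auditing.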
Conclusion
Patch management must be seen in context as one element of a comprehensive security plan for enterprises, one that continuously addresses such questions as: Where are the threats coming from? Where are our vulnerabilities? Are our processes consistent and effective? What do we stand to lose? If disaster strikes, are we prepared to deal with it?
Today's IT organizations require a patch remediation solution that is fast, accurate, flexible, and easy to use. The challenge involves getting centralized, streamlined control over all patching activities, including scanning for missing patches, flexible grouping of target machines, downloading of required patches, automated packaging and deployment, and comprehensive reporting.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.