Spring cleaning is traditionally an activity undertaken as the seasons change in the home. But we in the business world would be well advised to take a leaf out of this particular book and expand the spring cleaning to our computers and servers.
The recent Cisco Annual Security Report (CASR) highlighted that one of the biggest threats to business is poor patching discipline. Many well-known vulnerabilities in products and software are simply not being patched by in-house teams.
For example, Heartbleed, the recent dangerous security flaw which was massive news right across the world’s media outlets, was created to exploit OpenSSL. Yet 56 percent of all OpenSSL versions are older than 56 months and are therefore still vulnerable to its effects. And if something so well publicized is still out there, what hope is there for the lesser known vulnerabilities and threats?
The Cisco ASR also highlighted that last year, 1 percent of high-urgency common vulnerabilities and exposure (CVE) alerts were actively exploited.
This means organizations must prioritize and patch just 1 percent of all vulnerabilities. But sadly they don’t seem to be doing it.
The simple fact is that patches to protect against most vulnerabilities already exist and so it is relatively easy to protect against these common and well-known threats, (provided you have the discipline and processes to do so). If we were better at patching vulnerabilities, 99.9% of the threats that compromise networks around the world would go away. For all the media interest in the zero-day exploits (i.e. previously unknown threats), they remain very rare as the cybercriminal gangs who dominate online crime know that they don’t need to exploit new vulnerabilities, the older ones will usually do the job.
It is like fencing in a flock of sheep, but leaving the gate open to the wolf prowling around on the outside. He doesn’t have to scale the walls, or find a hole in the fencing; he can come in via the main door. Simple.
Greater use of automatic updating may be one solution to the outdated software problem. Cisco security research teams compiling the CASR examined data from devices that were connected online and using either the Chrome or Internet Explorer browser. The data showed that 64 percent of Chrome requests originate from the latest version of that browser. As for Internet Explorer users, just 10 percent of requests originated from the latest version.
It seems that the Chrome automated update system may be more successful in ensuring that as many users as possible have the most recent software version, and hence a higher level of protection.
The CASR results clearly indicate that software that automatically installs its own updates seems to have an advantage in creating a safer security framework. To overcome the guaranteed eventual compromise that results from manual update processes, it may be time for organizations to accept the risk of occasional failure and incompatibility that automatic updates represent.
A comprehensive patch management process should be a major component to protecting the confidentiality, integrity, and availability of information on computing devices and the data they store or transmit. Patch management is not always a simple task, as most organizations have a variety of platforms and devices from fixed to mobile, along with other challenges that make patching these components very difficult.
The best approach for a successful patch management process is first to discover all assets that reside on the network. Organizations should create and maintain an up-to-date inventory list of all computing devices in the environment. With this updated list, an organization can determine which operating systems, software, and existing patches are present on devices in the network, aiding development of a baseline policy. The next step in the patch management process is to determine if there are any unpatched devices in the environment and perform a risk analysis for the missing patches. There are various tools on the market that can assist in scanning the environment to perform a detailed analysis of the infrastructure.
After this is all done, remediation should be performed to bring all systems up to date with the latest patches, but not before creating a change management process to help with versioning control and documentation. Once the remediation is complete and all systems are using the latest software versions, the organization will have a new baseline to start from to continue the cycle of patch management. A minimum baseline policy with the latest patches is a good place to start to keep your patch management process running smoothly and efficiently throughout this continuous lifecycle.
So while you are in the spring cleaning mood, don’t forget to spring clean your network and check what your patching status is like and how many assets you have.