Symantec's annual "Internet Security Threat Report" highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?

Patching is a preventive measure that protects systems from unauthorized users, malware or errors that adversely affect normal processing. Products such as Microsoft Office, antivirus software, network devices, Linux and Windows servers, midrange systems and large mainframes all need security patches, program temporary fixes or updates. Updates are different from patches, but it's helpful to discuss them together, since some updates not only add enhancements to a product but also eliminate errors and possible vulnerabilities. Security patching can be automated, but many organizations choose to patch selectively because of limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.

Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to apply patches within 30 days of the patch notice. However, a significant number of companies do not consider patching a priority until a vulnerability has been exploited and results in an outage or breach, or until it is required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify missing critical patches and give enterprises a clearer view of their patch posture.

Security patching can and should be done by system administrators, but security teams may be in charge of monitoring for critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the organization's change control procedures.

In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:

  • Outline a vulnerability and patching policy that defines how the enterprise identifies vulnerabilities, the roles and responsibilities related to patching activities, the sources used to identify vulnerabilities and the sources used to identify required patches;
  • Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
  • Keep current the patch management software that automatically keeps desktops, laptops and remote users up to date with the latest security patches and software updates;
  • Subscribe to an alerting service -- typically from the vendors of the software requiring patches -- that will supply information on new vulnerabilities and associated patches; and
  • If it is subject to PCI DSS compliance, make sure the enterprise meets PCI DSS requirement 6.2, which requires all system components and software to be protected by installing applicable vendor-supplied security patches, with critical security patches installed within one month of release.
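The 30-day window above is only useful if someone measures against it. The following is an added example (not code from the article or its author) of the check a security team would run over scanner output: for each host, list the applicable patches that are both uninstalled and older than the SLA window for their severity. The host names, patch identifiers and the 90-day window for non-critical patches are assumptions; the 30-day critical window follows the "standard 30-day period" above and PCI DSS requirement 6.2.

```python
"""Patch-age (SLA) report over a constructed host inventory.

Added example, not code from the original article or its author. The host
names, patch identifiers and the 90-day window for non-critical patches are
assumptions; the 30-day window for critical patches follows the article's
"standard 30-day period" and PCI DSS requirement 6.2.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Days allowed between vendor release and installation, keyed by severity.
# Assumption: only the 30-day critical window comes from the page; the rest
# is a placeholder policy an organization would set for itself.
SLA_DAYS: Dict[str, int] = {"critical": 30, "important": 90, "moderate": 90, "low": 90}


@dataclass(frozen=True)
class Patch:
    patch_id: str   # vendor identifier (constructed placeholder, not a real KB/advisory)
    severity: str   # vendor severity rating
    released: date  # vendor release date


@dataclass
class Host:
    name: str
    applicable: List[Patch]                            # patches the scanner says this host needs
    installed: Set[str] = field(default_factory=set)   # patch_ids already applied


def patch_age(patch: Patch, today: date) -> int:
    """Days elapsed since the vendor released the patch."""
    return (today - patch.released).days


def sla_limit(severity: str) -> int:
    """SLA window for a severity; unknown ratings fall back to the strictest window."""
    return SLA_DAYS.get(severity.lower(), SLA_DAYS["critical"])


def overdue_patches(host: Host, today: date) -> List[Patch]:
    """Applicable, uninstalled patches older than their SLA window, critical first."""
    missing = [p for p in host.applicable if p.patch_id not in host.installed]
    late = [p for p in missing if patch_age(p, today) > sla_limit(p.severity)]
    return sorted(late, key=lambda p: (p.severity.lower() != "critical", p.released))


def compliance_report(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map host name -> overdue patch IDs; an empty list means the host is within SLA."""
    return {h.name: [p.patch_id for p in overdue_patches(h, today)] for h in hosts}


# --- constructed sample data (not real patches or hosts) ---------------------
REPORT_DATE = date(2016, 11, 15)
P_CRIT_OLD = Patch("PATCH-1001", "Critical", date(2016, 10, 11))   # 35 days old: past the 30-day window
P_IMP_OLD = Patch("PATCH-1002", "Important", date(2016, 10, 11))   # 35 days old: inside the 90-day window
P_CRIT_NEW = Patch("PATCH-1003", "Critical", date(2016, 11, 8))    # 7 days old
P_LOW_STALE = Patch("PATCH-0704", "Low", date(2016, 7, 12))        # 126 days old
CATALOG = [P_CRIT_OLD, P_IMP_OLD, P_CRIT_NEW, P_LOW_STALE]

SAMPLE_HOSTS = [
    Host("web01", CATALOG, {"PATCH-1001", "PATCH-0704"}),  # within SLA
    Host("web02", CATALOG, set()),                          # never patched
    Host("db01", CATALOG, {"PATCH-1001"}),                  # critical done, stale low-severity patch
]

if __name__ == "__main__":
    for host, late in compliance_report(SAMPLE_HOSTS, REPORT_DATE).items():
        print(f"{host}: {'OK' if not late else 'OVERDUE ' + ', '.join(late)}")
```

Feeding the report from a real scanner export is a matter of building the `Host` and `Patch` objects from its fields; the point is that "overdue" is defined by the policy table, so the same script serves as evidence for the PCI DSS one-month requirement and for any stricter internal window.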

Security patching can be tedious and seemingly unrewarding work, but patches that are kept current effectively -- and without fanfare -- prevent major vulnerabilities from being exploited. If security patching is neglected, it will eventually result in expensive interruptions that require remediation resources after a breach or outage.


This was last published in November 2016


Expert: Mike O. Villegas

SearchSecurity: Security Wire Daily News

Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.

Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down Krebs' website, saying it was mostly made up of hacked Internet of Things devices.

“We've noticed a strong overlap between the attack … and one of the botnets that we have been working at in modelling,” Ellis told El Reg, as he named the Kaiten malware as one of the vectors involved in the Krebs attack.

Kaiten has long been known as a source of IRC-controlled DDoS attacks. While the original chiefly targeted routers, this latest version also “targets DVRs and some cameras” according to Ellis.

During the attack against Krebs, Akamai dropped him from its DDoS mitigation service with two hours' notice. Krebs was a pro bono customer, and the sheer volume of traffic – 620Gbps – threatened to affect services for Akamai's paying clients. Krebs later said he didn't blame Akamai for taking the action it did; Google subsequently stepped in with its Project Shield service.

“This is a very concerning thing, looking at the prevalence of IoT and the ability for [the Krebs attackers] to throw around this volume of traffic,” Ellis said. “More research is being done on the adversary side to find out how to better take control of IoT devices, whether by means of a brute force attack using a known and common credential such as the [default] admin password, which gets them into a handful of routers out there, and then [the attackers start] leveraging the bandwidth of these end users.”

The chief problem for DDoS mitigation outfits trying to defend against IoT botnets is that with so many devices potentially falling under the control of miscreants, it is straightforward for the attacker's traffic to masquerade as legitimate web traffic.

“Compromised IoT devices … have the ability to source traffic from the same IP address as a legitimate user,” said Ellis, “which obviously gives the advantage that it stops [attackers] from being trivially filtered. I don't think I'm giving anything away when I say that when you're protecting a web server, any traffic coming in that's not related to web traffic is very deep and easy for you to drop. And the more that an adversary can look like a legitimate user, the more difficult it becomes, the more resources you have to expend to identify that that's an attacker and mitigating it.”
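The two halves of Ellis's point can be shown over a constructed traffic sample. The following is an added example, not Akamai's code or method: stage one keeps only TCP to the web ports (anything else is trivially dropped in front of a web server), and stage two flags sources by request count in a fixed window. The addresses (documentation ranges), traffic mix, window and the one-request-per-second threshold are all assumptions; what the example shows is that a single noisy source is caught immediately, while fifty compromised devices each sending a handful of well-formed requests stay under the threshold and account for almost all of the traffic that reaches the origin.

```python
"""Two filtering stages over a constructed traffic sample: drop non-web
traffic, then flag sources by request rate.

Added example, not Akamai's code or method. The traffic, addresses
(documentation ranges) and threshold are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds into the capture window
    src: str      # source IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    payload: str  # request line, or a label for non-HTTP payloads


WEB_PORTS = {80, 443}
WINDOW_S = 60.0            # length of the constructed capture window
MAX_REQS_PER_WINDOW = 60   # per-source threshold: one request/second on average (assumption)


def is_web(p: Packet) -> bool:
    """Stage 1 predicate: only TCP to the web ports is relevant to a web server."""
    return p.proto == "tcp" and p.dport in WEB_PORTS


def drop_non_web(packets: Iterable[Packet]) -> List[Packet]:
    """Stage 1: everything that is not web traffic is dropped without inspection."""
    return [p for p in packets if is_web(p)]


def requests_per_source(packets: Iterable[Packet]) -> Counter:
    """Request count per source IP over the whole window."""
    return Counter(p.src for p in packets)


def flag_by_rate(counts: Counter, max_per_window: int = MAX_REQS_PER_WINDOW) -> Set[str]:
    """Stage 2: sources whose request count in the window exceeds the threshold."""
    return {src for src, n in counts.items() if n > max_per_window}


def residual(packets: Iterable[Packet], flagged: Set[str]) -> List[Packet]:
    """Web requests that survive both stages and reach the origin."""
    return [p for p in packets if p.src not in flagged]


def build_sample() -> List[Packet]:
    """Constructed capture: one legitimate client, one noisy attacker, 50 low-rate bots, some non-web noise."""
    pkts: List[Packet] = []
    # legitimate browser: 5 page loads in a minute
    pkts += [Packet(i * 12.0, "192.0.2.10", "tcp", 443, "GET /index.html") for i in range(5)]
    # single noisy source: 120 requests in a minute, twice the threshold
    pkts += [Packet(i * 0.5, "203.0.113.9", "tcp", 80, "GET /") for i in range(120)]
    # 50 compromised devices, 8 well-formed requests each, every one under the threshold
    for b in range(1, 51):
        pkts += [Packet(b * 0.1 + k * 7.0, f"198.51.100.{b}", "tcp", 80, "GET /") for k in range(8)]
    # non-web noise: an NTP datagram and a TCP probe on a non-web port
    pkts += [Packet(3.0, "203.0.113.50", "udp", 123, "ntp"),
             Packet(4.0, "203.0.113.51", "tcp", 23, "telnet-probe")]
    return pkts


def run(packets: List[Packet]) -> dict:
    """Apply both stages and summarize what reached the origin and where it came from."""
    web = drop_non_web(packets)
    flagged = flag_by_rate(requests_per_source(web))
    left = residual(web, flagged)
    bots_left = sum(1 for p in left if p.src.startswith("198.51.100."))
    return {
        "total": len(packets),
        "dropped_non_web": len(packets) - len(web),
        "flagged_sources": flagged,
        "residual": len(left),
        "residual_from_bots": bots_left,
    }


if __name__ == "__main__":
    print(run(build_sample()))
```

With these numbers, 405 requests reach the origin after filtering and 400 of them come from the compromised devices: per-source rate alone does not separate a low-rate bot from a real user, which is why the defender has to spend more resources on behavioural signals (request ordering, session state, client fingerprint) the closer the bots look to a browser.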

Culture change needed in IoT architecture

Part of the problem is the sheer difficulty of patching and updating IoT devices to take advantage of the latest vuln plugs.

Ellis said: “If you have an iPhone it auto updates in the background and you press OK and it takes care of it for you. We've become so used to that on the internet of general purpose computing devices that when we look at the Internet of Things – or as one of my colleagues likes to call it, Things on the Internet – there aren't devices built into that same robust infrastructure.”

Then he spelled out the painful upgrade process for most current IoT devices:

If I want to patch them, I need to go to the vendor website, hunt for my model of device, download an executable to my desktop and run it, when the executable will open a network hole and patch, upgrade the firmware on my device. You walk through that and to you and I that probably seems like, 'that's painful but at least I understood what it was I was doing'.

For most users that's a really challenging thing. They're not professional systems administrators. Why do we expect them to treat these devices the same way that a systems administrator treats enterprise-class routers?

He also said that IoT devices ought to be “deployed in a fashion that makes them automatically update and keep themselves secure all the time.”

As for the Krebs hack, does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed? Do we need to trash it all and start over?

“We don't know for certain that every machine involved in this was IoT; it's quite possible that the attacker spliced together a botnet including traditionally compromised servers as well as these IoT devices,” Ellis concluded. “Hopefully we'll learn more as we dig through the data.”


The Register - Security


October will mark a major shift in the way Microsoft structures its Patch Tuesday release for many users, and experts worry the new monthly Windows rollup will force companies to accept more risk in order to avoid compatibility issues.

Microsoft previously announced it would change the Patch Tuesday structure in October for Windows 7 and Windows 8.1 users to the so-called "Monthly Rollup." Instead of many individual patch bulletins, fixes will be bundled into separate update packages for Internet Explorer, the Windows platform and the .NET platform, removing the ability to pick and choose individual patches to apply. Microsoft claims this will create a simpler process and reduce update fragmentation.

The change is similar to the structure of patch updates for Windows 10, but according to Chris Goettl, product manager with Shavlik, the Windows rollup for older platforms will allow more flexibility for IT staff.

"Windows 10 has all updates in a cumulative bundle each month which is more strict than the servicing change being implemented on pre-Windows 10 systems next month. At least on the earlier platforms, enterprises will be able to choose a security only bundle instead of the cumulative rollup for Internet Explorer and OS each month," Goettl told SearchSecurity. ".NET is also a separate rollup, unlike on Windows 10, so this change levels the field a bit but even with the change Windows 10 is still more restrictive."

Microsoft has had a mixed history with patch releases, requiring IT administrators to test patches to ensure there are no issues with compatibility and to ensure patches don't introduce new problems in software.

Tyler Reguly, manager of security research at Tripwire, pointed out that "administrators and security professionals have commented negatively on the Windows 10 model since it was released" and said the new Windows rollup for older platforms won't reduce the need for testing.

"Enterprises need to ensure they have large test labs setup with a full cross-section of their production environment available for testing as it is very unlikely that we'll see the remainder of the year pass without any negative interactions from these patches," Reguly told SearchSecurity.

However, Bobby Kuzma, system engineer at Core Security, said he isn't "terribly fond of forced updates without enterprise approval" such as those on Windows 10, where enterprises need to pay in order to have the option to delay patch installs, but Kuzma admitted there's "a huge hygiene and herd immunity benefit to enforcing updates automatically."

"Instead of having hundreds of possible combinations to test, they only need to test the one rollup. Being able to rely on consistent states of software deployment will help simplify troubleshooting, as well as reducing the vulnerability management burden," Kuzma told SearchSecurity. "Yes, there may be compatibility issues with certain applications, but I look at that largely as a vendor problem. One of the reasons that Microsoft has vulnerabilities that tend to crop up across multiple operating system versions is that they go to huge lengths to maintain compatibility, which often means porting buggy code from version to version because that's expected behavior."

But experts worry it will leave users with a choice of updating and risking compatibility issues or not updating at all. Windows 7 and 8.1 users will be able to delay a monthly rollup, but because the rollups are cumulative, a skipped month's fixes are carried in the next month's package and cannot be separated from it.

Goettl said the new structure could present more risk because while there will be fewer bulletins, there will be more CVEs per bulletin once the change is made.

"The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don't break when these larger bundled security updates are pushed to systems," Goettl said. "If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction."

Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., said it may not be bad for everyone.

"Monthly rollup is a good idea for most users, as it removes the burden of keeping track of which patches are needed and which ones are installed. As every month's rollup supersedes the previous month's rollup, it should be easy to keep track of whether you are up-to-date," Sarwate said. "But the disadvantage of the all-or-nothing approach is that if one patch has a stability or usability issue then it cannot be selectively forbidden. Another point to note is that previously shipped patches will not be included in the October roll-up and will instead be eventually rolled up in the upcoming year or so. This may create more work in the short run for administrators to keep track of which past [knowledge base] is rolled up in each month's update."
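Goettl's compounding argument and Sarwate's supersession point are both about set arithmetic, and a small model makes them concrete. The following is an added example, not code from the article or from Microsoft; the months, bulletin names and CVE identifiers are constructed placeholders. It encodes the two rules the article states: each month's rollup supersedes the previous one, and a rollup cannot be split, so an application-compatibility exception skips every fix in the bundle rather than one bulletin.

```python
"""Model of the cumulative Monthly Rollup versus per-bulletin patching.

Added example, not code from the article or from Microsoft. Bulletin names,
months and CVE identifiers are constructed placeholders.
"""
from typing import Dict, Optional, Set

# Constructed: month -> bulletin -> CVEs fixed for the first time in that month.
# Placeholder identifiers, not real bulletins or CVE numbers.
MONTHLY_FIXES: Dict[str, Dict[str, Set[str]]] = {
    "2016-10": {
        "MS-A": {"CVE-X-0001", "CVE-X-0002"},
        "MS-B": {"CVE-X-0003"},
        "MS-C": {"CVE-X-0004", "CVE-X-0005", "CVE-X-0006"},
    },
    "2016-11": {
        "MS-D": {"CVE-X-0007"},
        "MS-E": {"CVE-X-0008", "CVE-X-0009"},
    },
}
MONTHS = sorted(MONTHLY_FIXES)  # ISO year-month strings sort chronologically


def month_cves(month: str) -> Set[str]:
    """All CVEs first fixed in a given month, across its bulletins."""
    return set().union(*MONTHLY_FIXES[month].values())


def rollup_contents(month: Optional[str]) -> Set[str]:
    """What a cumulative rollup carries: its own month plus every earlier month (supersession)."""
    if month is None:
        return set()
    return set().union(*(month_cves(m) for m in MONTHS if m <= month))


def exposure_per_bulletin(month: str, excepted_bulletins: Set[str]) -> Set[str]:
    """Old model: an exception for a conflicting bulletin leaves only that bulletin's CVEs open."""
    return set().union(*(MONTHLY_FIXES[month][b] for b in excepted_bulletins))


def exposure_rollup(installed: Optional[str], current: str) -> Set[str]:
    """Rollup model: CVEs fixed up to `current` that a host lacks, given its newest installed rollup."""
    return rollup_contents(current) - rollup_contents(installed)


def exception_impact(month: str, conflicting_bulletin: str) -> Dict[str, int]:
    """CVEs left unpatched when one bulletin conflicts with an application, under each model."""
    if conflicting_bulletin not in MONTHLY_FIXES[month]:
        raise KeyError(conflicting_bulletin)
    return {
        "per_bulletin": len(exposure_per_bulletin(month, {conflicting_bulletin})),
        "monthly_rollup": len(month_cves(month)),   # the whole bundle is skipped
    }


if __name__ == "__main__":
    print("exception for MS-B in 2016-10:", exception_impact("2016-10", "MS-B"))
    print("skipped October, installed November:", exposure_rollup("2016-11", "2016-11"))
    print("installed October only, in November:", sorted(exposure_rollup("2016-10", "2016-11")))
```

The model also shows the flip side Sarwate describes: a host that skipped October but installed November has nothing outstanding, because the November rollup supersedes October. Tracking "which past knowledge base is rolled up in each month's update" is exactly the `rollup_contents` lookup, which is why an inventory tool needs the month-to-contents mapping and not just a list of installed KB numbers.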


SearchSecurity: Security Wire Daily News