Today we have another guest post from our friends at GFI – this time on patch management (which unfortunately is one of the reasons that so many pentests are so easy to succeed in…)
Every organization uses several types of software such as operating systems, servers, clients and many other third party applications. Every software package is a complicated piece of engineering. Programs are created from hundreds of thousands to millions of lines of code and each line of code is further converted by the compiler into many low level instructions that a computer needs to execute. With all this complexity, it is not surprising that issues will arise affecting the smooth running of the system on which the software is installed.
Be it a coding mishap, a combination of inputs that the developer didn’t foresee, or even an unexpected interaction between the billions of low level instructions, an application can have a vulnerability that would allow someone to maliciously exploit in order to perform some undesired action.
Malicious hackers are constantly looking for these software deficiencies both for fame and profit. A zero-day vulnerability in a popular application may be sold for hundreds of thousands of dollars on the black market. Such vulnerabilities could be used to infect a large number of computers before vendors get a chance to detect and address the problem.
At the other end of the spectrum, security researchers are in a daily race with malicious hackers to find vulnerabilities themselves. When they do come across these vulnerabilities, vendors are notified and given time to fix the issue before making their findings public.
How does all this affect your need for patch management?
Malware like the Code Red worm and Sasser exploited software vulnerabilities to deliver their malicious payload, therefore failing to patch software would leave your systems open to such attacks. Payloads can be anything from BotNet software which will waste bandwidth and computer resources to send spam, to spyware software designed to steal credentials, financial details and intellectual property.
While security researchers play an important role in discovering vulnerabilities, disclosing them to the public indirectly increases the risk for organizations because even though a patch will be available, not all organizations are organized and address the problem immediately.
Hackers are aware that many IT admins take their time to patch their systems, sometimes waiting months to deploy a released patch. Code Red is a perfect example. While Code Red exploited a vulnerability for which a patch had been available for over a month, countless systems were compromised by the malware because many had not yet deployed the critical patch.
One also needs to take a holistic approach to patch management. As in all security cases, it is the weakest link in the system that is exploited. An attacker does not need to compromise all your systems’ vulnerabilities, they only need to compromise one vulnerability to get access to your systems. That is why selective patch management is not recommended. While operating system patch management is essential and easiest to perform, that alone will not protect you against vulnerabilities in third-party products such as a PDF file exploiting a vulnerability in a PDF reader.
It is obviously preferable to do operating system patch management exclusively rather than having no patch management at all, but the more applications you keep up to date the more effective your security will be.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.
Find out more about what should be included in your patch management.