With so much malware out there targeting known vulnerabilities on unpatched systems, patch management is universally recognized as fundamental to information security. But in recent penetration tests, our vulnerability assessments have been turning up a lot of unpatched servers.
In many cases, patch files are sitting there on the server waiting to be applied. For example, the Critical patch MS14-066, which resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package within Windows, keeps turning up as unapplied. This leaves a server open to remote code execution if an attacker sends Windows some appropriately crafted packets.
Why is this problem seemingly so prevalent? What seems to be the “missing link” in these companies’ patch management programs is patch verification (a.k.a. “audit and assessment”). It’s great if you’re prioritizing and automatically scheduling patches. But you also need to make sure they’re actually being applied and that all is well afterwards.
Most organizations are aware of the need to test whether production applications and server environments are functioning as expected after patching. But—if our pen testing is any indication—many firms are neglecting to verify that patching actually took place.
To verify patching, at a minimum you need to check the logs of your patch management application, as well as spot-check individual servers to make sure the patch isn’t still sitting there. Of course, no patch management program is going to be successful if you don’t know what servers you have and which ones each patch applies to.
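As an added example (not from the original post), the PowerShell spot-check below asks each server's own OS for its installed-hotfix list rather than trusting the patch tool's log, and also flags hosts with a reboot pending, since an installed-but-not-rebooted patch is not yet protecting anything. Server names are placeholders; the MS14-066 to KB2992611 mapping comes from the Microsoft bulletin rather than this post, so confirm it for your OS versions before relying on it.

```powershell
# Added example, not from the original post. Assumes remote WMI/WinRM is enabled
# and the caller has local admin rights on each target.
$Servers    = @('srv-web-01', 'srv-db-01')      # placeholders: replace with your inventory
$RequiredKB = @{ 'MS14-066' = 'KB2992611' }     # bulletin -> KB id (confirm against the bulletin)

# Registry keys Windows sets when an update still needs a reboot to take effect
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

$report = foreach ($s in $Servers) {
    try {
        # Installed hotfixes as recorded by the OS itself
        $installed = (Get-HotFix -ComputerName $s -ErrorAction Stop).HotFixID
    } catch {
        # An unreachable host is a finding too: it cannot be verified
        [pscustomobject]@{ Server=$s; Bulletin='-'; KB='-'; Installed='UNREACHABLE'; RebootPending='?' }
        continue
    }
    $pending = Invoke-Command -ComputerName $s -ScriptBlock {
        param($keys) ($keys | Where-Object { Test-Path $_ }).Count -gt 0
    } -ArgumentList (,$rebootKeys)

    foreach ($b in $RequiredKB.Keys) {
        [pscustomobject]@{
            Server        = $s
            Bulletin      = $b
            KB            = $RequiredKB[$b]
            Installed     = if ($installed -contains $RequiredKB[$b]) { 'yes' } else { 'MISSING' }
            RebootPending = $pending
        }
    }
}

$report | Format-Table -AutoSize
# Exceptions to chase: anything MISSING, UNREACHABLE, or still awaiting a reboot
$report | Where-Object { $_.Installed -ne 'yes' -or $_.RebootPending -eq $true } |
    Export-Csv -Path .\patch-verification-exceptions.csv -NoTypeInformation
```

Running this from a scheduled task after each patch window gives you the audit trail the post is asking for, independent of what the patch management console reports.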
Using a vulnerability assessment tool also helps cross-check your patch management program, but this is time-consuming and requires special skills. The advantage of vulnerability assessment as an adjunct to patch management is that it tests your environment from the “other side,” the same way attackers are testing it.
If you’re not patching your servers proactively and effectively, your organization is exposed to data loss and business disruption from a host of threats, from zero-day attacks to denial-of-service attacks to sophisticated malware and viruses. And even the most sophisticated patch management application on the market, which can help you automate and streamline whatever form(s) of patch verification you choose to adopt, is cheap compared to the financial impact of a single breach.
To talk over how vulnerability assessment and patch management can help your company mitigate information security risk, contact Pivot Point Security.