
The Difference Between Patch and Vulnerability Management

By Vigilize | Thursday, January 18, 2018

by Eric Kroeger and Jason Mikolanis


We are pleased to kick off our “guest author program” and are very excited and honored to present Eric Kroeger and Jason Mikolanis as our first guest authors.  Thank you Eric and Jason!!


A deeper dive . . .


This is the technical companion to the recent Jolley | Hadaway article on how to explain patch management to nontechnical managers.


2018 sure has started off with a bang!  Right out of the gates, we got Spectre and Meltdown, design flaws in the processor architecture of, oh let’s say, 90 percent of the systems in use today.  Not a bad start to the I.T. year.  This has led to a flood of firmware, operating system and application patches.  And there will certainly be many more to come.

Even a “small” financial institution could have hundreds of devices (servers, desktop PCs, phones, thin clients, tablets) running various operating systems and numerous applications, many of which are likely to be affected in some way by these, and other vulnerabilities.  Vulnerability Management is the process that we use to deal with this mess.

Last time, in the article titled “Understanding Patch Management”, Dan and Matt introduced a formula for Vulnerability Management stating that Vulnerability Management = Policy + Awareness + Prioritization + Patch Management + Testing + Tweaking.  More formally, Vulnerability Management can be defined as the process of identifying, classifying, remediating and tracking vulnerabilities within a computing environment.  It starts with knowing what we have in our network, determining what’s wrong with it, and prioritizing the remediation process based on risk to the organization.  In the perfect world, we would let our systems automatically apply all patches, as soon as they are released by the vendors.  Yeah, right!  Hundreds of systems x multiple applications x multiple patches = a recipe for disaster.  And, in the other perfect world, we would have the time (would probably take years) to test all of our patches for performance degradation, “harmful program interaction”, and lack of vendor support prior to roll out.  We know that this cannot happen.  Basically, it is a balancing act—an art, not a science.

It all starts when someone (sometimes a user, a software vendor or even a hacker) identifies a problem with a system or an application.  The vulnerability becomes publicly known in some way, and hopefully the vendor issues a fix for the problem.  The fix is not always made publicly available immediately.  In fact, some vulnerabilities can take weeks or months to fix.  With others, there may never be a way to technically fix the problem.  Vulnerability assessment tools are designed to examine systems or devices, identify them, and then check them against a series of known issues for that type of system.  Is the IOS code the latest?  Is the firmware current?  Is the system properly configured?  If not, the vulnerability tool will build a list of problems and (in the case of most tools) offer suggestions on what to do to address the known vulnerabilities or weaknesses.

So, information technology groups must employ a process to 1) identify vulnerabilities in all systems, 2) assess the risks associated with applying (and not applying) fixes, 3) apply patches in as controlled an environment as possible, 4) track changes so that we know what has been fixed (and what could have caused problems), and 5) document the process so that we can analyze and report on the program.  And, if we are able to wrap this process up neatly in a solid vulnerability management policy that our senior management team understands and approves, we are more likely to get cut some slack when things don’t go exactly as planned.

As we stated earlier, vulnerability management is much more of an art than a science.  With a constant barrage of threats (including zero-day), exploits and patches, having a “perfect” process is basically impossible.  Given this, vulnerability management has to be backed up by a defense-in-depth (multi-layer) information security strategy that gives your organization the best chance of keeping systems and data secure.  Vulnerability Management is just one piece of the puzzle.

To bring this down to “ground level”, we highly recommend that our clients maintain a detailed inventory of all systems and applications in their environments.  There are many tools that can help with this process, and they range from simple and reasonably priced for smaller networks (PDQ Inventory and SysAid) to comprehensive and somewhat expensive (SolarWinds and ConnectWise Automate) for larger environments.  When the chips are down, it really helps to know as much as possible about what you have in your environment.

We also highly recommend the use of a vulnerability assessment tool like Nessus (Tenable Software), Qualys (Qualys.com) or Metasploit (Rapid7).  In addition to helping to identify the systems on the network (desktops, printers, servers, firewalls, routers, switches, etc.), these tools can tell you what the weaknesses are and (often) how to fix them.  We prefer Nessus, and typically run automated (Nessus) scans on our networks as often as possible (at least monthly).  We try to do both authenticated and unauthenticated scans to get as much information as possible.  Nessus lets us maintain an inventory of systems and scan history, which helps us track and validate the successful application of patches to all of the devices.  Nessus also helps to rank the vulnerabilities by criticality.  After the scan is complete, one of our IT specialists will analyze the results and start working on the remediation plan.  The scan results will be used to determine what patches should be applied to various devices and in what order.  The remediation process will be carefully documented for problem solving in the coming days.  As we mentioned earlier, not all vulnerabilities can be fixed, either because of limited resources, because there might not be a solution yet, or perhaps the current “solution” could be worse than the problem it solves.  This was actually true in the cases of Meltdown and Spectre.  For some systems, there are no patches yet.  For others, the patches often cause significant performance degradation, and it is not clear if there are actually any known exploits yet.  Further, not all systems present the same risks.  Does a vulnerability in a network printer present the same risk as a problem with the IOS code on a firewall?  Probably not.

Either way, it is important to go about the process using a risk-based methodology and documenting the process carefully for tracking purposes.  Once the remediation process is complete, we recommend repeating the Nessus scan to validate the intended results and to look for new vulnerabilities (as they come out way too often).

Finally, we use a tracking process to keep tabs on the issues and remediation steps.  This report can be a spreadsheet that we manually update after each scan, or it can be a more sophisticated tracking mechanism that comes with the more expensive vulnerability assessment tools.  We highly recommend that reports are presented to an information security group or a tech steering committee on a monthly basis.  This helps the organization to monitor the value and effectiveness of the vulnerability management process.  When there is so much information in the news about data breaches, ransomware and corporate espionage, keeping your management team informed can go a long way toward building their confidence and having them on your side when something goes wrong.  And unfortunately, the odds are not in our favor.
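As an added example (not code from the article or its authors), here is a small Python script that performs the tracking and validation step described above: it compares a constructed before-and-after pair of scan exports, reports what was fixed, what is still open and what is new, and ranks the open findings using the asset-weighted, risk-based prioritization the authors describe (a firewall outweighs a printer).  The simplified CSV columns (host, plugin_id, severity 0-4, name), the sample findings and the asset weights are all assumptions, not real Nessus output.

```python
import csv
import io

# Constructed sample scan exports (simplified, Nessus-like columns; not real data).
SCAN_BEFORE = """host,plugin_id,severity,name
10.0.0.1,100001,4,Spectre/Meltdown firmware mitigation missing
10.0.0.1,100002,2,SSH weak ciphers enabled
10.0.0.50,100001,4,Spectre/Meltdown firmware mitigation missing
10.0.0.50,100003,1,SNMP default community string
"""
SCAN_AFTER = """host,plugin_id,severity,name
10.0.0.1,100002,2,SSH weak ciphers enabled
10.0.0.50,100001,4,Spectre/Meltdown firmware mitigation missing
10.0.0.50,100004,3,Outdated print server software
"""

# Assumed asset classification from the inventory: 10.0.0.1 is a firewall,
# 10.0.0.50 is a network printer. Unknown hosts default to weight 1.
ASSET_WEIGHT = {"10.0.0.1": 3, "10.0.0.50": 1}


def parse_scan(text):
    """Return {(host, plugin_id): (severity, name)} from a scan export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], r["plugin_id"]): (int(r["severity"]), r["name"]) for r in rows}


def risk_score(host, severity):
    """Scanner severity scaled by how critical the affected asset is."""
    return severity * ASSET_WEIGHT.get(host, 1)


def remediation_delta(before_text, after_text):
    """Compare two scans: what was fixed, what is still open, what is new,
    plus all currently open findings ranked by descending risk score."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    fixed = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    still_open = sorted(set(after) & set(before))
    open_ranked = sorted(still_open + new,
                         key=lambda k: -risk_score(k[0], after[k][0]))
    return {"fixed": fixed, "still_open": still_open,
            "new": new, "open_ranked": open_ranked}


if __name__ == "__main__":
    for section, findings in remediation_delta(SCAN_BEFORE, SCAN_AFTER).items():
        print(section, findings)
```

Note that the firewall's medium-severity finding ranks above the printer's critical one once asset weight is applied, which is exactly the judgement call the authors describe.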


About the authors:

Eric Kroeger and Jason Mikolanis are senior consultants with Virtual Innovation, Inc. (www.vi-mw.com).  Virtual Innovation serves its clients by helping make their systems more secure, available and recoverable. For more information, contact Eric Kroeger at 219-405-6533.


