While we’ve all grown accustomed to weekly and sometimes daily announcements of vulnerabilities, there are also disadvantages to relying on vendor-released patches for securing network systems. Patch releases usually don’t cover all current security vulnerabilities, and a patch from a major software vendor doesn’t necessarily mean that there are no other ways to exploit the underlying weakness. We will outline why vulnerability patching needs to be part of a layered security initiative that helps balance an organization’s risk.
As we’ve seen, security risks can fall into the grey area of “misuse” rather than being a true vulnerability in the operating system. Software that is not directly part of the operating system, and the administration tools themselves, can mask problems. Security tools can also contain flaws that mask or hide existing security issues.
Single vulnerabilities are typically the easiest to manage: change the device’s configuration or apply a software fix and the vulnerability is taken care of. Blended threats, such as vulnerabilities that may not be directly exploitable until the attacker has direct access to the device, must be closely managed as well. These blended threats can be even more dangerous because the immediate impact may not be apparent: the initial compromise of a device may leave behind dormant code to be executed at some later time, even after the device has been remediated.
To balance those risks, organizations should deploy patching practices as part of an overall security program. Security best practices recommend following a layered approach to security, one that provides for checks and balances and does not rely on any single method or tool for maintaining security. A good way to define layered security is a security strategy that has defensive, proactive and compliance elements.
Beyond just relying on patches to solve all software security issues, a well-executed and comprehensive vulnerability management program gives the security team a proactive view of security vulnerabilities across the spectrum: those that can be patched, those that require configuration or change management, and those that must be managed until a patch becomes available.
Despite what the security and patching vendors might tell you, vulnerability management is not a technology, but an organizational process that is driven by the security team. Assessing the organization’s vulnerability to exploits and determining if the proper security remediation steps (firewall policies, endpoint security, network access control, patch application, and verification testing) are put into place are crucial.
Tracking known vulnerabilities allows the security team to determine whether interim changes, such as an access control list (ACL) on a router, could effectively prevent or limit the effects of an un-patchable vulnerability.
A truly effective vulnerability management program must also account for devices outside the purview of the IT organization. These may be servers that are managed and maintained by non-IT departments, such as when someone in finance or radiology manages their own file servers and applications. Vendor equipment running commonly available operating systems and file server software can also pose the risk of compromise and become the launch pad for attacks inside the network perimeter.
In addition, network access control (NAC) technologies add a further layer of security to a good vulnerability management program. NAC can ensure that end-user devices connecting to the network are quarantined before being allowed to access full network resources. Endpoint devices can be checked for up-to-date security patches and anti-virus, and for threatening software such as spyware, P2P, and messaging programs. This is especially valuable for assessing the security posture of unmanaged endpoint devices, those whose security is not managed by the internal security organization. Unmanaged or foreign endpoints are usually thought of as the computers of visitors, contractors, or work-at-home employees.
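The admission decision described above, as an added example that is not part of the original article or of any vendor's product: a posture report from the endpoint is checked against a policy (required patches, anti-virus signature age, forbidden software categories), and the device is granted full access, sent to a remediation network, or quarantined. The patch identifiers, thresholds and the "remediation" tier are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: the patch identifiers are placeholders, not real advisories.
REQUIRED_PATCHES = {"PATCH-2024-001", "PATCH-2024-002"}
MAX_AV_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_SOFTWARE = {"spyware", "p2p", "instant-messaging"}

@dataclass
class EndpointReport:
    host: str
    managed: bool                 # managed by the internal security organization?
    installed_patches: set        # patch identifiers reported by the posture agent
    av_signature_date: str        # ISO date of the newest anti-virus signatures
    running_software: set         # software categories the agent observed

@dataclass
class Decision:
    access: str                   # "full", "remediation" or "quarantine"
    findings: list = field(default_factory=list)

def assess(report, today):
    """Decide network access for one endpoint; today is an ISO date string."""
    # An endpoint that sends no posture report (typical for a foreign device
    # without the agent) is quarantined rather than trusted by default.
    if report is None:
        return Decision("quarantine", ["no posture report received"])
    findings = []
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        findings.append(f"missing patches: {sorted(missing)}")
    age = (date.fromisoformat(today) - date.fromisoformat(report.av_signature_date)).days
    if age > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(f"anti-virus signatures {age} days old")
    bad = FORBIDDEN_SOFTWARE & report.running_software
    if bad:
        findings.append(f"forbidden software: {sorted(bad)}")
    if not findings:
        return Decision("full", findings)
    # Assumed policy: a managed endpoint whose only problem is stale signatures goes
    # to a remediation network that reaches update servers; everything else,
    # including every failing unmanaged endpoint, is quarantined.
    if report.managed and not missing and not bad:
        return Decision("remediation", findings)
    return Decision("quarantine", findings)
```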
Vulnerability management and endpoint network access control are excellent additions to traditional network security approaches such as perimeter firewalls and intrusion detection systems. Managing the gaps, which are the less known vulnerabilities that don’t exactly make the front pages of the latest IT trade magazine, becomes more palatable when automated vulnerability management processes can drive the patching processes.
This allows security teams to make good decisions about where gap engineering should be performed and how best to protect the network when patches are not immediately available. Recognizing that patching doesn’t solve all of our software security vulnerabilities is the first step toward understanding where latent threats may exist and how best to mitigate the risks they pose.
In conclusion, even when a security vulnerability is contained within the realm of one software manufacturer, it doesn’t mean the problem will be fixed right away. Part of what every software vendor does is triage newly reported vulnerabilities: assessing their potential damage, how easily they can spread, whether they require action by an end user to become effective or proliferate, and whether there is code in the wild exploiting them.
It would be all too easy to fall back on vendor patches as a primary means to manage security risks. While this certainly is important to ultimately resolving the core security vulnerability in software, not every problem can be solved via a patch from Microsoft, Oracle, or another major software supplier.
About the Author
Mitchell Ashley is the Chief Technology Officer (CTO) and VP of Customer Experience at StillSecure. He can be reached at mashley@stillsecure.com or (303) 881-9353.