[BreachExchange] Good security begins with the endpoint in mind

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 4 15:45:54 EST 2016


http://www.computerworld.com/article/3038729/security/good-security-begins-with-the-endpoint-in-mind.html

Let's begin today with a quick quiz: What percentage of the PCs in your
business or organization have all of the required patches for the operating
system and application software? I'll bet you are tempted to say 100%,
since you probably assume that your workstations are set to get updates
automatically.

Here is an easier question: Does YOUR workstation have all of the available
patches? If you are like most, the answer to either question is no.

I have performed security assessments for a number of customers, many of
whom are quite security conscious, and I have yet to find a single customer
who has even a simple majority of workstations -- or endpoints as they are
often known -- patched properly. Why, you ask? Here are the common excuses
I find.

Ignorance is bliss -- assume the manufacturer/supplier is smart enough to
configure a new endpoint properly, so trust their judgment and don't worry
about it.

Our policy is law -- we have a written policy requiring that employees keep
their workstations patched and up-to-date, and we trust our people.

Automation rules -- we verify that all workstations are set for automatic
updates, and trust the software to take care of itself.

Unfortunately, none of the above is a reliable means of ensuring that
endpoints remain patched. You cannot rely on the initial software
installation to ensure that updates take place automatically. Automation,
even Microsoft Windows Update, probably the most proven automatic update
mechanism in the industry, breaks down with some frequency. Finally, since
updates usually require a reboot, when your employees are given control
they will often turn off automation and ignore prompts, so they can focus
on their work. It is hard to completely fault them for that.

If your organization uses Macs instead of Windows PCs, you are not immune
to patch issues. The Apple update process, while inherently automatic,
often requires some user intervention. As I noted above, employees can be
counted on to focus on their work, ignoring or delaying patches.
Additionally, Apple users often suffer from what I call "Mac euphoria
syndrome," which is the irrational belief that since Macs have
traditionally suffered few security issues, they don't have to worry.

Now, I will be the first to admit that this is a challenging problem for
all but the smallest companies. If your organization has three PCs, it is
easy enough to put a note on your calendar to check their update status
every week, at least for the operating system. By the time you reach 10
PCs, this becomes a major task. More than that, and either more personnel
or some automation is required to keep up.

Even if you have successfully addressed the operating system patch problem,
what about application software? At least with Windows, you can fairly
easily run Windows Update and check the patch status. Application software
patching is much more complicated, because many vendors are involved, each
with their own update mechanism.

I am confident that many of you reading this, faced with a problem you
cannot easily solve, are wondering if patch management is all that
important in the first place. Please don't talk yourself out of being
worried about this issue. A large percentage of PC infections with malware,
including ransomware (which is at the top of everyone's list these days),
result directly from the exploit of known vulnerabilities. We basically
invite the bad actors to attack us by ignoring the patches provided to
address problems.

A good indication of the severity of our patch problem is the fact that
many of the vulnerabilities being successfully exploited today were fixed
by patches released months or even years ago. SecurityWeek, in a February
2015 article citing Hewlett-Packard's Cyber Risk Report, said that 44% of
vulnerabilities exploited in 2014 involved vulnerabilities between two and
four years old. Do I have your attention yet?

Underscoring the importance of this issue is the fact that all of the major
compliance standards, including HIPAA, PCI DSS and SOX, reference patch
management. It is clear to the authoring organizations that patching is
critical to data security.

Action plan

Hopefully, you are now convinced of the importance of proper patch
management practices. Assuming so, here are some things you can do to
simplify the process.

Assign someone. Regardless of methodology, patch management will never be
done well unless someone is given responsibility for it. The assigned
individual(s) must check new PCs for proper patch management settings as
they are deployed, and frequently spot-check the settings and update status.

Have a policy and procedure. Arm the assigned individual(s) with a written
policy and procedure, defining how the patch management and monitoring
process will be carried out on a daily basis.

Log and verify results. The results of any patch checks should be logged,
with the log checked by someone else.

Automate. There are a variety of automation tools that can help ensure that
patches are deployed. Microsoft's Windows Server Update Service (WSUS) can
be a key part of the solution, along with asset management systems like
Dell KACE and ManageEngine.

Outsource. There are a variety of managed services providers that can
install a small tool on each PC, allowing them to manage and monitor the
deployment of patches. If you go this route, you will be better served with
a security specialist, rather than a general IT company that provides this
as one of a long list of services.
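As an added example (not from the article, the BreachExchange list or any of the products named above), the following PowerShell script performs the spot-check described in the action plan on a single Windows endpoint: it reads the Automatic Updates policy, asks the Windows Update Agent which applicable updates are still missing, records the last installed hotfix, and appends a pass/fail line to a shared CSV log with an empty "ReviewedBy" column for the second person to fill in. The log path and the expectation that endpoints point at a WSUS server are assumptions; adjust both to your environment.

```powershell
# Added example (not from the article): spot-check one Windows endpoint's
# update configuration and missing-patch count, then append the result to a
# CSV log that a second person can review. Assumes Windows PowerShell 5.1+
# with access to the Windows Update Agent COM API. The log path and the
# "WSUS must be configured" expectation are assumptions for this example.
param(
    [string]$LogPath = "C:\PatchChecks\patch-check-log.csv"  # assumed location
)

# 1. Read the Automatic Updates policy. These registry values are written by
#    Group Policy or WSUS client configuration; a missing key means "not configured".
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue

$autoUpdateDisabled = ($au -and $au.NoAutoUpdate -eq 1)
$auOption   = if ($au) { $au.AUOptions } else { $null }   # 4 = auto download and schedule install
$wsusServer = if ($wu) { $wu.WUServer } else { $null }

# 2. Ask the Windows Update Agent which applicable updates are not installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$missing  = @($result.Updates | ForEach-Object { $_.Title })

# 3. Most recently installed hotfix, from the local hotfix inventory.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# 4. Spell out every finding so the reviewer does not have to re-run anything.
$findings = @()
if ($autoUpdateDisabled)  { $findings += 'Automatic updates disabled by policy' }
if ($auOption -ne 4)      { $findings += "AUOptions is '$auOption' (expected 4: auto download and schedule install)" }
if (-not $wsusServer)     { $findings += 'No WSUS server configured (assumed requirement)' }
if ($missing.Count -gt 0) { $findings += "$($missing.Count) applicable update(s) not installed" }

$record = [pscustomobject]@{
    Timestamp    = (Get-Date).ToString('s')
    Computer     = $env:COMPUTERNAME
    CheckedBy    = $env:USERNAME
    WsusServer   = $wsusServer
    MissingCount = $missing.Count
    LastHotfix   = if ($lastHotfix) { "$($lastHotfix.HotFixID) $($lastHotfix.InstalledOn.ToString('yyyy-MM-dd'))" } else { 'none' }
    Status       = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
    Findings     = ($findings -join '; ')
    ReviewedBy   = ''   # left blank on purpose: the second person fills this in
}

# 5. Append to the shared log (the directory and file are created on first run).
$dir = Split-Path -Parent $LogPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$record | Export-Csv -Path $LogPath -Append -NoTypeInformation
$record | Format-List
```

Run it elevated (the Windows Update Agent search and the policy keys need local administrator rights), ideally from a scheduled task so the "frequently spot-check" step does not depend on someone remembering. A FAIL row with its Findings column is what the assigned individual acts on; the reviewer's job is to confirm each FAIL was closed and that PASS rows keep appearing for every endpoint in the asset list.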

Bottom line: Even as many of the issues we face with information security
seem insurmountable, patch management is something we can do well. The
payoff from a robust patch management program is measurably improved
security -- well worth the investment.