Recent studies show that a large portion of cybercrime could be prevented by more proactive patch management. While zero-day vulnerabilities are a frequent focus of cyber news and threat awareness, in reality it is the period between when a vulnerability is discovered and when the patch is released and widely deployed in which the larger share of cybercrime attacks happen.[1,2] The recent announcement of a remote code execution vulnerability in Microsoft's Internet Explorer versions 6-11 may trigger a larger number of attacks.[3] While Microsoft works to develop a patch, the vulnerability is left wide open for any actor to try to compromise. Until the patch is deployed and installed by end users, this known, unpatched vulnerability leaves little analysis work for cyber criminals. It is critical that industry and government decision makers approach this problem proactively to shorten the vulnerability window between the patch issuance and deployment phases.
Patch management is one of the most important risk management procedures for organizations. Challenges faced by organizations implementing patch management include the following: lack of understanding of how to patch, lack of personnel, fear of potential business impacts, network-bandwidth limitations, difficulty managing large or complex system architectures, long remediation times if the patch breaks current system needs, scalability issues, and exposure arising from the wide variety of patching needs.[4]
Awareness of the risk of frequently discovered vulnerabilities, and of the availability of patches to remediate those risks, is the heart of network security. Patches can help to prevent network hacks, malware infections, and even simple human error. Patch management affects the following: BIOS, device drivers, device BIOS, operating system, middleware, application patches, and third-party software. Organizations must patch all affected systems. Patching only some of the above means you are only partially secured.[5]
Solutionary, an NTT Group security program, analyzed 300 million events in the past decade. The analysis found that 50 percent of identified exploitable vulnerabilities had been publicly known for a minimum of 2 years. Moreover, 59 percent of all vulnerabilities identified were due to a failure to apply the associated patch (see Figure 1). Organizations' failure to address identified vulnerabilities may be caused by many factors. Organizations may be unaware of patches, lack the capability to install fixes on their systems, be uncertain whether a vulnerability applies to their systems, or simply not know the importance of addressing such vulnerabilities. Of the analyzed organizations, 77% did not have an incident response team or procedure in place in the event of a breach.
Of the exploitable vulnerabilities surveyed, malware comprised the largest category of offenders (43 percent), and botnets comprised 34 percent of the offending malware. Botnets and malware toolkits most frequently attack during the time period between the discovery of a vulnerability and the deployment (application) of its patch. The reason is simple: developing zero-day exploits is time consuming and expensive, but with publicly announced vulnerabilities, the majority of the malware author's investigative work is done for him. The Solutionary study found that it was common for some organizations to take up to 200 days to apply patches after they were released. This is typically due to testing of the patch on the operating system, program, or hardware, but may also be caused by a lack of support or understanding of the urgency of patching. This provides a significant window of opportunity for cyber criminals.
Many organizations need to establish, document, and prove they are compliant with a patch management process in order to comply with governmental regulations, service level agreements (SLAs), and corporate policies. Some of the regulations that require this documentation include: Sarbanes-Oxley (SOX), Payment Card Industry (PCI) Data Security Standards (DSS), Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health (HITECH).[6]
Organizations should be cognizant of the amount of time they take to patch systems. Figure 2 shows the window of exposure.[7]
The zero-day attack space is largely unavoidable, but minimizing the "follow-on" period (particularly the gap between t_p, when the patch is released, and t_a, when it is applied, in Figure 2) is possible, and that gap is the critical one that many enterprises are missing.
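One way to make that gap visible is to measure it per host from the organization's own patch records. The following is an added example, not code from the original post; it uses a constructed inventory with placeholder vulnerability identifiers and dates, and treats records with no deployment date as still exposed up to a reference date.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PatchRecord:
    host: str
    vuln_id: str                   # placeholder identifier, not a real advisory
    disclosed: date                # vulnerability became publicly known
    patch_released: date           # vendor patch available (t_p)
    patch_applied: Optional[date]  # deployed on this host (t_a); None = still open


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Follow-on window: days from patch release (t_p) to deployment (t_a).
    Records that are still open are counted up to `today`."""
    end = rec.patch_applied or today
    return (end - rec.patch_released).days


def release_lag_days(rec: PatchRecord) -> int:
    """Days the flaw was public before a vendor patch existed; the part of the
    window a customer cannot shorten on its own."""
    return (rec.patch_released - rec.disclosed).days


def overdue(records: List[PatchRecord], today: date, sla_days: int) -> List[PatchRecord]:
    """Records whose follow-on window exceeds the patching SLA, worst first."""
    late = [r for r in records if exposure_days(r, today) > sla_days]
    return sorted(late, key=lambda r: exposure_days(r, today), reverse=True)


def mean_exposure(records: List[PatchRecord], today: date) -> float:
    return sum(exposure_days(r, today) for r in records) / len(records)


# Constructed sample data: three hosts, two hypothetical vulnerabilities.
TODAY = date(2014, 5, 1)
SAMPLE = [
    PatchRecord("web-01", "VULN-EXAMPLE-1", date(2014, 1, 10), date(2014, 1, 14), date(2014, 1, 20)),
    PatchRecord("db-02", "VULN-EXAMPLE-1", date(2014, 1, 10), date(2014, 1, 14), None),
    PatchRecord("app-03", "VULN-EXAMPLE-2", date(2013, 9, 1), date(2013, 10, 8), date(2014, 4, 26)),
]

if __name__ == "__main__":
    for r in overdue(SAMPLE, TODAY, sla_days=30):
        print(f"{r.host} {r.vuln_id}: {exposure_days(r, TODAY)} days past patch release")
    print(f"mean follow-on exposure: {mean_exposure(SAMPLE, TODAY):.1f} days")
```

The 30-day SLA is an assumed threshold; substitute the value your own policy or regulator requires.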
This post was written by: Amanda Joyce & Mike Thompson
[1] Vulnerability Frequency
[2] JBoss Attacks Up Since Exploit Code Disclosure
[3] Microsoft Internet Explorer Use-After-Free Vulnerability Guidance
[4] Rewriting the rules of patch management
[5] Microsoft patch management policy
[6] Rewriting the rules of patch management
[7] Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World