Don't leave holes in your patching policies

With network device vulnerabilities being discovered all the time, should you be monitoring patch management yourself, or is outsourcing the best option?

If the IT industry was subject to the same restrictions as the car industry, the number of equipment recalls would be so huge that many companies would go out of business.

Bugs are an inevitable problem in a sector where companies are driven by shareholders to rush out equipment before it is ready. From a security perspective, this presents users with a huge problem. Empirical evidence suggests that the average device - whether it is a perimeter network resource such as a firewall or router, or a core device such as a server - has more holes in it than a piece of Gruyere.

One of the rarest but most devastating security vulnerabilities in host computers is the buffer overflow error, said Gary Jones, professional services manager of security consultancy MIS Corporate Defence Solutions.

Feeding an input more data than its pre-allocated buffer can hold causes the excess to overrun into adjacent memory, and an attacker can arrange for that input to land in an executable part of memory. Hackers can use this to run code of their own and possibly gain control of the system.

This problem was common on Microsoft's Internet Information Server until it was patched. Since this patch was introduced, Microsoft has released what it claims is a more secure code base, in which a "golden bit" signifies the top of the stack, preventing buffer overruns.
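To make the defect concrete, here is an added example in C (not code from the article or from any product it mentions): a fixed-size field filled from untrusted input, first in the unchecked form that overruns the buffer, then in a hardened form that measures the input and refuses anything that does not fit. The field name and its 16-byte size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative size of a fixed field such as a username (assumption). */
#define FIELD_LEN 16

/* Vulnerable form: strcpy() copies until the NUL byte of src and never
 * looks at the size of dst. Input longer than FIELD_LEN - 1 bytes overruns
 * the array and overwrites whatever is adjacent on the stack (other locals,
 * saved frame data). This is the defect the article describes; it is kept
 * only for contrast and must never be fed untrusted input. */
void copy_field_unchecked(char dst[FIELD_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure first, reject input that does not fit, and always
 * leave dst NUL-terminated. Returns 0 on success and -1 when the input is
 * rejected (dst is then the empty string). */
int copy_field_checked(char dst[FIELD_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= FIELD_LEN) {          /* no room for the data plus terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    char field[FIELD_LEN];
    /* Constructed inputs: one that fits, one that would overrun. */
    const char *ok = "admin";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */

    printf("short input: %s\n",
           copy_field_checked(field, ok) == 0 ? "accepted" : "rejected");
    printf("long input:  %s\n",
           copy_field_checked(field, too_long) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The length check is the whole fix: the hardened copy never writes past `dst`, and the caller gets a return value it can log as a rejected request, which is also a useful signal for detection.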

Another common trick is the brute force password attack, which Jones said can be a problem on devices such as firewalls. On such devices, hackers can keep trying passwords from a dictionary without being locked out after a certain number of failures.
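The missing control here is a lockout that counts failures over a time window and refuses every attempt, correct password or not, while the lock is in force. The following is an added example in C of such a tracker (not code from the article or from any firewall product); the thresholds of five failures in five minutes and a fifteen-minute lock are assumptions, and the timestamps passed in are constructed.

```c
#include <stdio.h>

/* Policy values (assumptions for illustration). */
#define MAX_FAILURES   5      /* failures tolerated inside one window */
#define FAIL_WINDOW    300    /* seconds over which failures are counted */
#define LOCK_DURATION  900    /* seconds an account stays locked */

struct lockout_state {
    int  failures;            /* failures seen in the current window */
    long window_start;        /* time of the first failure in the window */
    long locked_until;        /* 0 when not locked */
};

/* Returns 1 if the account is locked at time 'now', else 0. */
int is_locked(const struct lockout_state *s, long now)
{
    return s->locked_until != 0 && now < s->locked_until;
}

/* Records one authentication attempt made at time 'now'. 'success' says
 * whether the credential was correct. Returns 1 if the attempt is accepted
 * (login allowed), 0 if rejected (bad credential, or account locked). */
int record_attempt(struct lockout_state *s, long now, int success)
{
    if (is_locked(s, now))
        return 0;             /* while locked, even a correct password fails */

    if (success) {
        s->failures = 0;      /* a genuine login resets the counter */
        s->locked_until = 0;
        return 1;
    }

    /* Start a fresh window on the first failure or after the old one expired. */
    if (s->failures == 0 || now - s->window_start > FAIL_WINDOW) {
        s->failures = 0;
        s->window_start = now;
    }
    s->failures++;

    if (s->failures >= MAX_FAILURES) {
        s->locked_until = now + LOCK_DURATION;
        s->failures = 0;      /* counting restarts once the lock expires */
    }
    return 0;
}

int main(void)
{
    struct lockout_state s = {0, 0, 0};
    long t = 1000;            /* constructed start time in seconds */
    for (int i = 0; i < MAX_FAILURES; i++)
        record_attempt(&s, t + i, 0);
    printf("locked after %d failures: %s\n", MAX_FAILURES,
           is_locked(&s, t + MAX_FAILURES) ? "yes" : "no");
    printf("correct password during lock accepted: %s\n",
           record_attempt(&s, t + MAX_FAILURES, 1) ? "yes" : "no");
    return 0;
}
```

Rejecting correct passwords during the lock is deliberate: if the lock only filtered wrong guesses, the attacker could still tell when a guess succeeded. Every rejected attempt should also be logged with its source so a sustained dictionary run shows up in monitoring.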

There are also other, more spectacular vulnerabilities. David Morgan, senior consultant for X-Force Security Assessment Services at security consultancy Internet Security Systems, said there is a security flaw in some network devices that lets you add text to the web administration URL, taking you straight into super-user mode.

He described one routine security scan he did for a client where he was unable to find many loopholes. Back at the office, he found a report of this vulnerability. "We went back the next day and got control of all the switches and routers," he said.

Roy Hills, technical director of security testing company NTA Monitor, said keeping patches up to date will stop attacks from "script kiddies" - amateur hackers running pre-scripted exploits in the hope of breaking into a system. The problem is that too many companies are not implementing patches in a structured way.

"If you are running a corporate database, you cannot just slap on a patch when it is released," he said. "You need some form of development environment and the patch must be tested first."

Companies must also react to critical patches. If another aggressive internet worm appears, companies must be aware of it before they read about it in the press and they must be able to implement a patch quickly.

One solution is to have an employee checking newsgroups, supplier sites and bulletins to pick up on patches before the hackers do. Unfortunately, many companies are not in a position to pay this extra salary.

Another option is to use a supplier service. Both Microsoft and Red Hat offer update services that they claim can automate much of the patching overhead for customers. The problem is that the services are far from perfect. Microsoft has not yet unified the update servers for many of its products, and there have been reports of patches causing software problems.

"I do not look favourably on Microsoft, and I am tempering that statement," said Jim DiDominicus, chief information security officer at the New York Board of Trade.

"I am glad it has started to embrace security, but I do not trust Microsoft to manage patches for me. I do not even trust Red Hat, which is the Linux distribution I use the most."

DiDominicus is so nervous about quality assurance he tends to pre-test patches at home on his personal equipment before re-testing them in the enterprise.

The other problem with such services is that they are supplier-specific. An alternative option for time-pressured IT departments is to hire a specialist company to keep you abreast of cross-supplier vulnerabilities.

ISS recently launched a threat analysis service that keeps customers up-to-date with news of vulnerabilities. DiDominicus uses security firm Qualys, which provides on-demand security auditing services online through its own database of device vulnerabilities.

Morgan said the other option is to use virtual patching, where an intrusion prevention system dynamically configures itself to block new attacks. ISS offers such a service as part of its intrusion detection system, using a combination of threat pattern recognition and online updates from the consultancy's servers.

The idea is that these devices offer protection of sorts until the proper patch is released from the supplier. Stuart Okin, chief security officer for Microsoft UK, is unhappy about such solutions and argued that patches from suppliers should be applied as soon as possible rather than being delayed by reliance on third parties.

Morgan disagreed. "When a company does not have the resources, the application of patches is extremely time consuming," he said. "In many cases, a virtual patch can be implemented more quickly - perhaps a couple of weeks before the real patch."

But putting in place a proper patching methodology will not necessarily solve your problems. Some hackers rely on "zero-day" vulnerabilities that have not been disclosed to suppliers.

Identifying these vulnerabilities and protecting yourself against them is much more difficult. Hills' advice is to minimise your visibility by removing services you do not need to offer. "If you are running IIS with FTP, e-mail, news and web services, disable what you do not need," he said.

Another good tip is to baseline your architecture and establish normal thresholds in areas such as the number of sessions and jobs that are running and the amount of bandwidth being used. Any anomalies can then be identified more easily. Using intrusion detection systems can also help to avoid these attacks.
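The baselining tip above is easy to turn into code. What follows is an added example in C (not from the article or any product it names) that takes per-interval session counts from a quiet period, computes their mean and standard deviation, and flags later intervals that exceed mean plus three standard deviations. The sample counts are constructed, the three-sigma factor and the minimum margin are assumptions, and the square root is a small Newton iteration so the example needs no maths library.

```c
#include <stdio.h>

#define K_SIGMA 3.0           /* how many standard deviations is "abnormal" (assumption) */

struct baseline {
    double mean;
    double stddev;
};

/* Square root by Newton's method; avoids linking libm for one call. */
static double root(double x)
{
    if (x <= 0.0) return 0.0;
    double r = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 60; i++)
        r = 0.5 * (r + x / r);
    return r;
}

/* Mean and population standard deviation of n samples (e.g. sessions per
 * five-minute interval over a known-good week). */
struct baseline compute_baseline(const double *samples, int n)
{
    struct baseline b = {0.0, 0.0};
    double sum = 0.0, sq = 0.0;
    if (n <= 0) return b;
    for (int i = 0; i < n; i++) sum += samples[i];
    b.mean = sum / n;
    for (int i = 0; i < n; i++) {
        double d = samples[i] - b.mean;
        sq += d * d;
    }
    b.stddev = root(sq / n);
    return b;
}

/* Upper limit for "normal". floor_delta is a minimum margin so that a
 * perfectly flat baseline (stddev 0) does not flag every tiny change. */
double upper_threshold(struct baseline b, double floor_delta)
{
    double delta = K_SIGMA * b.stddev;
    if (delta < floor_delta) delta = floor_delta;
    return b.mean + delta;
}

/* Marks each observed interval as anomalous (1) or not (0) in flags[] and
 * returns how many were flagged. */
int flag_anomalies(struct baseline b, double floor_delta,
                   const double *observed, int n, int *flags)
{
    double limit = upper_threshold(b, floor_delta);
    int count = 0;
    for (int i = 0; i < n; i++) {
        flags[i] = observed[i] > limit;
        count += flags[i];
    }
    return count;
}

int main(void)
{
    /* Constructed baseline: concurrent sessions sampled over eight intervals. */
    const double quiet[] = {100, 110, 90, 105, 95, 100, 110, 90};
    /* Constructed later observations: one clear spike and one borderline one. */
    const double today[] = {105, 120, 400, 98, 123};
    int flags[5];

    struct baseline b = compute_baseline(quiet, 8);
    int n = flag_anomalies(b, 10.0, today, 5, flags);
    printf("baseline mean %.1f, stddev %.1f, limit %.1f\n",
           b.mean, b.stddev, upper_threshold(b, 10.0));
    for (int i = 0; i < 5; i++)
        printf("interval %d: %.0f sessions %s\n", i, today[i],
               flags[i] ? "ANOMALY" : "normal");
    printf("%d anomalous intervals\n", n);
    return 0;
}
```

The same three functions apply unchanged to other metrics the article mentions, such as running jobs or bandwidth per interval; what matters is that the baseline comes from a period you trust, and that the threshold is revisited as the environment changes, otherwise the alerts will be noise.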

Common sense plays a big part in locking down your network vulnerabilities, but resources are also an important factor. If you do not feel you have the finances or the staff to manage the load, an outsourced solution may be a viable option.


  • Vulnerabilities include buffer overflow attacks, which can allow hackers to gain control of devices; brute force password attacks; or adding text to URLs to take a hacker into administrator mode
  • Businesses need to have a structured approach to patching, including being able to test the patches in a development environment. Alternatively, this function can be outsourced.
  • Virtual patching, where an intrusion detection system dynamically configures itself against threats, is one way of insuring against unknown vulnerabilities.
