Types of vulnerabilities affecting patch management

This excerpt from "The administrator shortcut guide to patch management" categorizes vulnerabilities into "administrative," "product" and "physical."

The following excerpt is from Chapter 1 of the free eBook "Administrator shortcut guide to patch management," written by Rod Trent and available at Realtimepublishers.com.

Types of vulnerabilities

When you think about vulnerabilities and what you can do to minimize your organization's exposure, it is helpful to categorize the possibilities so that you can plan and implement security based on the assigned category:

  • Administrative

  • Product

  • Physical

If you are part of a large company, each category of vulnerability will generally be handled by different teams or individuals. The following sections describe these categories of vulnerabilities and provide factors to help identify the most appropriate category when assigning responsibilities for each.

Of these three vulnerability categories, the product category most directly affects patch management.

Administrative vulnerabilities

When an administrator fails to observe administrative best practices -- for example, by using a weak password or by logging on with an account that has more rights than the task at hand requires -- an administrative vulnerability is introduced. Administrative vulnerabilities may be the most telling indicator of the state of your company's security policies and practices: if an administrator does not apply proper techniques to secure the environment at the administrative level, there is a good chance that the administrator isn't knowledgeable enough to address the other vulnerability types either.

An administrative best practice: Renaming important accounts
When attackers try to gain access to your company's network, the Administrator and Guest accounts are the first point of attack: Their names are known in advance, so attackers go straight to guessing or cracking the passwords associated with them. As a security measure against such attacks, an administrative best practice is to rename or disable the Administrator and Guest accounts for your Windows domain, and create a new Administrator-equivalent account that is used for administrative tasks. Be clear about what renaming buys you: it removes the well-known name, but the built-in Administrator account keeps its well-known relative identifier (RID 500), so any tool that enumerates accounts by SID still finds it. Treat renaming as one layer on top of a strong password and, where possible, disabling the built-in account once the replacement exists. The following procedure outlines how to rename the Administrator and Guest accounts in your organization. Consider adding this change to the image that you use to deploy desktops in your company as well as employing this procedure on the Windows domain.

To rename the Administrator and Guest accounts, start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. In the console tree, right-click your domain or the organizational unit (OU) that contains the Group Policy that you want, then click Properties. Select the Group Policy tab, select the desired Group Policy Object (GPO), then click Edit.

Next, expand Computer Configuration, Windows Settings, Security Settings, and Local Policies, then click Security Options. In the right pane of the Group Policy snap-in, double-click Rename administrator account. Select the Define this policy setting check box, then type the name to which you want to rename the Administrator account and click OK.

Next, double click Rename guest account, then select the Define this policy setting check box, and provide the name to which you want to rename the guest account. Click OK, then quit the Group Policy snap-in. Finally, click OK, then quit the Active Directory Users and Computers snap-in.
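Once the policy has applied, verify it from the machine itself rather than assuming it took. The script below is an added example and is not part of the book: it locates the built-in Administrator and Guest accounts by their SID suffix (RID 500 and 501), which works whatever the accounts are currently called, reports whether they still carry the default names, and renames and disables them when run with -Apply. The replacement names SrvOps and Visitor are placeholders. It needs Windows PowerShell 5.1 or later (the LocalAccounts module) and an elevated prompt.

```powershell
# Added example, not from the book: find the built-in Administrator (RID 500) and
# Guest (RID 501) accounts on this machine by SID suffix, report whether they still
# carry the default names, and rename/disable them when -Apply is given.
# Needs Windows PowerShell 5.1 or later (LocalAccounts module) and an elevated prompt.
param(
    [string]$NewAdminName = 'SrvOps',   # hypothetical replacement names
    [string]$NewGuestName = 'Visitor',
    [switch]$Apply                      # report only unless -Apply is given
)

function Get-BuiltInAccount {
    param([int]$Rid)
    # Built-in account SIDs are <machine SID>-<RID>; matching on the RID suffix
    # finds the account whatever it has been renamed to.
    Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
}

$targets = @(
    @{ Rid = 500; Default = 'Administrator'; New = $NewAdminName; Disable = $false },
    @{ Rid = 501; Default = 'Guest';         New = $NewGuestName; Disable = $true  }
)

foreach ($t in $targets) {
    $acct = Get-BuiltInAccount -Rid $t.Rid
    if (-not $acct) { Write-Warning "No account with RID $($t.Rid) found"; continue }

    $state = if ($acct.Name -eq $t.Default) { 'DEFAULT NAME' } else { 'renamed' }
    '{0,-13} RID {1}  name={2,-20} enabled={3,-5} {4}' -f $t.Default, $t.Rid, $acct.Name, $acct.Enabled, $state

    if (-not $Apply) { continue }
    $name = $acct.Name
    if ($name -eq $t.Default) {
        Rename-LocalUser -Name $name -NewName $t.New
        $name = $t.New
        "  renamed $($t.Default) -> $name"
    }
    # Renaming changes only the label: the RID stays 500/501, so the account is
    # still identifiable by SID. Guest is disabled outright here; disable the
    # built-in Administrator as well once a separate admin-equivalent account exists.
    if ($t.Disable -and $acct.Enabled) {
        Disable-LocalUser -Name $name
        "  disabled $name"
    }
}

# Domain equivalent (ActiveDirectory module): the domain Administrator is
#   Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"
```

Run it without -Apply first across a sample of machines; any line reporting DEFAULT NAME is a machine the GPO has not reached or a workgroup box that never received it.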

Product vulnerabilities

Through a default software installation, an OS or application software is installed using all the default settings provided by the programmers. Performing a default software installation on computers with sensitive data is not a good practice, especially when the chosen software is likely to be used by many people, such as on a public access computer or Web server. The reason is that, especially with earlier OSs and software, the default settings do not usually result in a secure system.

Over the past year, vendors have stepped up progress to change the way OSs and applications are installed so that a system installed with the default settings for new installations will be secure by default. If you want to enable a feature or service, you will need to know of any risks associated with turning the feature or service on.

All too frequently, patches for known security problems are not applied during a default installation. Granted, as software vendors write increasingly complex code, it becomes more difficult for them to keep up with the production of the necessary patches. Thus, server and systems administrators must make the effort to keep their systems patched.

Patching applies vendor-developed fixes for known vulnerabilities in their products. The following list highlights common product vulnerabilities:

  • Buffer overrun -- A buffer overrun results from writing more data into a buffer than it was sized to hold. The excess overwrites adjacent memory, and an attacker who controls that data can corrupt control data such as a saved return address and redirect the program into executing code of his or her choice, taking over the process and often the whole system. A buffer is a region of memory reserved for use as an intermediate repository in which data is temporarily held before it is transferred between two locations or devices.
  • Elevation of privileges -- An elevation of privileges occurs when a user tricks a system into granting rights it did not authorize, usually for the purpose of compromising or destroying the system. It is often the result of a buffer overrun or an integer overflow.
  • Denial of Service (DoS) attack -- A DoS attack is an assault launched by an attacker to overload or halt a network service, such as a Web server or a file server. For example, an attack might keep the server so busy responding to bogus requests that it ignores legitimate requests for connections.
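Keeping systems patched starts with knowing what is actually installed. The script below is an added example, not from the book: it compares the hotfixes Windows reports as installed against a required list and flags a machine that has gone too long without any update at all. The KB identifiers in the default list are placeholders, not real updates; feed it the IDs from your vendor advisories or patch tracker.

```powershell
# Added example, not from the book: report which required updates are missing
# from this machine and how long it has been since anything was installed.
# The KB list below is a placeholder; populate it from your own advisories.
param(
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002'),  # placeholder IDs, not real updates
    [int]$MaxDaysSinceLastPatch = 45                        # staleness threshold, policy-dependent
)

# One object per installed update; InstalledOn is $null for some entries
$installed = Get-HotFix | Sort-Object InstalledOn

# Normalise IDs to upper case so 'kb123' and 'KB123' compare equal
$installedIds = $installed | ForEach-Object { $_.HotFixID.ToUpperInvariant() }
$missing = $RequiredKBs | ForEach-Object { $_.ToUpperInvariant() } |
           Where-Object { $installedIds -notcontains $_ }

# Newest update with a usable date; entries without one are ignored for the age check
$last = $installed | Where-Object { $_.InstalledOn } | Select-Object -Last 1
$daysSince = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    InstalledCount  = @($installed).Count
    LastInstalled   = if ($last) { $last.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
    DaysSinceLast   = $daysSince
    Stale           = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceLastPatch)
    MissingRequired = $missing -join ', '
}
```

Get-HotFix reads the Win32_QuickFixEngineering list, which only covers updates recorded there; it will not show, for example, definition updates or every package installed by other means, so treat an empty MissingRequired as necessary but not sufficient and cross-check against Windows Update or your management tool.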

Physical vulnerabilities

It's easy to overlook physical security, especially if you work in a small or home-based business. However, physical security is an extremely important part of keeping your computers and data secure -- if an experienced attacker can just walk up to your machine, it can be compromised in a matter of minutes. Although such an occurrence might seem like a remote threat, physical vulnerabilities present additional risks -- such as theft, data loss and physical damage -- that make it important to check your physical security posture for holes.

When looking at providing better physical security, use the following examples to build upon:

  • If at all possible, sensitive systems should be kept behind a locked door.

  • A good physical security plan limits what can be done with the computers. Some examples of things you can do to stop unwanted actions are to:

    • Lock the CPU case

    • Use a cable-type security lock to keep someone from stealing the whole computer

    • Configure the BIOS not to boot from the floppy drive or other removable media, and password-protect the BIOS setup so the boot order cannot simply be changed back

    • Use the syskey utility to secure the local accounts database, local copies of Encrypting File System (EFS) encryption keys, and other valuables that you don't want attackers to have (syskey is no longer available from Windows 10 version 1709 onward; on current systems, full-volume encryption such as BitLocker serves the same purpose)

    • Use the EFS to encrypt sensitive folders on your machine

  • Keep hubs and switches behind locked doors or in locked cabinets, run cabling through walls and ceilings to make it harder to tap and ensure that your external data connection points are kept locked.
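Encrypting a folder with EFS is a one-line command, but a practitioner also wants proof that every file inside it ended up encrypted. The script below is an added example, not from the book: it encrypts a folder and its contents with cipher.exe, then verifies by reading the Encrypted attribute back from each file rather than trusting the command's exit status. Files carrying the System attribute are reported separately because EFS refuses to encrypt them. The folder C:\Sensitive is a hypothetical path.

```powershell
# Added example, not from the book: encrypt a folder with EFS via cipher.exe, then
# verify by reading the Encrypted attribute back from every file rather than trusting
# the command's exit status. Files with the System attribute cannot be EFS-encrypted
# and are listed up front so they are not silently left in the clear.
param([string]$Path = 'C:\Sensitive')   # hypothetical folder; pass your own

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

$enc = [System.IO.FileAttributes]::Encrypted
$sys = [System.IO.FileAttributes]::System

# Files EFS will not touch; flag them so they can be moved or handled another way
$systemFiles = Get-ChildItem -LiteralPath $Path -File -Recurse -Force |
               Where-Object { $_.Attributes -band $sys }

# /e encrypt, /a operate on files as well as directories, /s: recurse into the tree.
# Marking the folder itself means files created in it later are encrypted automatically.
& cipher.exe /e /a /s:"$Path" | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "cipher.exe exited with code $LASTEXITCODE" }

$files        = Get-ChildItem -LiteralPath $Path -File -Recurse -Force
$notEncrypted = $files | Where-Object { -not ($_.Attributes -band $enc) }

[pscustomobject]@{
    Folder       = $Path
    FolderMarked = [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band $enc)
    TotalFiles   = @($files).Count
    Encrypted    = @($files).Count - @($notEncrypted).Count
    SystemFiles  = @($systemFiles).Count
    NotEncrypted = @($notEncrypted | ForEach-Object FullName) -join '; '
}
```

EFS protects data at rest only, and the file keys are protected by the user's logon credential, so a weak password undoes it; export and back up the user's EFS certificate and designate a recovery agent before relying on it, or the data is lost with the profile.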
