

11:17 AM
Vincent Liu

Better Patching Priority

What to consider when prioritizing risks

There are lots of different opinions about the best ways to tackle security risk. In a recent blog post titled "The Best Way to Spend Your Security Budget," Larry Seltzer says there is one burning issue that should be at the top of everyone's list: SQL injection.

If only it were that easy.

There is no "one size fits all" solution because every company and its needs are different. Seltzer's advice is that the simple answer for companies is to spend their security budget to prevent SQL injection. I disagree. There are also the unknowns that surround a company's security concerns. Looking only at Web applications, using a Top 10 list developed through limited industry consensus, and selecting just one issue is not the best approach.

The blog also mentions prioritizing risks; I would agree that many vendors spend every marketing dollar they have to focus people only on the shiniest solutions to the "latest threat." But the latest threats are rarely the ones companies should be most concerned about. The biggest risks facing companies are the ones they already know about and for which solutions already exist. Just because a threat is new doesn't mean it's always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn't mean it's the most important problem facing your organization.

Imagine a large property with no fence or borders, where people come and go as they please, using the resources as they see fit. There is no security camera to track what individuals do on the property, what type of assets are being manipulated, or what information is exchanged. Ask any security professional and they'll tell you that this property is not only lacking security, it is vulnerable to all sorts of malicious activity and obviously needs a security update, with a fence perhaps the top priority. But you can't say that a missing fence is the biggest priority without context. What if you learned that this property is also a public park? Your perspective and priorities change.

Multiple factors must be considered when looking at your enterprise exposure. A more comprehensive approach to security budgeting is to take into account both environmental variables and business interests. Patching is a great example of this.

Patch management requires you to consider vendor security suggestions, but your primary focus must be on your company itself so you can prioritize patches in an order most beneficial to your needs.

When a patch is deployed across thousands of systems, a common approach is to use the vendor's patch severity rating alone to dictate the rollout priority. This order of implementation, though seemingly effective at first glance, is not necessarily the most secure way to patch your enterprise assets. Vendor severity ratings are created under the assumption that the target systems exist in isolation and only consider the updates on the most mechanical level. They don't take into account how your organization uses individual machines. Because of this, all systems are treated equally even if they aren't. A computer set up to run welcome videos in the lobby doesn't handle the same type of information as one managing monthly financials. Patching that computer over your primary servers because of a vendor rating simply doesn't make sense. It is important to consider other factors and environmental characteristics to develop a more sophisticated, risk-based approach to patching.

When you prioritize with purpose, you reduce threats with greater efficiency. If you use just one more factor, such as which systems are considered absolutely critical, and combine it with the patch severity level provided by the vendor, then you can achieve greater risk reduction by applying the most severe patches to the most critical assets. More risk reduction, faster results.

This also holds true for a software patch that may not initially be rated as severe. Depending on your company's infrastructure, certain vulnerabilities could actually have a high business impact if exploited. Clearly, this is something you want to patch right away. Without applying your knowledge of your unique environment, a critical system may sit unpatched for an unnecessarily long period of time.
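The two-factor ranking described above, as an added example that is not part of the original article: vendor severity is weighted by the asset's criticality from the local inventory, and a locally assessed high business impact promotes a patch the vendor rated low. The multiplicative weighting, the rating scales and the inventory entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed scales (assumption): vendor severity as published in the advisory,
# asset criticality as recorded in the organization's own inventory.
VENDOR_SEVERITY = {"low": 1, "moderate": 2, "important": 3, "critical": 4}
ASSET_CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # from the asset inventory, not from the vendor


@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor_severity: str  # the vendor's environment-agnostic rating
    business_impact: str = "low"  # local assessment of impact if exploited here


def priority(patch: Patch, asset: Asset) -> int:
    """Vendor severity weighted by asset criticality; local knowledge can raise it."""
    sev = VENDOR_SEVERITY[patch.vendor_severity]
    # A patch the vendor rated low is treated as critical when our own
    # assessment says exploitation would have high business impact.
    if patch.business_impact == "high":
        sev = max(sev, VENDOR_SEVERITY["critical"])
    return sev * ASSET_CRITICALITY[asset.criticality]


def rollout_order(work: list[tuple[Patch, Asset]]) -> list[tuple[str, str]]:
    """Return (patch_id, asset name) pairs in deployment order, highest priority first."""
    ranked = sorted(work, key=lambda pa: priority(*pa), reverse=True)
    return [(p.patch_id, a.name) for p, a in ranked]


# Constructed inventory mirroring the article's lobby kiosk and financials server.
LOBBY_KIOSK = Asset("lobby-video-kiosk", "low")
FINANCE_SERVER = Asset("monthly-financials-server", "high")

WORK = [
    (Patch("VENDOR-001", "critical"), LOBBY_KIOSK),
    (Patch("VENDOR-002", "important"), FINANCE_SERVER),
    (Patch("VENDOR-003", "low", business_impact="high"), FINANCE_SERVER),
    (Patch("VENDOR-003", "low"), LOBBY_KIOSK),
]

if __name__ == "__main__":
    for patch_id, asset_name in rollout_order(WORK):
        print(patch_id, asset_name)
```

With this weighting the vendor-critical patch on the lobby kiosk ranks below both patches on the financials server, which is the ordering a vendor-rating-only rollout would invert.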

Using a multifaceted approach to patch management requires information about the systems you're protecting that is both readily available and current. The same is true of any kind of risk prioritization. You can't secure what you don't know about, so having an updated, prioritized inventory is essential to protecting important company assets.

If you consider how many factors are needed to make an informed prioritization decision, following a set of written guidelines and to-do's doesn't account for environmental changes or unexpected problems. Your best bet for defending your organization is to apply the unique knowledge you have about how it is set up and the environment in which it runs.

If you only prepare for threats coming in one way, you're setting yourself up to be hit by an attack coming in from another.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books, including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
