

By Vincent Liu

Better Patching Priority

What to consider when prioritizing risks

There are lots of different opinions about the best ways to tackle security risk. In a recent blog post titled "The Best Way to Spend Your Security Budget," Larry Seltzer says there is one burning issue that should be at the top of everyone's list: SQL injection.

If only it were that easy.

There is no "one size fits all" solution because every company's needs are different. Seltzer's advice is that the simple answer for companies is to spend their security budget to prevent SQL injection. I disagree. Every company also has unknowns specific to its own environment that a generic answer cannot capture. Looking only at Web applications, using a Top 10 list developed through limited industry consensus, and selecting just one issue is not the best approach.

The blog also mentions prioritizing risks; I would agree that many vendors spend every marketing dollar they have to focus people only on the shiniest solutions to the "latest threat." But the latest threats are rarely the ones companies should be most concerned about. The biggest risks facing companies are the ones they already know about and for which solutions already exist. Just because a threat is new doesn't mean it's always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn't mean it's the most important problem facing your organization.

Imagine a large property with no fence or borders, where people come and go as they please, using the resources as they see fit. There is no security camera to track what individuals do on the property, what assets are being manipulated, or what information is exchanged. Ask any security professional and they'll tell you that this property is not only lacking security, it is vulnerable to all sorts of malicious activity and obviously needs a security update – perhaps with a fence as the top priority. But you can't say that a missing fence is the biggest priority without context. What if you learned that this property is also a public park? Your perspective and priorities change.

Multiple factors must be considered when looking at your enterprise exposure. A more comprehensive approach to security budgeting is to take into account both environmental variables and business interests. Patching is a great example of this.

Patch management requires you to consider vendor security suggestions, but your primary focus must be on your company itself so you can prioritize patches in an order most beneficial to your needs.

When a patch is deployed across thousands of systems, a common approach is to use the vendor's patch severity rating alone to dictate the rollout priority. This order of implementation, though seemingly effective at first glance, is not necessarily the most secure way to patch your enterprise assets. Vendor severity ratings are created under the assumption that the target systems exist in isolation, and they consider the updates only on the most mechanical level. They don't take into account how your organization uses individual machines. Because of this, all systems are treated equally even though they aren't. A computer set up to run welcome videos in the lobby doesn't handle the same type of information as one managing monthly financials. Patching the lobby computer ahead of your primary servers because of a vendor rating simply doesn't make sense. It is important to consider other factors and environmental characteristics to develop a more sophisticated, risk-based approach to patching.

When you prioritize with purpose, you reduce threats with greater efficiency. If you use just one more factor, such as which systems are considered absolutely critical, and combine it with patch severity level (provided by vendor), then you can achieve greater risk reduction by applying the most severe patches to the most critical assets. More risk reduction, faster results.

This also holds true for a software patch that may not initially be rated as severe. Depending on your company's infrastructure, certain vulnerabilities could actually have a high business impact if exploited. Clearly, this is something you want to patch right away. Without applying your knowledge of your unique environment, a critical system may sit unpatched for an unnecessarily long period of time.
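To make the two-factor prioritization concrete, here is a small worked example. It is added here and is not part of the article; the severity and criticality scales, the scoring formula, and every hostname, patch identifier and tier name are constructed placeholders, not data from any real vendor or inventory. It ranks the same set of patches two ways, by vendor severity alone and by vendor severity combined with asset criticality and network exposure, and also reports hosts that a patch applies to but that are missing from the inventory, since those are the systems you "don't know about."

```python
"""Risk-based patch ordering: vendor severity combined with asset criticality.

Added example, not from the article. All scales, names and data below are
constructed placeholders for illustration.
"""
from dataclasses import dataclass

# Vendor severity on a constructed 1-4 scale (many vendors publish a
# Low / Moderate / Important / Critical style rating).
SEVERITY_WEIGHT = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Asset criticality tiers as recorded in the inventory (constructed 1-4 scale).
CRITICALITY_WEIGHT = {
    "kiosk": 1,
    "workstation": 2,
    "internal-server": 3,
    "financial-server": 4,
}

# Constructed bonus for assets reachable from untrusted networks.
EXPOSURE_BONUS = 4


@dataclass(frozen=True)
class Asset:
    hostname: str
    tier: str       # key into CRITICALITY_WEIGHT
    exposed: bool   # reachable from untrusted networks


@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor_severity: str   # key into SEVERITY_WEIGHT
    applies_to: tuple      # hostnames the patch applies to


def priority_score(patch: Patch, asset: Asset) -> int:
    """Combine the vendor's rating with local context.

    severity * criticality gives a 1-16 base; an exposed asset gets a bump so a
    moderate patch on an exposed critical host is not buried behind a critical
    patch on an isolated lobby kiosk.
    """
    base = SEVERITY_WEIGHT[patch.vendor_severity] * CRITICALITY_WEIGHT[asset.tier]
    return base + (EXPOSURE_BONUS if asset.exposed else 0)


def vendor_only_order(patches, inventory):
    """Baseline: (patch_id, hostname, severity) ranked by vendor severity alone."""
    known = {a.hostname for a in inventory}
    rows = [(p.patch_id, h, SEVERITY_WEIGHT[p.vendor_severity])
            for p in patches for h in p.applies_to if h in known]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def risk_based_order(patches, inventory):
    """(patch_id, hostname, score) ranked by severity combined with asset context."""
    by_host = {a.hostname: a for a in inventory}
    rows = [(p.patch_id, h, priority_score(p, by_host[h]))
            for p in patches for h in p.applies_to if h in by_host]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def unknown_assets(patches, inventory):
    """Hosts a patch applies to that the inventory does not know about."""
    known = {a.hostname for a in inventory}
    return sorted({h for p in patches for h in p.applies_to if h not in known})


# Constructed sample inventory and patch set.
INVENTORY = (
    Asset("lobby-kiosk-01", "kiosk", exposed=False),
    Asset("fin-db-01", "financial-server", exposed=False),
    Asset("web-01", "internal-server", exposed=True),
)

PATCHES = (
    Patch("PATCH-A", "critical", ("lobby-kiosk-01", "web-01")),
    Patch("PATCH-B", "moderate", ("fin-db-01",)),
    Patch("PATCH-C", "important", ("fin-db-01", "ghost-host-07")),
)

if __name__ == "__main__":
    print("vendor severity only:")
    for row in vendor_only_order(PATCHES, INVENTORY):
        print("  ", row)
    print("severity x criticality (+ exposure):")
    for row in risk_based_order(PATCHES, INVENTORY):
        print("  ", row)
    print("not in inventory:", unknown_assets(PATCHES, INVENTORY))
```

In the vendor-only ranking the lobby kiosk is patched first because its patch is rated critical; in the risk-based ranking the moderate-rated patch on the financial server (score 8) outranks the critical-rated patch on the kiosk (score 4), and the exposed web server rises to the top. The scoring weights are arbitrary; what matters is that the ordering is driven by inventory data the organization maintains, not only by the vendor's rating.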

Using a multifaceted approach to patch management requires information about the systems you're protecting that is both readily available and current. The same is true of any kind of risk prioritization. You can't secure what you don't know about, so having an updated, prioritized inventory is essential to protecting important company assets.

Given how many factors go into an informed prioritization decision, following a fixed set of written guidelines and to-do's doesn't account for environmental changes or unexpected problems. Your best bet for defending your organization is to apply the unique knowledge you have about how it is set up and the environment in which it runs.

If you only prepare for threats coming in one way, you're setting yourself up to be hit by an attack coming in from another.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
