Dark Reading is part of the Informa Tech Division of Informa PLC

Perimeter

3/11/2013
11:17 AM
Vincent Liu
Commentary

Better Patching Priority

What to consider when prioritizing risks

There are lots of different opinions about the best ways to tackle security risk. In a recent blog post titled "The Best Way to Spend Your Security Budget," Larry Seltzer says there is one burning issue that should be at the top of everyone's list: SQL injection.

If only it were that easy.

There is no one-size-fits-all solution, because every company and its needs are different. Seltzer's advice is that the simple answer for companies is to spend their security budget on preventing SQL injection. I disagree. Every company also has unknowns surrounding its security concerns. Looking only at Web applications, relying on a Top 10 list developed through limited industry consensus, and then selecting a single issue from it is not the best approach.

The blog also mentions prioritizing risks; I would agree that many vendors spend every marketing dollar they have to focus people only on the shiniest solutions to the "latest threat." But the latest threats are rarely the ones companies should be most concerned about. The biggest risks facing companies are the ones they already know about and for which solutions already exist. Just because a threat is new doesn't mean it's always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn't mean it's the most important problem facing your organization.

Imagine a large property with no fence or borders, where people come and go as they please and use the resources as they see fit. There is no security camera to track what individuals do on the property, what assets are being manipulated, or what information is exchanged. Ask any security professional and they'll tell you that this property is not only lacking security, it is vulnerable to all sorts of malicious activity and obviously needs a security upgrade, perhaps with a fence as the top priority. But you can't say that a missing fence is the biggest priority without context. What if you learned that this property is also a public park? Your perspective and priorities change.

Multiple factors must be considered when looking at your enterprise exposure. A more comprehensive approach to security budgeting is to take into account both environmental variables and business interests. Patching is a great example of this.

Patch management requires you to consider the vendor's severity ratings, but your primary focus must be on your company itself, so that you can prioritize patches in the order most beneficial to your needs.

When a patch is deployed across thousands of systems, a common approach is to use the vendor's patch severity rating alone to dictate the rollout priority. This order of implementation, though seemingly effective at first glance, is not necessarily the most secure way to patch your enterprise assets. Vendor severity ratings are created under the assumption that the target systems exist in isolation, and they consider the update only at the most mechanical level. They don't take into account how your organization uses individual machines. Because of this, all systems are treated equally even when they aren't. A computer set up to run welcome videos in the lobby doesn't handle the same type of information as one managing monthly financials. Patching that computer before your primary servers because of a vendor rating simply doesn't make sense. It is important to consider other factors and environmental characteristics to develop a more sophisticated, risk-based approach to patching.

When you prioritize with purpose, you reduce risk with greater efficiency. If you use just one more factor, such as which systems are considered absolutely critical, and combine it with the vendor-supplied patch severity level, then you achieve greater risk reduction by applying the most severe patches to the most critical assets first. More risk reduction, faster results.

The same holds true for a software patch that is not initially rated as severe. Depending on your company's infrastructure, certain vulnerabilities could have a high business impact if exploited, and that is clearly something you want to patch right away. Without applying your knowledge of your unique environment, a critical system may sit unpatched for an unnecessarily long period of time.

Using a multifaceted approach to patch management requires that information about the systems you're protecting be both readily available and current. The same is true of any kind of risk prioritization. You can't secure what you don't know about, so an updated, prioritized inventory is essential to protecting important company assets.
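The rollout ordering described in the preceding paragraphs, worked through in code. This is an added example for this article, not the author's or any vendor's tooling: it scores each (patch, host) pair by vendor severity multiplied by the organization's own asset criticality, with a small bump for Internet-facing hosts, and puts that order beside the vendor-rating-only order it replaces. The four-level scales, the weights, the hostnames, software names and patch IDs are all assumptions constructed for illustration; real inventories and advisories would supply them.

```python
"""Risk-based patch prioritization: vendor severity combined with asset
criticality and exposure, run over a small constructed inventory.

Added example for this article, not code from the author or any vendor.
Scales, weights, hostnames, software names and patch IDs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Vendor severity rating as the vendor publishes it (assumed 4-level scale).
VENDOR_SEVERITY: Dict[str, int] = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Asset criticality is the organization's own judgement of what the host does
# for the business. Assumed scale: 1 (disposable) to 4 (money or regulated data).
ROLE_CRITICALITY: Dict[str, int] = {"kiosk": 1, "workstation": 2, "server": 3, "financial_system": 4}


@dataclass(frozen=True)
class Asset:
    hostname: str
    role: str
    internet_facing: bool
    installed: Tuple[str, ...]      # software identifiers present on the host


@dataclass(frozen=True)
class Patch:
    patch_id: str
    software: str                   # which installed software the patch fixes
    vendor_severity: str


@dataclass(frozen=True)
class WorkItem:
    patch_id: str
    hostname: str
    score: int


def risk_score(patch: Patch, asset: Asset) -> int:
    """Severity times criticality, plus one if the host is reachable from the Internet.

    Multiplying rather than adding means a moderate patch on a critical system
    outranks a critical patch on a throwaway one; the exposure bump only
    separates otherwise similar hosts.
    """
    base = VENDOR_SEVERITY[patch.vendor_severity] * ROLE_CRITICALITY[asset.role]
    return base + (1 if asset.internet_facing else 0)


def applicable(patches: List[Patch], inventory: List[Asset]) -> List[WorkItem]:
    """Pair every patch with every inventoried host that actually runs the software."""
    return [WorkItem(p.patch_id, a.hostname, risk_score(p, a))
            for p in patches for a in inventory if p.software in a.installed]


def prioritize_by_risk(patches: List[Patch], inventory: List[Asset]) -> List[WorkItem]:
    """Highest combined risk first; ties go to the more critical host, then patch ID."""
    crit = {a.hostname: ROLE_CRITICALITY[a.role] for a in inventory}
    return sorted(applicable(patches, inventory),
                  key=lambda w: (-w.score, -crit[w.hostname], w.patch_id, w.hostname))


def prioritize_by_vendor(patches: List[Patch], inventory: List[Asset]) -> List[WorkItem]:
    """The common approach the article criticises: the vendor rating alone decides order."""
    sev = {p.patch_id: VENDOR_SEVERITY[p.vendor_severity] for p in patches}
    return sorted(applicable(patches, inventory),
                  key=lambda w: (-sev[w.patch_id], w.patch_id, w.hostname))


def position(order: List[WorkItem], patch_id: str, hostname: str) -> int:
    """0-based position of a (patch, host) pair in a rollout order."""
    for i, w in enumerate(order):
        if w.patch_id == patch_id and w.hostname == hostname:
            return i
    raise KeyError(f"{patch_id} on {hostname} is not an applicable work item")


# Constructed sample inventory and patch list (not real hosts or advisories).
INVENTORY = [
    Asset("fin-db-01", "financial_system", False, ("os", "dbms")),
    Asset("web-01", "server", True, ("os", "webserver")),
    Asset("hr-ws-07", "workstation", False, ("os", "office_suite")),
    Asset("lobby-kiosk-01", "kiosk", False, ("os", "media_player")),
]
PATCHES = [
    Patch("P-001", "os", "critical"),
    Patch("P-002", "media_player", "critical"),
    Patch("P-003", "dbms", "moderate"),
    Patch("P-004", "webserver", "important"),
    Patch("P-005", "office_suite", "low"),
]

if __name__ == "__main__":
    for label, order in (("vendor rating only", prioritize_by_vendor(PATCHES, INVENTORY)),
                         ("severity x criticality", prioritize_by_risk(PATCHES, INVENTORY))):
        print(f"--- rollout order: {label}")
        for w in order:
            print(f"{w.score:3d}  {w.patch_id}  {w.hostname}")
```

Run stand-alone, the vendor-only order pushes the lobby kiosk's critical media player patch ahead of the moderate database patch on the financial system; the risk-based order reverses that, and the critical OS patch on the financial system comes out on top of both lists. The `applicable` step is where the inventory matters: a host that is not in the inventory, or whose installed software is not recorded, never becomes a work item at all, which is the article's "you can't secure what you don't know about" in practice.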

Given how many factors go into an informed prioritization decision, simply following a fixed set of written guidelines and to-do lists cannot account for environmental changes or unexpected problems. Your best bet for defending your organization is to apply the unique knowledge you have of how it is set up and the environment in which it runs.

If you only prepare for threats coming in one way, you're setting yourself up to be hit by an attack coming in from another.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu
