CSOs say patch management tide is turning

By Bill Brenner, News Writer
09 Dec 2005 | SearchSecurity.com

NEW YORK -- When he unveiled his organization's Top 20 vulnerability list for 2005 in November, SANS Institute Research Director Allan Paller noted the growing attacks against application flaws, and made the controversial statement that security had been set back nearly six years in the last 18 months.

Despite the rising mountain of security holes in AV software, media players and IM programs, security professionals at this week's Infosecurity Conference & Exhibition say the state of IT vulnerability management is far from bleak.

During a panel discussion on vulnerability management Thursday, speakers noted that while the bad guys are finding new vulnerabilities to exploit, the good guys are getting better at quickly patching their most critical systems. They're also getting better at scanning for trouble when vulnerabilities are announced.

The best evidence, perhaps, was this summer's Zotob attack against the Plug and Play vulnerability in Windows. The attack hit many organizations and gained wide media attention. But when panelists and attendees were asked to raise their hands if Zotob had a major impact on their networks, no one did.

"Intelligence and early warning is key for something like that," said Larry Brock, CISO for Wilmington, Del.-based DuPont. "Once a vulnerability is announced, we really track it to see if any exploits are out."

Zotob exploited a flaw that Microsoft announced on "Patch Tuesday" Aug. 9. By that Thursday, Brock's department had done enough intelligence gathering to know there was a significant threat. "We declared an emergency that Thursday and patched through the weekend," Brock said.

The panelists agreed early warning systems and a process to prioritize which patches to deploy first have made a big difference. So has user education.

"We scan during, after and prior [to a vulnerability announcement]," said George Llano, senior director of information security for New York-based Viacom Inc. "Patches are tested instantly. But we also have implemented a lot of user education on what's out there and what's coming. User education is a form of patching."

Despite the successes, security professionals acknowledged that many hurdles remain. For one thing, there's that increased focus of the digital underground on application vulnerabilities like those outlined in the SANS Top 20.

Gerhard Eschelbeck, CTO of Redwood Shores, Calif.-based Qualys Inc., also noticed a growing trend toward application-based attacks in his latest "Laws of Vulnerabilities" research, which he unveiled at last month's CSI 32nd annual Computer Security Conference.

Recapping his findings, Eschelbeck said this year's data on vulnerability "half-life" -- the length of time it takes users to patch half of their systems -- shows organizations are patching critical vulnerabilities in outward-facing systems within an average of 19 days, two days faster than last year and 11 days faster than in 2003. He said progress is being made on inward-facing systems as well, with the half-life of critical vulnerabilities there dropping to an average of 48 days, two weeks sooner than in 2004.
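As an added illustration, not taken from the article or from Qualys's own research, the following shows how the half-life metric described above can be computed from a series of vulnerability scans. The scan histories are constructed; the external series is chosen so that it reproduces the 19-day figure quoted here, and the internal series shows the case where half of the hosts have not yet been patched.

```python
from datetime import date
from typing import List, Optional, Tuple

# Constructed scan history for one critical vulnerability: (scan date, hosts
# still found vulnerable). The first entry is the disclosure date, when every
# affected host is still unpatched. These numbers are made up for illustration.
EXTERNAL_SCANS: List[Tuple[date, int]] = [
    (date(2005, 8, 9), 400),    # day 0: disclosure
    (date(2005, 8, 23), 260),   # day 14
    (date(2005, 8, 30), 176),   # day 21
]

# Constructed internal-network series where the halfway point is not reached yet.
INTERNAL_SCANS: List[Tuple[date, int]] = [
    (date(2005, 8, 9), 1000),
    (date(2005, 8, 23), 900),
    (date(2005, 8, 30), 820),
]


def half_life_days(scans: List[Tuple[date, int]]) -> Optional[float]:
    """Days after the first scan at which the vulnerable-host count first
    drops to half of its initial value.

    Scans are point-in-time samples, so the crossing is estimated by linear
    interpolation between the two scans that bracket the halfway point.
    Returns None when no scan has yet reached the halfway point.
    """
    if not scans or scans[0][1] <= 0:
        raise ValueError("need at least one scan with a non-zero initial count")
    start, initial = scans[0]
    target = initial / 2
    prev_day, prev_count = 0, initial
    for when, count in scans[1:]:
        day = (when - start).days
        if count <= target:
            # prev_count > target >= count here, so the divisor is positive.
            frac = (prev_count - target) / (prev_count - count)
            return prev_day + frac * (day - prev_day)
        prev_day, prev_count = day, count
    return None


if __name__ == "__main__":
    print("external half-life (days):", half_life_days(EXTERNAL_SCANS))
    print("internal half-life (days):", half_life_days(INTERNAL_SCANS))
```

A series that never reaches its halfway point is the signal Brock describes later in the article: a vulnerability that lingers, or resurfaces on newly built hosts, rather than decaying.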

At the same time, he said, more than 60% of the most recent quarter's vulnerabilities were client-side, meaning they affected specific applications such as Internet Explorer and Adobe Acrobat or software plug-ins like Macromedia Flash. "There's a significant shift from server-side vulnerabilities to the client side," he said, adding that the digital underground is shifting in that direction because "there is still a lot of low-hanging fruit out there."

In the next year or so, he expects even more client-side vulnerabilities to surface. He also predicted that 4% of each year's vulnerabilities will have an infinite lifespan.

Brock pointed out another problem IT shops must watch out for: vulnerabilities that refuse to die even after patches have been deployed. "We certainly patch aggressively, but for some unexplained reason some vulnerabilities come up again," he said.

One theory is that the flaws reappear when a new machine is brought online. He said vulnerabilities have not resurfaced on machines that were patched.

The bottom line, Brock said, is to never assume a vulnerability is gone forever once its patch has been deployed. Since new machines are often brought into the network, he said IT professionals must remain vigilant.

Llano also cautioned that the vulnerability landscape isn't the same for every company, especially one like Viacom, which includes such entertainment networks as MTV and Nickelodeon.

"There are different extremes for us," he said. "Something we see on the MTV side isn't necessarily something we see on the Nickelodeon side. It's a more spontaneous vulnerability landscape."

The panelists said that in the end, the best IT shops can do is keep a careful eye out for new vulnerabilities, scan for exploits constantly and make sure the patches deployed first are those that will protect the most critical systems.

Eschelbeck noted that 90% of vulnerability exposure is caused by a mere 10% of critical vulnerabilities. Therefore, he said, "Eliminate 10% of the critical flaws and you wipe out 90% of your vulnerability exposure."