There’s more to security risk management than just patching

With an increasing number of critical systems being placed within virtual environments, security is understandably a prime concern. Systems can be attacked, and valuable information and assets compromised. Vulnerability management systems are designed to address these issues. Vulnerability assessment is the process of identifying how exposed an infrastructure is to known vulnerabilities, which remain one of the biggest threats to any network today. The findings are then ranked and prioritized by risk, to show the current security position and to drive the remediation process.

A lot of focus in security risk management is quite rightly placed on the development of effective patching systems. However, there is more to security vulnerability management than simply patching.

‘Zero-day’ vulnerabilities are vulnerabilities that attackers, or the public, know about before the vendor has a patch available. Responsible disclosure is usually timed so that the advisory and the vendor patch appear together, so true zero-days are comparatively rare. However, a vulnerability may sometimes have been known about for many months with no vendor patch made available. It is also quite common for there to be a delay between a patch being released and that patch actually being applied, and during that window the vulnerability is just as exploitable as a zero-day.

For example, during a Krypsys penetration test the client was running Splunk, in which a vulnerability had been identified just a few days before. We were able to exploit this vulnerability and gain ‘root’ level command access to the system. From there it was a short step to gaining access to other devices on the network. This was a critical vulnerability that needed to be patched as a priority or, if it couldn’t be patched, mitigated in some other way, such as firewalling off the admin interface so that it is reachable only from a management network until a patch can be applied.

Patching policies: key weaknesses

There are two main weaknesses in patching policies. The first is relying on specific patching technologies (a single vendor’s update tool, for instance) that do not cover the whole gamut of software in use, so that anything outside their scope is left unmanaged. The second is a rigid process in which all patches are treated equally. In this latter case, the main threat is perceived as the impact on availability that a faulty patch may cause, so every patch is triaged through test to production and applied in pre-defined operational windows, which inevitably introduces delays that a critical, actively exploited vulnerability cannot wait for.

A sophisticated vulnerability management system needs to include an assessment of the risk and impact of each specific vulnerability, with patching or other remediation then applied, and a deadline set, in accordance with that risk rather than on a fixed schedule. Without this, your systems are open to compromise.
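As an added example (not code from the original post, nor a Krypsys tool), here is a small risk-based triage of scanner findings that does what the paragraphs above call for: it weights each finding by severity, exposure and exploit availability, sets a deadline by tier instead of treating every patch alike, and falls back to a compensating control such as firewalling the admin interface when no vendor patch exists. The exposure weights, tier thresholds, deadlines and the sample findings (including the Splunk host) are constructed assumptions for illustration.

```python
"""Risk-based triage of vulnerability-scanner findings.

Each finding is scored from its CVSS base score, how exposed the host is,
whether a public exploit exists and whether the flaw sits on an admin
interface. The score sets a remediation deadline by tier, and findings with
no vendor patch get a compensating control instead of waiting for one.
"""
from dataclasses import dataclass
from typing import List

# Exposure multipliers and tier thresholds are illustrative assumptions,
# not figures from any standard; tune them to your own environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.8, "management": 0.6}
TIERS = [  # (minimum score, tier, days to patch, days to mitigate)
    (9.0, "critical", 2, 1),
    (7.0, "high", 14, 7),
    (4.0, "medium", 30, 30),
    (0.0, "low", 90, 90),
]


@dataclass
class Finding:
    host: str
    software: str
    cvss: float             # CVSS base score, 0.0-10.0
    exposure: str           # "internet", "internal" or "management"
    patch_available: bool   # vendor patch exists at time of triage
    exploit_public: bool    # a working exploit is circulating
    admin_interface: bool   # the flaw is in an admin / management UI


@dataclass
class Decision:
    finding: Finding
    score: float
    tier: str
    action: str             # "patch", "mitigate" or "monitor"
    deadline_days: int
    note: str


def risk_score(f: Finding) -> float:
    """Combine severity with context; capped at 10.0 like CVSS itself."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.exploit_public:
        score += 1.5          # exploitation is no longer hypothetical
    if f.admin_interface:
        score += 0.5          # admin UIs usually yield root/OS-level access
    return round(min(score, 10.0), 1)


def decide(f: Finding) -> Decision:
    """Pick the tier for the score, then the action the patch situation allows."""
    score = risk_score(f)
    tier, patch_days, mitigate_days = next(
        (t, p, m) for floor, t, p, m in TIERS if score >= floor)
    if f.patch_available:
        action, days = "patch", patch_days
        note = ("emergency change outside the normal window"
                if tier == "critical" else "test-to-production in the next window")
    elif tier in ("critical", "high"):
        # No patch: do not wait for one. Reduce exposure now.
        action, days = "mitigate", mitigate_days
        note = ("firewall the admin interface so only the management "
                "network can reach it; re-check the vendor advisory daily"
                if f.admin_interface else
                "restrict network access to the host; re-check the vendor advisory")
    else:
        action, days = "monitor", mitigate_days
        note = "track the vendor advisory; re-triage if an exploit appears"
    return Decision(f, score, tier, action, days, note)


def triage(findings: List[Finding]) -> List[Decision]:
    """Highest risk first, so the queue is ordered by risk, not by arrival."""
    return sorted((decide(f) for f in findings),
                  key=lambda d: (-d.score, d.finding.host))


# Constructed sample input; no real CVEs or hosts are implied.
SAMPLE_FINDINGS = [
    Finding("splunk01", "Splunk Enterprise", 9.8, "internal", False, True, True),
    Finding("web01", "Apache httpd", 7.5, "internet", True, True, False),
    Finding("fs01", "Samba", 5.3, "internal", True, False, False),
    Finding("mgmt-sw01", "switch firmware", 8.8, "management", False, False, True),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_FINDINGS):
        print(f"{d.score:4.1f} {d.tier:8} {d.finding.host:10} "
              f"{d.action:8} within {d.deadline_days:2}d  {d.note}")
```

Run as a script, the unpatched, internally exposed Splunk host with a public exploit lands at the top of the queue with a one-day deadline to restrict its admin interface, while the patched-but-internet-facing web server gets a two-day emergency patch and the low-scoring file server waits for the normal window. The point is that the deadline and the action both follow from the score, not from a fixed patch cycle.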

If your business needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].