Saturday, December 14, 2019

Vulnerabilities and Patches

I am often involved in various discussions and hear frequent concerns about vulnerabilities on an organization’s computers.  This is a regular discussion topic at some of the meetings I attend, and I am frequently asked about the differences between patches and vulnerabilities.

What are they? Why are there so many?  If we are always deploying patches, why does this number seem to not be improving? If my computer is only missing one patch, why does it still have 76 vulnerabilities?!

In order to answer these questions, it is important to first understand the difference between a patch and a vulnerability. The short story is that a patch typically addresses one or more vulnerabilities. The vulnerability is the “hole,” and the patch is the “fix.” 

But a vulnerability is not necessarily remediated by applying a patch.  A patch is one or more vulnerability remediation items all rolled up into a single package that can be deployed by your centralized patch management system or manually installed.  A vulnerability is a description of a single “weakness” that presents a specific flaw in operating systems, software products, or configuration items.  While deploying a single patch fixes many vulnerabilities on a single computer, a vulnerability is usually remediated by applying a single patch or adjusting a configuration setting to a computer. 

More Specific Definitions: 

  • Patch: This is typically a software update for the operating system or for a software product installed on a computer. In a given month, we will typically see various patches for the Windows Operating System, the Internet Explorer Web Browser, and products such as Microsoft Office, Firefox, Chrome, or Adobe Acrobat. A patch is an update that remediates one vulnerability or several. Patches are rated by their severity in terms of how much risk they present to the computing environment and how quickly they should be applied. Patches are normally rated as Critical, Important, Moderate, or Recommended. Security patches usually fall into the Critical, Important, or Moderate ratings, while patches that fix a non-security “bug” or add additional functionality are usually “Recommended,” and are only applied if a particular problem exists.
  • Vulnerability: A vulnerability is a much more granular way to describe a single weakness in operating systems, software, or configurations. Where a patch is an update that addresses several vulnerabilities, a vulnerability, in contrast, is a single security weakness. Vulnerabilities are identified by what is known as a “CVE,” which stands for Common Vulnerabilities and Exposures. These are identifiers assigned to vulnerability items, or potential vulnerability items, in software components such as operating systems or productivity products. A vulnerability may be mitigated by applying a patch. A vulnerability might also be mitigated by adjusting a configuration setting, such as turning off Bluetooth or applying a setting to the Windows Firewall on a computer. Vulnerabilities are rated by the severity of the weakness they describe, using a scoring system known as the CVSS (Common Vulnerability Scoring System). A CVSS score of less than 4 means that the vulnerability severity is Low. A CVSS score of 4 – 6.9 means that the vulnerability severity is rated as Medium. And a CVSS score of 7 – 10 means that the vulnerability severity is rated as High.


Vulnerabilities versus Patches Example:  

Let’s look at a recent patch released by Adobe – the Adobe Acrobat 11.0.16 update. When the Adobe Acrobat 11.0.16 update was released, it provided remediation for 76 different CVEs that were rated as HIGH in the CVSS scoring system. After deploying this patch to the 9,000 computers that needed the update, and then analyzing the residual vulnerabilities a few days after the deployments started, we found that 7,500 computers had received the patch, but 1,500 computers were still missing this specific patch. In patching terms, we are showing 83% patched for Adobe Acrobat 11.0.16, which is pretty good progress after only a few days. In a vulnerability report on this same day, however, we would show over 120,000 High CVSS vulnerabilities. This ONE MISSING PATCH on those 1,500 computers (17% of the total number of computers needing the patch) accounts for 114,000 vulnerability line items (1,500 computers × 76 CVEs) of the approximately 120,000 on the report. That single patch accounted for approximately 95% of the total CVSS High vulnerability items on the report that day. So even though the patch deployment effectiveness was progressing well to that point, the number of total HIGH vulnerabilities remaining on our computers was still very large.
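The arithmetic behind this example, written out as a small script (an added example, not code from the original post): a patch-report view counts hosts, while a scanner-report view counts (host, CVE) pairs. The fleet, the two filler patches and the per-CVE scores are constructed to reproduce the figures above; host and filler patch names are assumptions.

```python
"""Added example (not from the original post): why a patch report and a
vulnerability report disagree. A patch is counted once per host; a scanner
emits one line item per (host, CVE), so one missing patch bundling 76 HIGH
CVEs appears 76 times per host. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass, field

def cvss_severity(score):
    """Qualitative rating using the bands given in the post."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

# CVSS base scores of the CVEs each patch remediates (constructed). The 76
# HIGH scores for Acrobat match the post; the other two patches are filler.
CVES_PER_PATCH = {
    "Adobe Acrobat 11.0.16": [9.3] * 76,
    "Windows cumulative (constructed)": [7.8] * 12 + [5.0] * 4,
    "Firefox update (constructed)": [8.8] * 8 + [4.3] * 2,
}

@dataclass
class Host:
    name: str
    needs: set = field(default_factory=set)    # patches applicable to this host
    missing: set = field(default_factory=set)  # applicable patches not installed

def build_sample_fleet():
    """9,000 hosts need Acrobat and 1,500 still lack it (the post's figures);
    300 hosts each also lack one of the two filler patches."""
    acrobat = "Adobe Acrobat 11.0.16"
    hosts = [Host(f"pc{i:05d}", {acrobat}) for i in range(9000)]
    for h in hosts[:1500]:
        h.missing.add(acrobat)
    for start, patch in ((1500, "Windows cumulative (constructed)"),
                         (1800, "Firefox update (constructed)")):
        for h in hosts[start:start + 300]:
            h.needs.add(patch)
            h.missing.add(patch)
    return hosts

def patch_coverage(hosts, patch):
    """Patch-report view: (hosts needing the patch, hosts that have it, percent)."""
    needed = [h for h in hosts if patch in h.needs]
    patched = [h for h in needed if patch not in h.missing]
    return len(needed), len(patched), round(100 * len(patched) / len(needed), 1)

def vulnerability_line_items(hosts, severity="High"):
    """Scanner view: one line item per (host, CVE) at the given severity,
    grouped by the patch that would close it."""
    cves_of = {p: sum(cvss_severity(s) == severity for s in scores)
               for p, scores in CVES_PER_PATCH.items()}
    items = Counter()
    for h in hosts:
        for patch in h.missing:
            items[patch] += cves_of[patch]
    return items

def largest_gap(items):
    """Which single patch drives the most open line items, and its share."""
    patch, count = items.most_common(1)[0]
    return patch, count, round(count / sum(items.values()), 3)

if __name__ == "__main__":
    fleet = build_sample_fleet()
    print("coverage:", patch_coverage(fleet, "Adobe Acrobat 11.0.16"))
    print("open HIGH line items:", largest_gap(vulnerability_line_items(fleet)))
```

Running it reproduces the post's two views of the same day: 83.3% patched for Acrobat, yet 114,000 of 120,000 open HIGH line items (95%) traced to that one patch.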


What You Can Do: 

There are a variety of things to keep in mind in the vulnerability and patching arena.  First of all, patch management is a moving target at best.  Try not to get too wrapped around the axle on raw numbers.  But here are some things you can do to help those numbers and to help make your analysis more meaningful:
  • If you are using a centralized patch management system, such as Lumension, Tivoli, or SCCM/WSUS, ensure that your centralized patch management agents are installed and running properly.
  • Some organizations have a large number of people who telework or work in the field and therefore connect infrequently. Ensure that your end users connect their computers to your network or VPN regularly to get patches and report their patch status. Not only is it important to connect regularly in order to receive scheduled patches, but it is also important that they stay connected long enough to receive patches, which are rather large in some cases. This is also necessary in order for the agents to regularly and accurately feed information up to the patch management system servers, which in turn helps to make sure that the data pulled for reports is the most current and accurate.

  • Ensure that only needed products are installed on your computers. As was seen in the example above, Adobe Acrobat accounted for the majority of the vulnerabilities on our computers. But when I perform software usage analysis, I often see that many instances of Adobe Acrobat are not even used by the users on whose computers it is installed. If the product is not needed, then don’t install it.

Patching and vulnerability management are vital processes in any organization’s overall cyber-security program. Ensuring that all security software is installed and running is vital to this process. Make sure that computers are receiving their patch updates, and that unnecessary software and services are not running on computers. Performing regular patching is important, but so is doing meaningful follow-up analysis. Find out where your holes are, find out what the "plugs" are for those holes, prioritize the weaknesses, and get 'em fixed!

Saturday, November 16, 2019

Staying Current With Cybersecurity Issues & Technologies

"How do YOU stay current in this field..." is one of the questions I have been asked in job interviews, and that I have asked others when interviewing for positions in my organization.  And as I used to tell my students when I was teaching at a tech school: "Your knowledge and skills will be obsolete three months after you leave here unless you stay current and engage in life-long learning."

Cybersecurity is a very rapidly evolving and ever-changing field. Whether you are a currently employed and practicing cybersecurity professional, just starting out on your road to cybersecurity education, or looking for a career change, one of the things you will find absolutely vital is staying current and informed about the latest threats and new cybersecurity technologies. Continuously absorbing new information and making life-long learning a purposeful journey will help you to explore the world of cybersecurity and learn many new things.

The amount of information out there is overwhelming, to be sure.  But life-long learning is a steady journey that can be taken a step at a time. Take it slow and remember that you won't be able to digest everything at once.  Pick a niche or two within cybersecurity, and concentrate efforts in the areas that interest you.  Don't try to become an "expert" in everything all at once.

Some things you can do:
  • Listen to daily podcasts and read daily professional journal articles.
      
  • Subscribe to listservs and alerts such as PatchManagement.org, SANS, or US-CERT.

  • Join a local chapter of a group such as ISSA, ISACA, ISC2, or CompTIA.

  • Form a local group through social media sites such as Facebook or Meetup.

  • Take low-cost or free training from FedVTE, Udemy, the ICS-CERT Virtual Learning Portal, and your organization’s computer based training system.

  • Some of the local groups mentioned above often have many training opportunities.

  • Volunteer to give training at one of the local groups above.  This will force you to more thoroughly research and present on a topic.

  • Earn certifications that force you to constantly stay current by getting Continuing Education Units (CEUs) in order to maintain the certification.

  • If you’re an advanced practitioner in the field (yes, we need to stay current as well), seek opportunities to do some adjunct teaching at the junior college or university level.

  • Mentor someone or ask someone to mentor you.


The cybersecurity field is a huge and rapidly growing field, and there are way too many available resources for me to mention here.  But some of these links and resources will hopefully give you some ideas and pique your interest to search and pursue (or as I used to do with my students – send them on “Seek and Destroy” missions to find information).  Again, and as I often told my students: your knowledge and skills will be obsolete in a very short time unless you stay engaged and pursue life-long learning.  Excellence in this field is not a destination but an on-going journey.


Resources:

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
https://ics-cert-training.inl.gov/learn

Five Essential Cybersecurity Podcasts for IT Professionals:
https://www.techrepublic.com/article/five-essential-cybersecurity-podcasts-for-it-professionals/

Information Systems Security Association:
https://www.issa.org/

PatchManagement.org ListServ:
http://www.patchmanagement.org/

SANS Internet Storm Center:
https://isc.sans.edu/

United States Computer Emergency Readiness Team (US-CERT):
https://www.us-cert.gov/

National Initiative for Cybersecurity Careers and Studies (NICCS):
https://niccs.us-cert.gov/

IBM Security Intelligence:  How to Stay Up-to-Date on Security Trends:
https://securityintelligence.com/how-to-stay-up-to-date-on-security-trends/

FEMA Emergency Management Institute:
https://training.fema.gov/is/



Saturday, August 17, 2019

Security Patch Management Programs

Having an established and well-organized patch management program is absolutely vital in helping an organization maintain good system hygiene and a strong cybersecurity posture. Well-developed procedures, robust deployment and monitoring tools, good analysis methodologies, and precise documentation will go a long way towards enabling an organization to achieve and maintain a healthy information security posture.

Centrally managed patching systems, such as Lumension Security, IBM BigFix, and Microsoft System Center, are a big part of this process, but those systems are but one of the types of tools that will facilitate effective patch management.  Unfortunately, this tool is not a “set it and forget it” type of deal.  The organization also needs to have a good change management program and a good program for performing meaningful risk assessments.  Processes and tools for regular status reporting, patch status analysis, and a vulnerability scanning program to evaluate and confirm that security patches and updates have been applied will be key to providing verification and validation for the patch management program as well.

A patching and vulnerability management program will serve as a vehicle for tool and process organization and will help to maintain consistency and standards-based compliance methodologies. In my organization (we are a large enterprise), we have what is known as a Patching and Vulnerability Working Group (PVWG) that meets regularly to discuss patching and vulnerability issues and updates about newly released patches, to prioritize patches and deployment timing, and to review lessons learned from previous patch deployment cycles. We also conduct training in report analysis and tool usage. This PVWG is made up of IT specialists who represent the different business groups in the organization as well as members of the patching team, change advisory board, vulnerability scanning team, the information assurance team, and other customer support people. We meet at least monthly, and more frequently if there are any emergent patching issues that need to be discussed.

As for the patching process itself, having a defined schedule of events will help to ensure that all aspects of the patching program are always followed the same way. In my organization, we always follow some general timelines for our typical enterprise patching process, from the time that patches are released to actual deployment, including some activities that continue throughout the patching cycle.

The outline below lists the timelines for patch receipt and deployment for normal monthly patches received from the vendors. Out-of-band (emergency) patches typically undergo an expedited testing and deployment process.


  • Ongoing: Continually monitor US-CERT, the patchmanagement.org listserv, and other vendor notices for information about new patches.

  • Ongoing: Perform vulnerability scans on a regular basis.  

  • New Microsoft and other vendors’ patches are usually released to the general public on the second Tuesday (2T) of each month.

  • 2T + 1 day: New patches are typically received by the subscription services on the organization’s centralized patching system servers.  (Note: In a large environment, it normally takes a few days for all computers to check in and be evaluated for patch applicability). 

  • 2T + 3 days: Testing on non-production desktop computers and test servers begins.

  • 2T + 6 days:  Pilot group production patch testing begins on selected pilot computers within the organization.

  • 2T + 9 days: Risk assessments are performed, testing issues are discussed and resolved, and patch deployment prioritization and timing recommendations are made to the Patch Management Team.

  • 2T + 9 days:  Patch Management Team submits Request for Change (RFC) using the organization’s established change management procedures.  (Note:  In my organization, this is considered a “standard” change that has already been preapproved by our change advisory board).

  • 2T + 10 days:  Patch Management Team sends broadcast messages to customers to announce patch deployments and any system outages that will take place.

  • 2T + 13 days: Begin deploying patches to the production environment.

  • 2T + 16 days: Deploy “Therapeutic Reboot” to all computers.  This helps clear what is known as a “dirty state” that computers are in when they receive patches but are not yet rebooted.  This also helps to put computers into a fresh state to help with better performance.

  • 2T + 28 +/- days: Analyze patch status and vulnerability scan reports to determine patching effectiveness and identify gaps.

  • 2T + 30 days: Patch Management Team adds patches from previous month to a mandatory baseline in the centralized patching system to ensure that computers that infrequently check-in can receive the required patches and updates.
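The schedule above as a small calculator, an added example that is not from the original post: it derives each milestone date from the second Tuesday of a given month and reports which phase of the cycle a given day falls in. Milestone labels are abbreviated from the list; the day offsets are the ones listed.

```python
"""Added example (not from the original post): turn the 2T-based patch
timeline above into concrete dates for a given month."""
import calendar
from datetime import date, timedelta

# (days after the second Tuesday, milestone), abbreviated from the list above.
MILESTONES = [
    (0, "Vendor patches released (2T)"),
    (1, "Patches received by centralized patching system"),
    (3, "Non-production testing begins"),
    (6, "Pilot group production testing begins"),
    (9, "Risk assessment; RFC submitted"),
    (10, "Broadcast deployment/outage notice"),
    (13, "Production deployment begins"),
    (16, "Therapeutic reboot deployed"),
    (28, "Analyze patch status and vulnerability scan reports"),
    (30, "Previous month's patches added to mandatory baseline"),
]

def second_tuesday(year, month):
    """Second Tuesday of the month (the usual vendor release day)."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)

def patch_schedule(year, month):
    """List of (date, milestone) for the cycle that starts in year/month."""
    tue = second_tuesday(year, month)
    return [(tue + timedelta(days=d), label) for d, label in MILESTONES]

def current_phase(today):
    """Most recent milestone reached on `today` (a date or ISO string), using
    the cycle that began with the latest second Tuesday on or before it."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    year, month = today.year, today.month
    if second_tuesday(year, month) > today:       # still in last month's cycle
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)
    reached = [(d, label) for d, label in patch_schedule(year, month) if d <= today]
    return reached[-1]

if __name__ == "__main__":
    for d, label in patch_schedule(2019, 12):
        print(d.isoformat(), label)
    print(current_phase("2019-12-14"))
```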


Smaller businesses are not necessarily going to have the resources or the need to have large change management programs, separate patching and vulnerability teams, or even an established working group. But being aware of new security patches, testing the patches to ensure that business processes are not broken by patch deployments, troubleshooting and resolving issues, and then regularly applying the patches are still crucial for a business of any size to maintain a secure computing environment. The smaller IT staffs will need to wear many hats in addition to their normal support functions, and patching/vulnerability management will need to be a high priority on their list.

A word about documentation: If you don’t document it, it didn’t happen. Also, if you don’t document it, it is more difficult to figure out what changes took place when business disruption issues need to be troubleshot. If you don’t document lessons learned, it is much more difficult to make meaningful improvements to the information security program. In the PVWG I mentioned above, for example, we always keep meeting minutes that contain lists of patches deployed, current patch statuses, and any break/fix issues that our members discuss. We also record lessons learned and new ideas for improvements. Patching status trend analysis is performed to help illustrate patching program performance. Not only do our patch status reports show statuses for individual patches, but also which patches are causing the largest gaps in our patching program. Documentation is also a key component in helping the organization conduct cybersecurity self-assessments, and it helps with evidence gathering for third-party audits.

Having an established patching program with consistent timelines and processes will help the organization to meet critical patching timelines. This will be crucial in ensuring that business processes are disrupted as little as possible while maximizing the organization’s security posture. An established working group that meets regularly to discuss security patching issues will help everyone stay informed about patch releases, risk analysis, testing results, and patch deployment effectiveness. And finally, documentation will ensure that the organization has accurate records of patching program activities, which will help illustrate the overall patching program’s performance and will also assist in any security self-assessments or audits later on.

Additional Resources:
NIST SP 800-40 Rev 3 “Guide to Enterprise Patch Management Technologies”
https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final

Patch Management Listserv:
http://www.patchmanagement.org/

United States Computer Emergency Readiness Team (US-CERT):
https://www.us-cert.gov/

ITL Bulletin: “Creating a Program to Manage Security Patches and Vulnerabilities: NIST Recommendations for Improving System Security”
https://csrc.nist.gov/publications/detail/itl-bulletin/2006/02/creating-a-program-to-manage-security-patches-and-vulnerabilitie/final

Saturday, July 20, 2019

Free Cybersecurity Training for Veterans


There is a tremendous shortage of skilled cyber-security professionals to fill the many cybersecurity and information assurance vacancies.  In fact, it was reported the other day that the cybersecurity workforce shortage has hit 3 million.  This puts businesses, large and small, at a huge risk for cyber breaches, regulation non-compliance, and privacy data exposures, all of which can lead to legal problems, fines, and even criminal charges.

https://www.foxbusiness.com/features/cybersecurity-worker-shortage-hits-3-million

Veterans, current federal, state, and tribal employees have a wonderful free resource to get started with training.  Visit the Federal Virtual Training Environment Portal to find out more:


I am also the new Membership Director for the Northern Colorado Chapter of the Information Systems Security Association (ISSA), and I would be glad to give you more information about this exciting field!

Saturday, June 29, 2019

Welcome to NoCo Cyber Security!


Welcome and thank you for visiting the NoCo Cyber Security Tech Blog! This is the place for all things cyber-security, from keeping your family safe online, to securing your home network, to doing risk assessments for small businesses, to deciphering the complicated NIST Risk Management Framework. This blog and the articles here will help you make sense of how Improving Critical Infrastructure Cyber Security applies to virtually all areas of our connected environment, and how to "bake in" your security program instead of sprinkling it on later.

I am also passionate (and concerned) about the fact that the cyber-security arena is a rapidly growing career field, but that there are not enough people with these skills to fill all the vacancies. This leaves many businesses with large gaps in their ability to secure their computing environment and mitigate critical risks.

The main focus of this blog, then, is to promote cyber-security awareness as well as promote educational, coaching, and mentoring opportunities for those wishing to enter the cyber-security arena.

If you are located in the Northern Colorado Front Range area, I will be happy to give you a presentation on the importance of cyber-security, and how you can quickly and easily assess your environment and get on the road to securing your information.  Some of the topics that I would be happy to present include:


  • Practicing Safe Computing at Home
  • Internet Security at Work
  • Improving Critical Infrastructure Cyber Security
  • Vulnerability and Patch Management
  • Cyber-Security Incident Response
  • Cyber-Security for Startups and Small Businesses
  • Securing Small Businesses

I welcome your input and look forward to some discussions about the world of cyber security!

Please visit my LinkedIn page to learn more about my background and experiences in cybersecurity:

https://www.linkedin.com/in/williamflinn/