IT Reporting Isn’t Always Accurate

If you have yearly governance audits, you know how stressful it can be when your patch management tool provides inaccurate reports or evidence that auditors can use to fail your accreditation. Let’s explore several industry standards to compare the results of the toolset against the devices themselves, to see if there are conflicts or discrepancies—something you should know before your audit.

We will base our accreditation on an industry standard of PCI/DSS compliance. Any company which processes credit card information should conform to a level of PCI/DSS. The different levels of PCI/DSS are dependent on the size of the business or transactions processed by that business yearly.

Another critical thing to note—if a data breach occurs, the amount of compensation paid in the form of fines vary dramatically on that level. This is why companies that process billions of transactions a year must attain the highest level of PCI/DSS to safeguard their business.

Evaluating WSUS and Nessus Reporting

The two well-known patch management tools we will use in this review are Microsoft ‘WSUS’ and Nessus. Nessus uses the Tenable detection engine and is know as one of the industry “go to” tools for audit software.

We have a device installed with Windows 10 Enterprise (1903) and Windows Server 2012 R2, and several updates are needed on both systems. To create a baseline for comparison, we have used Syxsense to deploy all updates missing to the device, and have rebooted multiple times to ensure all updates have taken.

Windows 10 Enterprise | Feature Update 1903

1. Syxsense records no updates are needed.

2. Next we performed a full scan of the device using Nessus which uses the Tenable detection engine.

3. We did the same for WSUS and performed a full scan.

Windows Server 2012 R2

1. Syxsense records no updates are needed.

2. Next we performed a full scan of the device using Nessus which uses the Tenable detection engine.

3. We did the same for WSUS and performed a full scan.

4. We downloaded the binary from the Microsoft site and tried to install it manually.  You can see from the screen shot that the update reported by WSUS was not actually needed.

Examining the Results

We are most surprised that the patch management toolset, known globally as one of the best and most accurate detection toolsets, provided the most false positives against WSUS and Syxsense. If our customers were using this toolset alone, we can only imagine what issues they would have using these reports as evidence of compliance against PCI/DSS.

What should concern anyone using WSUS for their compliance needs is that WSUS reported an update was needed, but could not even be installed manually.

Many tools do not detect or correctly report patch supersedence (which is when a new patch makes the need for an old patch obsolete) and are showing that superceded patches are required and devices are non-compliant or vulnerable even though they are in-fact fully patched and complaint.

Can you imagine failing a PCI/DSS because of vulnerabilities which you were not even vulnerable for?

Leverage Syxsense Vulnerability Reporting

Over the few tests conducted, Syxsense proved to be the most consistently reliable at detecting the updates needed. If you are not using Syxsense for your vulnerability reporting, we recommend using multiple patch management toolsets to compare multiple sources. However, the penalty for failure for any breach could cost millions of dollars.

Additionally, Syxsense allows you to manage and secure vulnerabilities exposed by open ports, disabled firewalls, ineffective user account policies, and security compliance violations from remote workers. Gain visibility into OS and third-party vulnerabilities while increasing cyber resilience through automated patch management and vulnerability scanning.