We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.
Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.
Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!
Keep in mind that Microsoft self-certifies vulnerabilities, and have a fairly easy to follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.
If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later, five of which were rated as critical. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?
When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.
If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.
At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.
To create this baseline we use three different measurements; vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we can get a much better understanding of the risk a vulnerability really poses.
My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.
Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.
Robert Brown is Director of Services at Verismic
Originally published on IT Security Guru