Improving enterprise security, one patch at a time

Security pre-advisories: A simple way to improve the patch management process

Patching is a fact of life for IT administrators. And, although it is essential to maintain security, keeping up with vendors’ patch release cycles is a challenge.

According to research by Ivanti, an IT asset and services management vendor, 71% of IT professionals find patching to be complex and time consuming. Worse still, from a security point of view, 62% said patching often has to give way to other priorities.

Yet despite the hassle caused by patching, some vendors are now starting to alert sysadmins to pending security releases, via pre-advisories.

The idea is to give security and IT administrators forewarning that a system or application will need to be patched or updated.

But the move has both proponents and detractors, with some industry players concerned that pre-advisories will help malicious hackers more than they help security teams.

Security pre-advisories: Advance warning for sysadmins

A standard security advisory is simply a notice to users of a system or software of a vulnerability. It describes the issue, lists any CVE IDs, and details the affected systems or projects.

For years, this standard format has served the industry well, allowing security teams to identify relevant vulnerabilities, prioritize fixes and, once patches are available, apply them.

But a growing number of vendors and open source project maintainers are moving towards pre-advisories, with the goal of giving IT teams, and other professionals, including pen testers, more notice of security vulnerabilities and when a patch might be available.


In some respects, Microsoft pioneered pre-advisories, with its regular Patch Tuesday releases – a pattern other large vendors have followed.

When used correctly, pre-advisories could move users away from the idea of patching on a specific day and potentially boost security by reducing the time it takes for an organization to implement important patches.

“Pre-advisories could help get us away from this notion of ‘timetabled’ patching that sees sysadmins make time in the diary on a specific day to patch,” Stuart Walker, senior consultant at Prism Infosec, a cybersecurity consultancy, told The Daily Swig.

“Yes, that allocates time but it also downplays the importance of patching, which is why it gets sidelined and forgotten.”

Walker added: “I’d like to think this approach [pre-advisories] will escalate patching up the security agenda so it becomes a much more immediate concern, so that patches are applied when and as needed.”

Save it for another day

Pushing patching up the agenda is certainly worthwhile as data breaches are all too often traced back to unpatched, and often older, systems. And it could put pressure on vendors to release CVEs, and patches, more quickly to reduce the number of zero-day, or near-zero-day (so-called ‘n-day’), vulnerabilities.

“In an ideal world, all security patches would be automatically deployed with no system downtime or impact. Unfortunately, that isn’t the case,” Todd Gifford, chief technology officer at Optimising IT, told The Daily Swig.

“So, their deployment needs to be managed like any other system change to minimise operational impact and balance security requirements.”

Gifford added: “In terms of out-and-out effective security improvement, [pre-advisories] won’t actually increase absolute security in terms of adding additional controls. But mitigating information security risk is why patching is fundamental to securing systems and data.

“Being able to plug a security hole with a patch sooner rather than later is a good thing, as it minimises the amount of time a known vulnerability is available for an attacker to exploit.”

Security advisories play an important role in the information security industry

According to Daniel Spicer, chief security officer at Ivanti, part of the problem is the speed at which threat actors can exploit unpatched vulnerabilities, which can be within hours of a vulnerability being disclosed.

“Organizations need time and tools to prioritize vulnerabilities to remediate and reduce exposure to cyber-attacks – particularly when time is of the essence,” he says, noting that pre-advisories can help by alerting users to the fact that a patch is coming (and how much downtime might be needed to deploy it).

At the same time, though, pre-advisories released by independent security researchers are putting pressure on vendors. And there are also those who believe that pre-advisories actually play into the hands of criminal hackers.

“Researchers are putting increased pressure on vendors to close vulnerabilities they find on their platforms,” Brendan Kotze, CDO and co-founder of Performanta, told The Daily Swig.

“Meanwhile, vendors have an almost unmanageable backlog of pre-advisories. This dilemma is causing increased friction between researchers and vendors, which seems to be playing into the hands of attackers, in some cases causing a media storm as researchers announce pre-advisories publicly, exposing unpatched vendors.”

In the wrong hands

The risk of pre-advisories giving more ammunition to bad actors appears obvious: learn of a vulnerability before there is a patch, and it can be exploited. If vendors give advance warning through pre-advisories, it could be argued that the risk is higher still.

Fortunately, most security researchers feel that the risk is small, or at least small enough to be outweighed by the benefits.

“While it’s true that public pre-advisories could allow attackers to exploit vulnerabilities, when a patch is released, an attacker can revert it to take advantage of any system that wasn’t suitably covered,” notes Kotze.


But although this is not impossible, the resources needed are significant, according to Prism Infosec’s Walker.

“If advanced notice of security advisories and patches fell into the wrong hands it would only be of use to extremely well-resourced attackers such as those financed via a nation state,” he says.

“They’d need access to dedicated exploit development teams that were able to turn something around within very tight timeframes and to have already identified their high value targets that were using that particular software.

“I’d argue that if you have that level of skill and know the window is closing, you’d be unlikely to devote your time and energy to exploiting something that you know was going to be patched really soon.”

As important, though, is the need to plan for software updates and maintenance, to head off security vulnerabilities as well as costs associated with aging systems.

“The biggest issue is getting the budget, resource and the political will to upgrade systems to current operating systems, let alone patching them routinely,” Sebastian Hope, a cybersecurity expert at PA Consulting, told The Daily Swig.

“Greater advance notice of the need for patching is not the real issue. What is needed is a commitment from the organization to resourcing the upgrades.”
