Patching: The Drive to Comply
By Chris Novak
According to the 10th Annual ICSA Labs Virus Prevalence Survey issued in April 2005, virus encounters increased by nearly 50 percent from 2003, with a rate of 392 encounters per 1,000 machines per month. The number of actual infections also increased, to a rate of 116 infections per month. The costs of these and other malicious exploits are reaching billions of dollars annually. With so much at stake, security requires a commitment of resources -- financial, human, and technological -- to an enterprise-wide security program. But with countermeasures already in place, what can businesses do to better safeguard networks impacted by these events? The answer is patch management.
Just four to five years ago, security wasn’t seen as something that could drive business and revenue; while it was a “nice to have” and may have saved organizations from incurring some liabilities, security didn’t make them profitable. As a result, patch management was primarily viewed by organizations as a tool for IT to reactively fix operational or functional problems that would arise - a "Band-Aid" approach to bug fixes. Organizations were typically focused on vulnerability assessments; the strategic impact of patch management as a compliance asset wasn’t recognized.
However, as computer and networking growth surged, malicious users found that organizations' lack of patching left easy, and often trivial, targets. Statistics from law enforcement readily illustrate the growth of cyber-crime and cyber-terrorism linked to weak systems that had not been properly patched. According to the CERT Coordination Center, a center of Internet security expertise located at Carnegie Mellon University, “Most intrusions result from exploitation of known vulnerabilities, configuration errors or virus attacks where countermeasures were available, including most major Internet worm/virus events.”
Even as attacks relating to known vulnerabilities exploded, patch management was not yet on the radar at executive levels. However, this would soon change as a number of highly-publicized data security breaches would drive lawmakers and pundits to implement federal mandates on IT security and privacy compliance.
Talking Senior Management’s Language
Why the resistance to patch management at the non-IT executive levels? As any IT manager can tell you, patch management can have an unforeseen impact on downtime. The potential for systems outages and lost productivity is real and requires management to weigh the cost of a planned one-hour outage against the risk of a vulnerability taking the system down for a week. To combat this challenge, IT managers had to change how they spoke about patches -- making a business risk argument rather than security crying wolf.
As executives grew to understand the risks that inadequate patch management policies and strategies posed to the bottom lines and corporate reputations, senior management began to take notice. But, it was the drive for compliance that has had the greatest impact on making patch management a front runner topic in organizations from a management and financial standpoint.
Over the last few years, a number of regulations began driving compliance concerns and some, such as Sarbanes-Oxley and the Payment Card Industry (PCI) Security Standard (formerly VISA CISP and MasterCard SDP), have specific guidelines mandating patch management processes. As patch management is becoming recognized not only as an ongoing technical issue, but also as a business problem (and liability), governments and institutions are now formalizing compliance standards that specifically require validation of proper patch management policies and procedures. In turn, it has become one of the most critical business issues facing organizations today. Fortunately, compliance requirements have given teeth to IT managers by mandating a patch management policy, rather than putting them in the difficult position of selling it to executives in spite of strained budgets and resources.
IT managers now make the business case for patch management, quantifying the impact in terms of business, brand and financial value through the use of standard financial risk management language. Realizing that exploits of known vulnerabilities left unpatched have a measurable cost (i.e., this worm cost us $1.2 million in lost productivity and revenue), senior management has been more apt to examine strategies to improve patch management, particularly as it relates to ever-evolving compliance requirements.
The Compliance Landscape
Many of the standards that organizations face today have specific patch management language. For instance, PCI requires that security patches be installed within 30 days of release. Other compliance mandates in the past have been more aggressive, requiring patches to be applied “immediately.” However, as any IT manager knows, “immediately” is vague at best and difficult to adhere to, as there may be legitimate business reasons why a system has to remain online at any given period. The current trend is to specify either a maximum acceptable timeframe for patch application, or simply to specify that a defined, repeatable process must be in place for the effective application of system and application updates.
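The 30-day window and the documented business exceptions described above translate directly into a check an auditor can re-run. The following is an added example, not code from the article or from any PCI tooling: it classifies each (host, patch) pair in a small constructed inventory against a policy window, honours only exceptions that carry a ticket and have not expired, and emits fixed-field lines suitable for an append-only audit log. The record layout, field names and the sample hosts and patch identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum time allowed between vendor release and installation. The article
# cites PCI's 30-day window; treat this as a policy parameter, not a constant
# of the technique.
PATCH_WINDOW = timedelta(days=30)


@dataclass
class PatchRecord:
    """One (host, patch) pair from a patch inventory. Field names are assumed."""
    host: str
    patch_id: str
    released: date                           # vendor release date
    installed: Optional[date]                # None = not yet installed
    exception_ticket: Optional[str] = None   # approved business exception, if any
    exception_expires: Optional[date] = None # exceptions must be time-boxed


def evaluate(rec: PatchRecord, as_of: date) -> dict:
    """Classify one record against the policy window as of a given date.

    compliant : installed on or before the deadline
    late      : installed, but after the deadline (a past violation, still reported)
    pending   : not installed, deadline not yet reached
    exception : not installed, deadline passed, covered by an unexpired ticketed exception
    overdue   : not installed, deadline passed, no valid exception
    """
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        status = "compliant" if rec.installed <= deadline else "late"
        days_over = max((rec.installed - deadline).days, 0)
    elif as_of <= deadline:
        status, days_over = "pending", 0
    else:
        days_over = (as_of - deadline).days
        has_exception = (
            rec.exception_ticket is not None
            and rec.exception_expires is not None
            and as_of <= rec.exception_expires      # expired exceptions do not count
        )
        status = "exception" if has_exception else "overdue"
    return {
        "host": rec.host,
        "patch_id": rec.patch_id,
        "deadline": deadline.isoformat(),
        "status": status,
        "days_over": days_over,
        "exception_ticket": rec.exception_ticket if status == "exception" else None,
    }


def audit(records, as_of):
    """Evaluate every record; order is preserved so reports are reproducible."""
    return [evaluate(r, as_of) for r in records]


def summarize(findings):
    """Count findings per status for the management-level view."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


def audit_lines(findings, as_of):
    """Fixed-field lines for an append-only audit log (one line per record)."""
    return [
        f"{as_of.isoformat()} host={f['host']} patch={f['patch_id']} "
        f"deadline={f['deadline']} status={f['status']} days_over={f['days_over']}"
        + (f" exception={f['exception_ticket']}" if f["exception_ticket"] else "")
        for f in findings
    ]


# Constructed sample inventory: hostnames, patch IDs and tickets are made up.
SAMPLE_RECORDS = [
    PatchRecord("web-01", "KB-0001", date(2005, 3, 1), date(2005, 3, 10)),
    PatchRecord("web-02", "KB-0001", date(2005, 3, 1), date(2005, 4, 15)),
    PatchRecord("auth-01", "KB-0001", date(2005, 3, 1), None),
    PatchRecord("db-01", "KB-0001", date(2005, 3, 1), None, "CHG-4711", date(2005, 5, 31)),
    PatchRecord("db-02", "KB-0002", date(2005, 4, 20), None),
    PatchRecord("app-01", "KB-0001", date(2005, 3, 1), None, "CHG-0099", date(2005, 4, 15)),
]
AS_OF = date(2005, 5, 1)

if __name__ == "__main__":
    findings = audit(SAMPLE_RECORDS, AS_OF)
    for line in audit_lines(findings, AS_OF):
        print(line)
    print(summarize(findings))
```

Two design points matter for an audit: a patch installed after the deadline is reported as "late" rather than silently folded into "compliant", so the history of violations survives, and an exception only counts while its ticket is unexpired, so a system kept online for a legitimate business reason must be re-approved rather than forgotten (app-01 in the sample shows an exception that has lapsed back to "overdue").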
The compliance requirements are further complicated by industry-specific mandates that impose an additional burden, including the Federal Energy Regulatory Commission (FERC) for the energy industry, HIPAA in healthcare and VISA’s Cardholder Information Security Program (CISP) for retail organizations. These requirements do not fall solely on the shoulders of large enterprises that may be better equipped to understand them; they also fall on small and medium-sized businesses that may not have the finances or expertise to fully understand patch management and deploy an effective security strategy.
In the midst of this challenging landscape, it’s no wonder that many organizations are throwing their hands in the air and finding themselves at a loss as to how to comply. They may have lingering doubts about the importance of a patch management strategy, particularly if the mandates they are facing don’t call it out specifically. So how important is it?
Learning the Hard Way
One large West Coast merchant found out the hard way. In early 2004, the company uncovered a potential security breach that appeared to impact its payment-processing environment. This environment contained sensitive information ranging from bank account and credit card numbers, to customer names and in some instances, addresses and phone numbers. Basically, just enough information for a malicious user to commit financial fraud and identity theft.
The breach occurred to one of the main authorization routing servers and was the result of a worm infection that had spread from a perimeter Web server. The Web server was quickly identified, but only after it had sustained defacement that was reported by a customer. While a patch to protect against such an infection had been available to the public for more than six months, the organization did not have a comprehensive patch management solution to address its elaborate network environment and ensure that all critical systems were up-to-date. While the merchant had notified the proper authorities and affected customer base, the incident had caused significant financial damage, as well as seriously threatening the company’s brand and established customer trust.
Following the breach, the merchant's goal was to implement a revised security strategy and become compliant with the PCI Security Standard, which includes strict patch management controls. With an enterprise-wide patch management strategy in place, the organization also implemented an Intrusion Detection System (IDS), and within one month it was able to see actual reports of infection and exploit attempts against its Web servers that failed because current patch levels were maintained. Because the IDS lets the merchant see the attacks that are arriving, and the patch records show that the targeted hosts were already protected, the two together provide evidence of the patch management strategy's effectiveness that an IDS alert alone would not.
What Matters?
With clear evidence that patch management has a quantifiable business impact, compliance mandates in place and IT gaining the ear of senior management, what should organizations consider when implementing a comprehensive patch management solution?
I. Auditability
Many organizations have a procedure in place, but no formal policy to back it up and ensure implementation. In order to meet compliance requirements, patch management needs to be done in an auditable, formalized fashion.
II. Scalability
Patch management can be a time-consuming and resource-intensive process. As organizations evolve, whether growing or in some cases, consolidating, the approach needs to look at how it can be managed to support these changes to ensure that whatever is deployed today will work tomorrow, next month and next year.
III. Responsiveness with Multiple Regulations
Organizations need to look at compliance from multiple angles, requiring a strategy that complies with many different regulations. Point solutions that respond to specific regulations will be inadequate to meet growing compliance burdens the organization may face down the road.
IV. Cost
Cost is a factor in any purchasing decision. With patch management, organizations need to consider the resources that they will have to dedicate, and balance them against the cost. Forward-thinking organizations will find that patch management is an investment with a potential for continued savings over the life expectancy of the program, both in terms of future costs and liabilities. Organizations need to be strategic about how they implement the policies and devote resources, as the alternative is losses from downtime, exploited information and damage to brand reputation that, across industry, run to billions of dollars.
The Future of Patch Management
With organizations continuing to suffer financial losses and lost productivity as a result of virus activity and related mass exploits, patch management has proven to be a necessary tool both in achieving regulatory compliance and as a cost mitigation step. Ensuring that the latest software updates, particularly security updates, are applied quickly and consistently across the enterprise -- small, medium or large -- will become an increasingly important part of every organization’s enterprise-wide system management and security programs. As such, organizations should anticipate that as centralization and consistent application practices and policies grow out of sheer necessity, patch management can be expected to become an even more prevalent component of legislation; those compliance mandates that don’t contain specific language on it today likely will tomorrow.
What can be expected to change is the integration approach of the patch management controls, with tighter integration of change management and patch management processes tying the procedure to critical business processes to extend the benefits and ease the burden on IT staff. Organizations that approach compliance and patch management as components of a larger risk mitigation program will not only be better equipped to respond to evolving compliance burdens, but will also be better positioned to avoid attack and enhance their security posture, while reducing costs and freeing valuable IT resources to focus on bottom-line business results.
About the Author
Chris Novak is a Senior Security Consultant within Cybertrust’s Investigative Response Unit. He can be reached at chris.novak@cybertrust.com.