WINDOWS DESKTOP SECURITY TIPS

Underlying causes of inconsistent patch management


Kevin Beaver, Contributor
10.14.2009


Don't you hate it when you have a good system and you think everything is running fine, and then you're dinged on a security assessment report for a gap? Or worse, what if your organization experiences a security breach? Few things dampen the spirit more than having someone point out a flaw you thought couldn't exist.

This occurs quite often with patch management. Finding a missing patch or two is as predictable as urban sprawl.

But I'm not just finding new patches that administrators haven't had a chance to install; I'm finding unnoticed patches that are 1, 2 and sometimes 5 years old. Furthermore, this is happening in environments where patch management is taking place.

When I come across missing patches, I hear things like, "Oh yeah, I forgot about that system," "We're about to take that system offline," "That's not a critical server," and (my favorite), "My users wouldn't know how to exploit something like that anyway."

It is true that many patched flaws aren't easily exploitable. However, the unapplied patches I've found are often the very ones that fix major flaws in Windows, like those addressed by the MS08-067 and MS05-039 security bulletins. Both have working exploit modules in the free Metasploit Framework.

The result is that anyone with network access to the system (no Windows logon is needed) can exploit such a vulnerability in a matter of minutes and gain remote access at the SYSTEM level, which is full administrative control of the machine, as shown in Figure 1.

Figure 1: Using Metasploit to exploit a missing patch.

Once a remote command prompt is established, the rogue user can set up backdoor user accounts, delete files and run programs.

If a missing patch is exploited like this, you probably won't find out about it until it's too late -- if ever.

So why do these gaps in the patching process still exist, especially if you're using a patch management tool?

Anything is possible, but the problem is likely related to one of the following:

  1. Certain systems were offline during the patch cycle and have not synced with the update server since.
  2. Someone intentionally or inadvertently declined or ignored a specific patch in the patch management tool.
  3. The right system-monitoring tools, which provide insight into current patch status, are missing.
  4. Not enough time was dedicated to the patch management process.
  5. Security checks and vulnerability scans, which could point out these gaps in a heartbeat, were run inconsistently.

You must close such gaps in your network's patch management and change management processes. The problem is simple to ignore, and the consequences are dire, but there is a simple fix.

To ensure the security of your environment, you should do the following:

  1. Review your patching process and your patch management configurations on both the server side and the workstation side.
  2. Periodically run a vulnerability scanner such as QualysGuard or GFI LANguard, and compare what it finds against what the patch management tool claims is installed; the two will disagree exactly where the gaps are.
  3. Dedicate time each month to ensure that all of your Windows systems are current.
  4. If it comes down to it, step back and look at the bigger picture with your security documentation and processes, and verify that all the right people are communicating with one another.
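As an added example, not code from Beaver's article: a small Python script that performs the cross-check in step 2 above and flags each of the five causes listed earlier. It reconciles an export from the patch management console against findings from an independent vulnerability scan and reports hosts with stale check-ins (offline during the cycle), declined patches, hosts one tool knows about and the other doesn't, and patches that have been missing for months or years. The hostnames, dates and column names are constructed sample data and assumptions about what such tools export, not any vendor's real format; MSyy-nnn is a placeholder for a bulletin released in the current cycle, not a real bulletin number.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export from a patch-management console. The column
# names are assumptions for this example, not any vendor's real format.
PATCH_TOOL_CSV = """hostname,last_checkin,declined_patches
FS01,2009-10-13,
DB02,2009-06-03,
WEB03,2009-10-13,MS08-067
LAB04,2009-10-12,
"""

# Constructed sample findings from an independent vulnerability scanner.
# "MSyy-nnn" is a placeholder for a bulletin released this cycle, not a
# real bulletin number. MS08-067 and MS05-039 are the bulletins named in
# the article, listed with their release dates.
SCAN_CSV = """hostname,missing_bulletin,bulletin_released
FS01,MSyy-nnn,2009-10-13
DB02,MS08-067,2008-10-23
WEB03,MS08-067,2008-10-23
OLDBOX05,MS05-039,2005-08-09
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_patch_gaps(patch_rows, scan_rows, today, cycle_days=30, age_days=90):
    """Cross-check patch-tool state against scanner findings.

    Returns a dict keyed by gap type; each value is a sorted list of
    (hostname, detail) tuples:
      stale_checkin - managed host has not contacted the patch server
                      within one patch cycle (offline during the cycle)
      declined      - a patch was explicitly declined/ignored for the host
      unmanaged     - scanner sees a host the patch tool does not manage
      unscanned     - patch tool manages a host the scanner never covered
      old_missing   - a missing patch older than age_days (the one-to-five
                      year leftovers the article describes)
    """
    gaps = {k: [] for k in ("stale_checkin", "declined", "unmanaged",
                            "unscanned", "old_missing")}
    managed = {r["hostname"]: r for r in patch_rows}
    scanned = {r["hostname"] for r in scan_rows}

    for host, r in managed.items():
        last = date.fromisoformat(r["last_checkin"])
        if today - last > timedelta(days=cycle_days):
            gaps["stale_checkin"].append((host, f"last check-in {last}"))
        # declined_patches is a ';'-separated list; empty string means none
        for bulletin in filter(None, r["declined_patches"].split(";")):
            gaps["declined"].append((host, bulletin.strip()))
        if host not in scanned:
            gaps["unscanned"].append((host, "no scanner coverage"))

    for r in scan_rows:
        host, bulletin = r["hostname"], r["missing_bulletin"]
        if host not in managed:
            gaps["unmanaged"].append((host, bulletin))
        age = (today - date.fromisoformat(r["bulletin_released"])).days
        if age > age_days:
            gaps["old_missing"].append(
                (host, f"{bulletin} missing {age} days after release"))

    return {k: sorted(v) for k, v in gaps.items()}


def report(today=date(2009, 10, 14)):
    """Run the reconciliation over the sample data and return the gaps."""
    return find_patch_gaps(parse_csv(PATCH_TOOL_CSV), parse_csv(SCAN_CSV), today)


if __name__ == "__main__":
    for kind, items in report().items():
        print(f"{kind}:")
        for host, detail in items:
            print(f"  {host:10} {detail}")
```

On the sample data the script flags DB02 as stale (no check-in since June) and as missing MS08-067 for almost a year, WEB03 as having MS08-067 declined, LAB04 as never scanned, and OLDBOX05 as a host the patch tool has never heard of but which the scanner found missing a 2005 patch. Every one of those corresponds to an excuse quoted earlier in the article; the point of running the two data sources against each other is that neither tool on its own would have shown the gap.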

Once you get your arms around this, it'll make the jobs of people like me less exciting, but that's fine -- we're in this to help you make your business become more secure.

ABOUT THE AUTHOR:   

Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


Copyright 2008 - 2009, TechTarget