Don't you hate it when you have a good system and you think everything is running fine, and then you're dinged on a security assessment report for a gap? Or worse, what if your organization experiences a security breach? Few things dampen the spirit more than having someone point out a flaw you thought couldn't exist.
This occurs quite often with patch management. Finding a missing patch or two is as predictable as urban sprawl.
But I'm not just finding new patches that administrators haven't had a chance to install; I'm finding unnoticed patches that are 1, 2 and sometimes 5 years old. Furthermore, this is happening in environments where patch management is taking place.
When I come across missing patches, I hear things like, "Oh yeah, I forgot about that system," "We're about to take that system offline," "That's not a critical server," and (my favorite), "My users wouldn't know how to exploit something like that anyway."
It is true that many patches aren't easily exploitable. However, the unapplied patches I've found are often the very patches that fix major flaws in Windows, like those discussed in the MS08-067 and MS05-039 security bulletins. These flaws can be exploited easily using the free Metasploit tools.
The result is that anyone with a physical connection to your network (no Windows logon is needed) can exploit such vulnerabilities in a matter of minutes to gain full administrator-level remote access to a system, as shown in Figure 1.
Once a remote command prompt is established, the rogue user can setup backdoor user accounts, delete files and run programs.
If a missing patch is exploited like this, you probably won't find out about it until it's too late -- if ever.
So why do these gaps in the patching process still exist, especially if you're using a patch management tool?
Anything is possible, but the problem is likely related to one of the following:
- Certain systems were offline during the specific patch cycle, and they have not synched up with the updates.
- Someone intentionally or inadvertently selected ignore for a specific patch.
- There is a lack of the right system-monitoring tools, which provide insight into the current status.
- Not enough time was dedicated to the patch management process.
- Security checks and vulnerability scans that could point out these gaps in a heartbeat were inconsistent.
You must close such gaps in your network's patch management and change management processes. The problem is simple to ignore, and the consequences are dire, but there is a simple fix.
To ensure the security of your environment, you should do the following:
- Review your patching process and your patch management configurations on both the server side and the workstation side.
- Periodically run a vulnerability scanner such as QualysGuard or GFI LANguard.
- Dedicate time each month to ensure that all of your Windows systems are current.
- If it comes down to it, step back and look at the bigger picture with your security documentation and processes, and verify that all the right people are communicating with one another.
Once you get your arms around this, it'll make the jobs of people like me less exciting, but that's fine -- we're in this to help you make your business become more secure.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in October 2009