Get a glimpse inside the e-book "The complete patch management book" by Anne Stanton, president of Norwich Group, and Susan Bradley, Microsoft Small Business Server MVP. This series of book excerpts will help you navigate Chapter 1, "What is patch management?," courtesy of Ecora.
What is a patch?
Software refers to the instructions mechanical devices receive to process commands in a certain manner. Typically, developers write software to perform a process in a prescribed fashion. However, as with any product of human reasoning, it can rest on incorrect assumptions, and the software might not perform as intended.
As Bruce Schneier and Niels Ferguson state in Practical cryptography:
Most engineers have to contend with problems like storms, heat, and wear and tear. A bridge designer only has to worry about three threats -- water, gravity and wind. All of these factors affect designs, but their effect is predictable to an experienced engineer. (This is) not so in security systems. Our opponents are intelligent, clever, malicious and devious; they'll do things nobody had ever thought of before. They don't play by the rules, and they are completely unpredictable. That is a much harder environment to work in.
A software designer has to worry about threats from an unlimited number of vectors. This means that the network administrator must consider risks from those same threat vectors when analyzing a network's need for patches. Can the threats come from outside the organization, or only from inside? What attack method might exploit a particular flaw? In a later chapter, we discuss resources for determining these threat vectors.
Software flaws threaten an organization in various ways. The most critical give an attacker full rights to a system. Many of these flaws stem from buffer overflows. Traditionally, stack-based buffer overflows have been the largest category of security issues; they occur at places in the software where more data enters the system than the software asked for. If the software designer did not anticipate this, the system would "crash." Perpetrators target buffer overflows in processes running at an "administrative privilege" level, thereby forcing the system into "handing over the keys to the kingdom." When a patch bulletin indicates that the worst-case scenario is that the attacker can "run code of his choice," this is the equivalent of that person logging in to the system as administrator.
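The "more data enters than the software asked for" case described above is easiest to see in code. The following C example is added here and is not from the book: a fixed-size stack buffer filled by an unbounded strcpy, beside a hardened version that measures the input against the buffer's real size and rejects anything that would not fit. The names copy_bounded, handle_request_unchecked, handle_request_hardened and NAME_LEN are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer used by both versions (constructed example). */
#define NAME_LEN 16

/* Copy src into dst only if it fits, including the terminating NUL.
   Returns the number of bytes copied, or -1 if the input was rejected
   because it would not fit; dst is left empty in that case. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {          /* n + 1 bytes needed; refuse oversize input */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Vulnerable pattern: strcpy never learns how big 'buf' is, so a name longer
   than NAME_LEN - 1 characters writes past the end of the array and clobbers
   neighbouring stack data. Kept only for contrast; never reach it with
   untrusted input (nothing below calls it). */
int handle_request_unchecked(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);               /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened form: the copy is bounded by the buffer's real size, and oversize
   input is rejected with an error instead of being written past the end. */
int handle_request_hardened(const char *name)
{
    char buf[NAME_LEN];
    int n = copy_bounded(buf, sizeof buf, name);
    if (n < 0)
        return -1;                   /* caller treats this as a bad request */
    printf("hello, %s\n", buf);
    return n;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow NAME_LEN. */
    const char *ok = "alice";
    const char *too_long = "a-name-longer-than-fifteen-characters";

    printf("hardened(ok)       -> %d\n", handle_request_hardened(ok));
    printf("hardened(too_long) -> %d\n", handle_request_hardened(too_long));
    return 0;
}
```

The design choice worth noting is that the hardened version rejects rather than silently truncates: a truncated name may still be wrong data, while a rejected request is visible to the caller and can be logged.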
Software patches themselves are also threats. After each security bulletin release, even with the rigorous testing the vendors perform on the applications typically broken by previous security updates, issues still occur. The documentation accompanying a security update addresses any known issues likely to arise after the update is released. Remember that issues directly caused by security updates qualify for a no-charge support call. In the United States, call 1-866-PC-SAFETY. To resolve international issues, contact a local Microsoft office.
Testing patches (ensuring that they do not adversely affect systems and that they protect systems as intended) and applying them requires approval from management and may even require approval from critical line-of-business vendors. We discuss change management processes later, in detail. Nevertheless, you need adequate resources if these testing and applying processes and procedures are to work correctly.
Footnotes: Ferguson, Niels and Bruce Schneier. Practical cryptography. New York: John Wiley & Sons, Inc., 2003; "10-step emergency response plan for security attacks." Redmond, WA: Microsoft Corporation, 2004.