The Challenge of Patch Management

Depending on where I travel and with which customers I talk, patch management is still the number 1 issue coming up. Not only is the challenge to deploy the updates – much worse, there is still an awareness issue in a lot of markets. People know that they should patch but too often do not do it – and if they do, well, there is no real process attached to it. Additionally, one of the issues I often raise publically is, that a lot of companies still focus on Microsoft products "only". I basically like it, when they keep "our" part of the infrastructure current but there is a lot more…

We all know that the base for any security in any infrastructure is to stay current – often not only on patches but on software versions as well. I guess we all agree on that. But it gets worse. What about firmware and BIOS? How will we be able to keep them current? What do we do with protocols that are flawed, which need a major migration?

The reason, why I come up with this is, that I read three articles this morning all going into this direction:

• Remember the DNS flaw discovered by Dan Kaminsky five years ago: Major DNS flaw could disrupt the Internet? It is basically a flaw in the DNS protocol and the mitigation would be to migrate to DNSSec. Now NIST published a study with the result that 5 years after major DNS flaw is discovered, few US companies have deployed long-term fix – in other words 76% of the US federal agencies, 1% of the US industry and 1% of the US universities have deployed DNSSec…
• You might have read about the UPnP vulnerability, which was published in the last few days? Well, 50 Million Potentially Vulnerable to UPnP Flaws… According to this article, Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. So, let's assume all these vendors publish a fix, a new firmware – do you have any way to deploy this firmware with reasonable efforts?
• Another one (again in the last few days): More Than A Dozen Brands Of Security Camera Systems Vulnerable To Hacker Hijacking.

And there are a lot of similar challenges. How do we handle such updates? How do we even find them? We have seen a lot of these issues recently in hardware and even in goods, which have computers embedded – like cars.

This is still a very, very manual thing and I have currently no idea how to address such challenges besides having a good inventory, and understanding of the business processes to do a proper risk assessment and then a process handling the security updates. What would be needed from your point of view?

My real fear is that we will see the attacks moving down the stack more broadly. If you can control the routers in a target's environment, well this would definitely be an interesting thing.

Roger