Applying Patches


The never-ending probes that reach our systems in an attempt to bypass perimeter defenses have taught us, the hard way, that we must take extreme care in making sure the host's applications and the underlying OS are patched on a timely basis. Vendors routinely release software patches to address vulnerabilities discovered during the lifetime of their software products. Keeping up to date with patches can be time intensive, but it is necessary in order to address the vulnerabilities before an attacker exploits them. At times, a serious vulnerability may be known, but the patch may not be yet available; you must be prepared to compensate for this exposure by temporarily adjusting other components of your security perimeter.

Tracking a System's Survival Time

SANS Internet Storm Center (ISC) keeps track of the average time between probes directed at individual IP addresses (http://isc.sans.org). Many such connection requests are initiated by worms as they scan the network in search of new victims. ISC calls the time between such probes the "survival time" of a system. If the OS or its applications are not patched, a probe is likely to lead to a successful compromise of the machine. The scary trend is that the survival time is rapidly decreasing. At the time of this writing, this interval is 16 minutes, approximately half of what it was a year earlier.


When deploying a fresh system, it is a good idea to install its OS and applications on an isolated network segment. You should not release the system to production before it is fully patched up. Otherwise, you run the risk of having the host compromised even before you finish setting it up.

In order to apply patches in a timely manner, you need to monitor security announcement forums used to post notices about discovered vulnerabilities and released patches. Some of our favorite notification newsletters, which provide information in a concise format, are listed here:

  • Subscribe to the Microsoft Security Notification Service at https://profile.microsoft.com/RegSysSubscriptionCnt.

  • Subscribe to the Sun Customer Warning System by sending an email message to security-alert@sun.com with the subject "subscribe cws."

  • Subscribe to the weekly bulletin SANS @RISK: The Consensus Security Alert, at http://www.sans.org/newsletters. This newsletter summarizes critical vulnerabilities and explains how to protect yourself from them.

  • Subscribe to the Windows and Linux weekly newsletters at http://www.securityfocus.com/newsletters. These newsletters document notable security events of the week.

In addition to these resources, there are numerous other mailing lists that provide cutting-edge vulnerability information. The most notable of these announcement forums are Bugtraq (http://www.securityfocus.com) and Full-Disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure). When signing up for these mailing lists, keep in mind that they carry a very high volume of messages.

Patch installation resolves several key security concerns, but reckless patching practices can have disastrous consequences. Although a patch typically corrects the faulty OS or application code, resolving the security issue, a patch could have side effects that prevent your custom scripts or applications from working properly. As we discuss in Chapter 19, you should test any patches before applying them to your production systems. By testing in a controlled environment, you can verify that the patch will resolve your security issues without breaking critical functions.
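The workflow described in this section (learn of a vulnerability, decide which hosts it applies to, apply the patch in a controlled environment first, promote it to production only after it passed testing, and fall back to a compensating perimeter control when no patch exists yet) can be captured in a small tracker. The following script is an added example, not code from the book; the advisory feed, host inventory, version numbers and advisory identifiers in it are all constructed for illustration, and the `affected_below`/`fixed_in` fields are an assumed format rather than any vendor's.

```python
"""Added example: a minimal patch-status tracker for a staged patching process.

Constructed data only. The tracker answers three questions for each host:
which advisories apply to it, what the next patching step is, and whether
a freshly built host may be released to production (no patchable
vulnerability outstanding).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.50' into (2, 0, 50) so versions compare numerically, not lexically
    (a plain string compare would wrongly rank '2.0.9' above '2.0.10')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    package: str
    affected_below: str         # versions strictly below this are vulnerable
    fixed_in: Optional[str]     # None: vulnerability is public but no vendor patch yet


@dataclass
class Host:
    name: str
    role: str                   # "staging" (test environment) or "production"
    packages: Dict[str, str]    # package name -> installed version


def applies(adv: Advisory, host: Host) -> bool:
    """True when the host runs an affected version of the advisory's package."""
    installed = host.packages.get(adv.package)
    if installed is None:
        return False
    return parse_version(installed) < parse_version(adv.affected_below)


def next_action(adv: Advisory, host: Host, staging_passed: Set[str]) -> str:
    """Decide the next step for one advisory on one host.

    staging_passed holds the ids of advisories whose patch has already been
    installed and verified on the staging systems; only those may go to
    production. With no patch available, the host needs a compensating
    control (e.g. tighter perimeter filtering) until the vendor ships one.
    """
    if not applies(adv, host):
        return "not-affected"
    if adv.fixed_in is None:
        return "compensate"
    if host.role == "staging":
        return "apply-in-staging"
    if adv.adv_id in staging_passed:
        return "apply-in-production"
    return "wait-for-staging"


def assess(host: Host, advisories: List[Advisory], staging_passed: Set[str]) -> Dict[str, str]:
    """Map every advisory id to the action it requires on this host."""
    return {adv.adv_id: next_action(adv, host, staging_passed) for adv in advisories}


def release_gate(host: Host, advisories: List[Advisory]) -> Tuple[bool, List[str]]:
    """A freshly built host may leave the isolated build segment only when no
    advisory with an available patch still applies to it. Returns (ok, blocking ids)."""
    blocking = [a.adv_id for a in advisories if applies(a, host) and a.fixed_in is not None]
    return (not blocking, blocking)


# --- constructed sample data (not real advisories, hosts or versions) ---
ADVISORIES = [
    Advisory("ADV-2005-001", "httpd", affected_below="2.0.50", fixed_in="2.0.50"),
    Advisory("ADV-2005-002", "sshd", affected_below="3.9", fixed_in=None),
    Advisory("ADV-2005-003", "bind", affected_below="9.2.4", fixed_in="9.2.4"),
]
HOSTS = [
    Host("stage-web", "staging", {"httpd": "2.0.49", "sshd": "3.8"}),
    Host("prod-web", "production", {"httpd": "2.0.49", "sshd": "3.9"}),
    Host("new-build", "production", {"httpd": "2.0.50", "bind": "9.2.3"}),  # still on the build segment
]
STAGING_PASSED = {"ADV-2005-003"}   # constructed: this patch already verified in staging


if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host.name} ({host.role}):")
        for adv_id, action in assess(host, ADVISORIES, STAGING_PASSED).items():
            if action != "not-affected":
                print(f"  {adv_id}: {action}")
        ok, blocking = release_gate(host, ADVISORIES)
        print(f"  release to production: {'ok' if ok else 'blocked by ' + ', '.join(blocking)}")
```

Running it shows `stage-web` due for the httpd patch in staging and needing a compensating control for the sshd issue, `prod-web` waiting for the httpd patch to pass staging, and `new-build` blocked from release until the already-verified bind patch is applied. The version parser is the part most often got wrong in home-grown trackers; comparing version strings lexically would have declared `2.0.9` newer than `2.0.10`.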



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
