The never-ending probes that reach our systems in an attempt to bypass perimeter defenses have taught us, the hard way, that we must take extreme care to ensure that the host's applications and the underlying OS are patched on a timely basis. Vendors routinely release software patches to address vulnerabilities discovered during the lifetime of their software products. Keeping up to date with patches can be time intensive, but it is necessary in order to address the vulnerabilities before an attacker exploits them. At times, a serious vulnerability may be known, but the patch may not yet be available; you must be prepared to compensate for this exposure by temporarily adjusting other components of your security perimeter.
When deploying a fresh system, it is a good idea to install its OS and applications on an isolated network segment. You should not release the system to production before it is fully patched up. Otherwise, you run the risk of having the host compromised even before you finish setting it up.
In order to apply patches in a timely manner, you need to monitor security announcement forums used to post notices about discovered vulnerabilities and released patches. Some of our favorite notification newsletters, which provide information in a concise format, are listed here:
In addition to these resources, numerous other mailing lists provide cutting-edge vulnerability information. The most notable of these announcement forums are Bugtraq (http://www.securityfocus.com) and Full-Disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure). When signing up for these mailing lists, keep in mind that they carry a very high volume of messages.
Patch installation resolves several key security concerns, but reckless patching practices can have disastrous consequences. Although a patch typically corrects the faulty OS or application code and thereby resolves the security issue, it could have side effects that prevent your custom scripts or applications from working properly. As we discuss in Chapter 19, you should test any patches before applying them to your production systems. By testing in a controlled environment, you can verify that the patch will resolve your security issues without breaking critical functions.