You Can’t Patch, What You Don’t Know

You Can’t Patch, What You Don’t Know

See Previous Issue:  Who is responsible for patch management?

In my previous articles I have discussed the importance of patch management and how this is a complex challenge in the modern enterprise. This article will focus on another challenge – knowing what you have in your IT environment. As a friend once told me “you can’t patch, what you don’t know you have”.

The December 2018 US House of Representatives Committee on Oversight and Government Reform Report on the Equifax Data Breach stated:

“The company’s lack of knowledge about the software used within its legacy IT environment was a key factor leading to the 2017 data breach. Equifax’s Patch Management Policy relied on its employees to know the source and version of all software running on a certain application in order to manually initiate the patching process. Therefore, the lack of visibility regarding Apache Struts use in the Equifax environment greatly increased the likelihood an unpatched vulnerability could go unnoticed”

In 2018 US-CERT reported over 16,000 vulnerabilities. The shear volume of reported vulnerabilities (which have significantly increased over the last two years) is a challenge. Many researchers report that the exploitation of software vulnerabilities is the number one external intrusion method used in cybersecurity data breaches.

How do you determine which vulnerabilities should be a concern for your organization? One method is to be able to relate vulnerabilities identified against the specific technologies in your IT estate. In other words, an IT asset inventory.

An IT asset inventory is an outcome of a sound IT Asset Management program.  The International Association of Information Technology Asset Managers (IAITAM) defines IT Asset Management as “…a set of business practices that incorporates IT assets across the business units within the organization. It joins the financial, inventory, contractual and risk management responsibilities to manage the overall life cycle of these assets including tactical and strategic decision making”.

IT Asset Management requires the implementation of processes and technology to record and track hardware and software throughout its lifecycle from procurement through to disposal/retirement.

How does IT Asset Management support the patch management process?

  • Asset management discovery tools provide data about hardware and software assets that can be compared with scanning and monitoring tools used by security professionals to identify potential “unrecorded assets”
  • Asset management tools can provide detailed information about the operating system, including version and patch levels.
  • When this data is combined with information about the business context of the IT asset (eg business process it supports, physical location, whether it is internet facing etc) then security professionals can use this data to help make informed risk decisions about patching criticality and prioritization.
  • Asset inventories can also provide data about the system administrators responsible for maintaining the asset. This is useful to security professionals to establish a point to contact regarding patching.

Once a security vulnerability has been identified, information managed by the IT Asset Management team such as software deployment, configuration, and asset data can assist by allowing an organisation to quickly report on where vulnerable software installations are located. This helps management understand the exposure and plan the remediation. It’s important to note that this use of configuration information is only possible if the organisation’s IT Asset Management processes are mature and up-to-date.

The US House of Representatives Committee on Oversight and Government Reform commented on Equifax’s IT asset management as follows: “It is critical for an organization to know what assets are present within its IT environments to make accurate and informed risk determinations – such as when, and how, to patch a vulnerable system. As the Office of Personnel Management’s Inspector General warned prior to the 2015 OPM data breach, “failure to maintain an accurate inventory undermines all attempts at securing OPM’s information systems.

Responsibility for the proper management of IT risk must be shared between the IT and Security teams. It was Security’s responsibility to detect vulnerabilities present within the Equifax environment. Security was unable to do this for ACIS because Equifax did not keep track of the presence of Apache Struts within the ACIS application. Therefore, the lack of a comprehensive inventory did prevent Security from properly doing its job”.

There are two major challenges with any IT Asset inventory: (1) is it comprehensive, and (2) is it up-to-date? A comprehensive IT asset inventory would include information about all the technology that is used within a system. This would include: hardware, operating system, middleware, database, and application data. An up-to-date IT asset inventory requires sound processes to record additions, disposals and movements of IT asset components as they occur.

For an IT asset inventory to be comprehensive it needs to be able to identify all components of the system, including middleware. Today there are automated software composition analysis tools that can interrogate systems to determine the specific open source and third party components used in the system. Keeping the IT asset inventory up-to-date requires strong integration with other supporting processes such as procurement, change management, and configuration management.

What happens when IT asset management inventories are not comprehensive or up-to-date? In my experience, I see a loss of trust in the IT asset management processes. Different groups then generate their own lists or inventories. The result is that there is no golden record of IT assets. Different lists are maintained using different processes and can not be guaranteed to be comprehensive or up-to-date.

Once a vulnerability is announced and/or a patch is available, IT operations and security personnel need to quickly identify the impacted systems and ensure they are patched. Establishing and maintaining an accurate inventory is a challenging task but is vitally critical to the security of the organization.


Questions for Executives

Questions for your organization to consider:

  1. Does your organization have a comprehensive IT inventory that identifies systems and sub-components and the related system owners and custodians?
  2. How is the inventory updated when changes occur in systems,networks, and environments?
  3. What checks and monitors are in place to help ensure the IT inventory remains accurate (eg. physical reconciliations, automated scanning)?
  4. Does your inventory and patching process leverage automation to ensure it is readily updated and accurate?

Next issue:  Policies are Great, Execution is Better

Contact Graeme to schedule a time to speak to your Board or Executive Team.