HP Security Briefing, Episode 22: The hidden dangers of inadequate patching strategies

Dustin_Childs ‎06-04-2015 10:00 AM - edited ‎06-11-2015 01:04 AM

Our latest HPSR Security Briefing looks at some of the problems with the current state of security patches. You can listen to this episode of the HP Security Briefing podcast on the Web, on YouTube, or via iTunes, and you can read or download the detailed companion report here. The archive for this and all previous Briefings can be found and bookmarked here.


In 2014, federal regulators imposed a $150,000 fine on a healthcare provider for having unpatched software throughout their network. At first glance, this seems a reasonable action for a clear violation of HIPAA standards. However, when reviewing all the problems in the current state of security patches, the picture becomes more muddled.

This provider is not alone. According to US-CERT, as many as 85% of targeted attacks are preventable by applying a security patch. Some of these attacks are over five years old but are still being successfully used by attackers. This leads to an interesting question: why do people not apply security patches? The answer is more complex than it may seem.


The Briefing takes a look at the current state of security patches and reveals some dangers and pitfalls across the industry. Before getting into any problems with the patches themselves, we need to understand why patches are needed at all. To understand this, two viewpoints must be considered: the vendor producing the patch and the customer applying the patch. No vendor has ever released perfect, secure software, so post-release patches are inevitable. Vendors must have a plan for delivering these updates to their customers. For the end user, software must be patched not just to increase the security of a program, but also to comply with industry standards and government regulations.


Of course, applying patches in an enterprise is not trivial and can be costly – especially when problems occur. The most common excuse given by those who disable automatic updates or fail to install patches is that patches break things. In the last half of 2014 alone, users incurred major disruptions after installing patches from Microsoft, Apple, Adobe, and Oracle. There are also times when a security patch itself introduces a security problem. In other cases, the patches do not work as advertised. Earlier this year, a report submitted to HP’s Zero Day Initiative (ZDI) showed how the original patch failed to completely fix the link vulnerability used by the Stuxnet virus. Quality issues like these degrade users’ trust in patching and eventually lead to patches not being applied when they should be.


Even when the security patch works completely, other situations also make users leery of installing patches. Some patches come with “bonus” software that installs additional toolbars, changes the default web browser, or otherwise installs software the user may not want or need. Some users remain confused over whether pirated systems can be patched (spoiler: they can), and others are apprehensive about silent fixes. Even when it all works and nothing extra is installed, a reboot is often required – adding further disruptions and annoyances.


Software vendors must earn back the trust of users – their direct customers – to help restore faith in automatic updates. One key strategy to accomplish this must be open and transparent communication about patches and their impact. Customers must be told when patches are available, what the patches do, and what side effects the patches may have. When problems arise, vendors should be clear about what is happening and offer workarounds to those affected. In short, vendors need to approach the communications surrounding security patches as a matter of customer protection, not press relations.


This Briefing goes through all of these issues and more, including the abandonment of products and how patches can impact cloud computing providers. In the coming struggle for security in the Internet of Things (IoT), mistakes and flaws in our current patching processes will multiply by several orders of magnitude. We cannot repeat this same flawed process in a completely interconnected world and keep customers safe at the same time. We must demand better of vendors, and vendors must demand better from themselves.


The story of security patches is still being written. Let’s take the opportunity to work together to make it a good tale.

About the Author

Dustin_Childs

I am a senior security content developer with Hewlett Packard Enterprise Security Research. In this role, I write and edit security analysis and supporting content from researchers. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of HPE Enterprise Security Products.

Comments
SBradley
on ‎06-04-2015 11:09 AM

Preach it, Brother Dustin.

On the Microsoft side we are missing the early heads-up emails on security bulletins, MSRC webcasts, SRD blog posts, and in general a ton of communication is now missing regarding updates.

As is pointed out, this impacts the trust of patching.
