Small Business Defense – Patch Management and Defense in Depth
If you recall from yesterday, you’re in a lot of trouble. You have all these patches coming at you, and you have to apply them quickly but make sure that they don’t break anything. This isn’t easy, but what follows is a simple list of things to check. It’s far from complete, but if you’re not managing your patches already, it’s a step in the right direction.
Do you really need that patch?
Remember that patches fix specific problems in specific pieces of software. You can dramatically simplify the situation by reducing the software that is installed. If you don’t use instant messaging in your business, there’s no reason to have it installed. The same goes for various games and peer-to-peer applications. Depending on what you do, it may also apply to development tools and office applications. Remember, if it isn’t there to be exploited, it can’t be exploited.
Is there another option?
Many patches cover specific attack vectors. For example, different applications often listen for connections on specific ports. Sadly, many of them are installed in such a way that they accept connections from anyone who asks. Thus, if you have a payroll application that listens on port 11235 (eureka) but only needs to be accessed by the CFO, you can lock connections down so that only the CFO’s machine can reach it. If you do that (and the CFO’s PC is secure), you might be able to get away with excluding or delaying the patch.
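To make the payroll example concrete, here is an added example (not from the original post) of host firewall rules on a Linux server that let only the CFO’s workstation reach TCP port 11235 and drop everyone else. It assumes iptables is installed, that the CFO’s PC has the constructed address 192.0.2.10, and that an earlier rule already accepts ESTABLISHED,RELATED traffic; by default it only prints the rules so you can review them before running with APPLY=1.

```shell
#!/bin/sh
# Added example: restrict a listening service to one approved source host.
# Assumed values (replace with your own): payroll service on TCP 11235,
# CFO workstation at 192.0.2.10 (a constructed documentation address).

PAYROLL_PORT=11235
CFO_HOST="192.0.2.10"

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255, else 1.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (and, when APPLY=1, execute) the two rules for port $1, source $2.
# Rules are appended, so this assumes no earlier rule already accepts the port;
# the ACCEPT must precede the DROP or the CFO is locked out too.
restrict_port() {
    port="$1"
    allowed="$2"
    if ! is_ipv4 "$allowed"; then
        echo "refusing to build rule: '$allowed' is not an IPv4 address" >&2
        return 1
    fi
    rule_allow="iptables -A INPUT -p tcp --dport $port -s $allowed -m conntrack --ctstate NEW -j ACCEPT"
    rule_drop="iptables -A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n%s\n' "$rule_allow" "$rule_drop"
    if [ "${APPLY:-0}" = "1" ]; then
        $rule_allow && $rule_drop
    fi
}

# Dry run: shows the rules that would be applied for the assumed values.
restrict_port "$PAYROLL_PORT" "$CFO_HOST"
```

After applying, confirm the policy from both sides: a connection attempt from the CFO’s PC should succeed and one from any other workstation should time out, and `iptables -L INPUT -n --line-numbers` should show the ACCEPT above the DROP.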
Also, many applications run at a higher privilege level than is necessary. Some people may have administrator rights to their own systems. They may even need them to install software and do their daily jobs. However, do they need them to use Internet Explorer when they connect to Facebook? Probably not. Using a tool like Drop My Rights, or avoiding IE altogether and using Firefox, would mitigate this problem.
Despite my issues with virtualization, it is a useful technology. If you have a full virtual infrastructure, you can quickly copy a machine, apply a patch, and run a suite of automated tests to see if it works OK. If you’re a bit of a risk taker, you can even flip this around and apply the patch as soon as it becomes available, simply making a copy of the machine first in case it does cause problems. That way, you’re protected as quickly as possible.
Remember, a piece of software should be easily accessed by those that need it, and impossible to access by those that don’t. It’s a bit like your bed. You need to sleep in it. Depending on your living situation, others may need to sleep in it as well. Thus, you need doors so you can get into your house (where you presumably keep your bed). However, you don’t want random people coming in off the street and sleeping in your bed. That’s why you put locks on the doors.
If you only apply your patches on some of your servers, it’s like only locking your front door but leaving your back door hanging open. Eventually, you’ll stumble home exhausted from your day, and find a group of strangers in your bed.
You have to realize that patching is essential, but isn’t enough. You can apply hardening techniques like those above and antimalware techniques like HIPS, as mentioned earlier. You can lock down your network and user rights. There are a lot of other things that you can do as well. However, you have to apply the patches.
There are technologies that can be used to keep things up to date. There are technologies that can be used to automatically test your patches. There are technologies that can help you determine if a particular patch is needed. However, before any of these can be successful, you have to commit to the reality that patches have to be applied as soon as possible, and accept that you are placing your business at risk if you do not.