Microsoft published a patch for the vulnerability exploited by NotPetya months before the Maersk attack. In this video, Mike Chapple explains the importance of proper patch management.
- It should be old news by now that patching is a crucial security practice. Missing patches are one of the most common root causes of security breaches. And that remains true in the Maersk case. Do you remember how one of the two ways that NotPetya spread was by exploiting a vulnerability in the SMB protocol used by Microsoft Windows? Well, this wasn't the first time that this vulnerability was exploited. The vulnerability, code-named EternalBlue, was developed by the National Security Agency and exposed to the world earlier in 2017.
Microsoft released a patch for the EternalBlue vulnerability in March, months before the Maersk attack. If Maersk had applied the patch, they might have mitigated the impact of the NotPetya attack or even blocked it entirely. Why is patch management so important in the first place? Well, modern computing systems and applications are extremely complicated. It might not surprise you to learn that there are millions and millions of lines of code contained in each major piece of software that you run.
For example, the Linux kernel is the core part of the operating system that handles input, output, memory management, CPU management and other core tasks. This central piece of the operating system contains over 24 million lines of code, and it changes at an astonishing rate. Thousands of lines of code are added, removed and changed each day as the kernel evolves. Given the complexity of modern software, it's inevitable that developers will make mistakes.
And some of those mistakes will lead to security vulnerabilities. In the security community, we have a well-understood process for managing these vulnerabilities. When a company learns of a vulnerability in their software, they analyze the issue and then develop a fix for the problem known as a security patch. They then release this patch through their update mechanism. And administrators around the world apply the patch and correct the vulnerability. From an administrator's perspective, there's a lot of work to do.
Modern enterprises may run several different operating systems and hundreds of applications. They also have routers, switches, internet of things devices, software libraries and many other components that are being patched on a regular basis. Vulnerability management processes help administrators get a handle on this complexity. A mature vulnerability management process includes scanning systems for vulnerabilities, the application of patches, tracking of remediation and reporting of results.
You'll find a great set of requirements for a vulnerability management program in NIST Special Publication 800-53. This document includes a set of requirements that Federal Government agencies must follow. But they're good practice for anyone running a security program. The section of NIST 800-53 on vulnerability management requires that you regularly scan systems and applications for vulnerabilities, analyze the results of those scans, remediate vulnerabilities that you deem legitimate, and share information about vulnerabilities with others.
No matter why you're building a vulnerability management program, the basic tools and processes are the same. But before you start, it's important that you know what rules apply to you and your organization so that you can be sure to design your program to satisfy those requirements.
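The four activities the video lists for a mature program (scan, analyze the results, remediate the findings you deem legitimate, report) can be modelled as a small tracking loop. The script below is an added example and is not code from the video or from Mike Chapple; it does not implement any scanner. The host names, finding identifiers, scan dates and the per-severity remediation deadlines are all constructed for the example, and the deadline table is an assumed policy rather than a value taken from NIST 800-53.

```python
"""Minimal vulnerability-management tracker (added example, not from the video).

Models the loop the transcript describes: ingest scan output, reconcile it
with what is already being tracked, triage each finding, and report. All
hosts, finding IDs, dates and deadlines below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed remediation policy: days allowed after a finding is first seen.
# Not a NIST 800-53 value; an organization sets these to match its own rules.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    vuln_id: str                     # scanner's identifier (constructed here)
    severity: str
    first_seen: date
    patched_on: Optional[date] = None


@dataclass
class Report:
    open_: list = field(default_factory=list)
    overdue: list = field(default_factory=list)
    remediated: list = field(default_factory=list)
    false_positives: list = field(default_factory=list)


def deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under SLA_DAYS."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def reconcile(tracked: list, scan_rows: list, scan_date: date) -> list:
    """Merge one scan's rows (host, vuln_id, severity) into the tracked set.

    Tracking remediation: a tracked finding that the new scan no longer
    reports is marked as patched on the scan date; an unseen (host, vuln_id)
    pair starts being tracked with first_seen = scan_date.
    """
    by_key = {(f.host, f.vuln_id): f for f in tracked}
    seen_now = {(host, vid) for host, vid, _ in scan_rows}
    for key, f in by_key.items():
        if key not in seen_now and f.patched_on is None:
            f.patched_on = scan_date
    for host, vid, sev in scan_rows:
        if (host, vid) not in by_key:
            by_key[(host, vid)] = Finding(host, vid, sev, scan_date)
    return list(by_key.values())


def analyze(tracked: list, exceptions: set, today: date) -> Report:
    """Triage tracked findings into the buckets a program reports on.

    exceptions: (host, vuln_id) pairs the team reviewed and rejected as not
    legitimate, e.g. a backported fix the scanner's version check cannot see.
    """
    report = Report()
    for f in tracked:
        if (f.host, f.vuln_id) in exceptions:
            report.false_positives.append(f)
        elif f.patched_on is not None:
            report.remediated.append(f)
        elif today > deadline(f):
            report.overdue.append(f)
        else:
            report.open_.append(f)
    return report


def summarize(report: Report) -> dict:
    """Counts per bucket, the headline numbers of a status report."""
    return {"open": len(report.open_), "overdue": len(report.overdue),
            "remediated": len(report.remediated),
            "false_positives": len(report.false_positives)}


def run_example() -> Report:
    """Two constructed scans of a tiny estate, then a triage as of 2017-06-05."""
    scan_1 = [("fileserver01", "SMB-RCE-0001", "critical"),   # constructed IDs
              ("web01", "TLS-WEAKCIPHER-0002", "medium"),
              ("web01", "KERNEL-PRIVESC-0003", "high")]
    scan_2 = [("web01", "TLS-WEAKCIPHER-0002", "medium"),
              ("web01", "KERNEL-PRIVESC-0003", "high"),
              ("laptop07", "SMB-RCE-0001", "critical")]        # newly seen host
    tracked = reconcile([], scan_1, date(2017, 4, 1))
    tracked = reconcile(tracked, scan_2, date(2017, 6, 1))
    exceptions = {("web01", "TLS-WEAKCIPHER-0002")}              # reviewed, rejected
    return analyze(tracked, exceptions, today=date(2017, 6, 5))


if __name__ == "__main__":
    rep = run_example()
    print(summarize(rep))
    for f in rep.overdue:
        print(f"OVERDUE {f.host} {f.vuln_id} due {deadline(f)}")
```

Running it reports one finding in each bucket: the file server's SMB finding disappeared between scans and is recorded as remediated, the web server's weak-cipher finding is an accepted exception, the kernel finding has blown its 30-day window, and the laptop's SMB finding is open but still inside its 7-day window. The reconcile step is the part most programs get wrong: without it, a finding that vanishes from a scan simply stops being reported, and nobody can later show when or whether it was actually fixed.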