One Word – “Patches”

Solutionary Minds - Your Information Security Blog Source



Posted by Vincent Ragosta on Tue, Jan 17, 2012 @ 02:12 PM
  
  
  
  

I can picture the scene in my head.  A wise, time-tested senior security administrator takes the newly hired junior administrator aside and states in a firm voice, “One word – patches.”  We all know that patching is a necessity, but how many of us audit all of the software on every system to ensure it is running the most up-to-date version?  Deploying patches in a sluggish manner can turn a healthy system into a ticking time bomb.

We see some interesting things in our Security Operations Center (SOC).  Monitoring devices across several clients gives us a bird’s-eye view of activity propagating across our client base.  Lately, the SOC has noticed an increase in remote code injection scans, which involve sending code to a poorly written application to perform malicious activity.  These scans have targeted an AWStats vulnerability in versions prior to 6.3 (CVE-2005-0116) and phpThumb version 1.7.9 (CVE-2010-1598).  Something should stand out in those CVE numbers: the year!  The AWStats vulnerability was first reported in 2005 and the phpThumb vulnerability in 2010.  One can only infer that running these scans is still “profitable” for whatever malicious entity is behind this activity.  In other words, there are still enough unpatched, vulnerable systems running old versions that are ripe for exploitation.
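The audit question raised above can be turned into a repeatable check. The following is an added example, not code from Solutionary: it compares a constructed software inventory against the two version thresholds named in this post and lists public-facing hosts first. The inventory format and host names are assumptions, as is treating phpThumb releases older than 1.7.9 as affected.

```python
import re

def parse_version(text):
    """Turn '1.7.10' into (1, 7, 10) so it sorts after 1.7.9; '6.3.0' equals '6.3'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # drop trailing zeros so 6.3.0 is not treated as newer than 6.3
    return tuple(parts)

# Thresholds from the post: AWStats before 6.3 (CVE-2005-0116) and phpThumb
# 1.7.9 (CVE-2010-1598). Flagging phpThumb releases older than 1.7.9 as well
# is an assumption made for this example.
RULES = {
    "awstats": ("CVE-2005-0116", lambda v: v < parse_version("6.3")),
    "phpthumb": ("CVE-2010-1598", lambda v: v <= parse_version("1.7.9")),
}

# Constructed inventory: host, exposure, package, installed version.
INVENTORY = """\
web01  public    awstats   6.2
web02  public    AWStats   6.3
web03  internal  phpThumb  1.7.9
web04  public    phpThumb  1.7.10
web05  public    awstats   unknown
"""

def audit(inventory):
    """Return findings, public hosts first; unknown versions are surfaced too."""
    findings = []
    for line in filter(str.strip, inventory.splitlines()):
        host, exposure, package, version = line.split()
        if package.lower() not in RULES:
            continue
        cve, is_affected = RULES[package.lower()]
        try:
            status = "VULNERABLE" if is_affected(parse_version(version)) else None
        except ValueError:
            status = "UNKNOWN-VERSION"  # cannot prove it is patched, so report it
        if status:
            findings.append((host, exposure, package, version, cve, status))
    findings.sort(key=lambda f: (f[1] != "public", f[0]))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```

Versions are compared as integer tuples rather than strings, because a plain string comparison would rank 1.7.10 below 1.7.9 and misreport the newer release as affected.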

There truly is no excuse for not patching software, especially software running on publicly accessible systems.  So why are organizations not patching?  While it may at first appear to be complacency, some system administrators are reluctant to patch because they adopt the mentality of “if it’s not broken, why fix it?”  However, taking the time to patch while the system is still healthy can save time and stress by avoiding attacks and vulnerabilities.  Further, patches should be implemented in a timely fashion.  Our fabled time-tested security administrator knows the value of patches but, perhaps due to long-held dogma, still insists on testing patches before deploying them.  This may be a grave mistake.  Any time spent testing a patch increases the window of opportunity for an attacker to find a vulnerable system and exploit it.  

So, stay abreast of any patches that are available for the software you utilize and deploy them as quickly as possible.  If you are not keeping on top of your patches, someone may knock on your door and remind you.

 

