The National Fire Protection Association, National Fire Alarm Code, NPFA-72NFPA recommends testing along a range from weekly to monthly, depending on the type of system in place. However, a continuous realtime vulnerability and attack detection of operating systems and applications could reveal the presence of malware inside your organization.
THE CHALLENGES OF PATCH MANAGEMENT
Patch Management and the reporting generated by that activity can be helpful in determining if an endpoint is having support issues or is potentially compromised – it can work to detect the presence of malware – which may have escaped detection by other security solutions. Whatever the state of a broken endpoint, it needs to be remediated as a priority item.
Patching an operating system or even large complex applications is an intrusive and intensive computer operation. If something is not configured properly or the machine is potentially compromised, there is an extremely high likelihood there is something broken with the endpoint. From a user perspective, a machine that is failing to patch properly is probably a machine that is giving the user other issues – ranging from slow performance to frustrating behaviors.
Generally, a patching methodology that includes a reboot before patching (to close down applications left open or in use by users) and a reboot after (if required), provides a high success rate of successfully patching endpoints sometimes as high as 99%. It is that 1% or smaller number that fail and need to be investigated. Any machine that returns back errors has to be dealt with fairly swiftly for two important security reasons.
The first reason is that out of date software – because it can’t be patched - is exactly what cybercriminals target. The majority of malware tools exploit known vulnerabilities in software such as Java, Adobe products PDF reader and Flash, as well as web browsers and the office suite. Even Silverlight, a Microsoft technology similar to Adobe Flash (and present on almost every single Windows machine since Windows Vista), has cybercriminal exploits available.
The cybercriminal, crime-as-a-service industry quickly reverse engineer the patches (sometimes as quickly as four days) in order to discover how to code an application or operating system exploitation tool, based upon the vulnerabilities the software vendor is trying to fix. In many cases, it is a race against time – patching before a user encounters targeted exploits; if the patch is present and correctly installed it provides immunity from the exploit. The more unpatched or un-patchable machines in the enterprise, the more likely it is for an outbreak of ransomware or installation of a stealthy Trojan to conduct a data breach.
The second reason for dealing with an endpoint with patching issues is the endpoint may be already compromised by a malicious Trojan. Trojan malware can hijack certain operating system services such as DCOM in order to run (and possibly infect) other systems on the network. The antivirus program itself may not be able to defend the machine; because it may have been compromised as well – or has been shut down or even uninstalled.
PATCH MANAGEMENT REPORT
Receiving a patch management report that indicates your firm’s anti-virus or other security tools “can’t be found” or “can’t be patched” is an immediate issue of concern. If the user works in a sensitive or executive level capacity at your company, the matter may be urgent.
The patch management report on the endpoint is a great place to start for Digital Forensic Incident Responders (DFIR). If problems and issues have shown up on the machine from attempts to patch, this may give DFIR team members a good place to start the investigation. By undergoing a side-by-side comparison between a known good machine and the “problem” machine, evidence of a significant security issue can be revealed.
Patch Management provides tremendous value to an organization to deliver proactive security, but it is sometimes overlooked as a potential data breach “detection” system. If an endpoint is broken, it may have been “broken” by a malicious attack.
Also Read: Data Breach Fire Prevention