Assessing Security Vulnerabilities and Applying Patches

Download ACSC Protect Notice, Assessing Security Vulnerabilities and Applying Patches (PDF), April 2016

Introduction

  1. Applying patches to operating systems, applications and devices is critical to ensuring the security of systems. The Australian Signals Directorate (ASD) currently rates this activity as one of the most effective security practices organisations can perform.
  2. This document has been developed by ASD to provide guidance on assessing security vulnerabilities in order to determine the risk posed to organisations if patches are not applied in a timely manner. In this document, a security vulnerability refers to a flaw in an operating system, application or device rather than a misconfiguration or deployment flaw.

Assessing security vulnerabilities

  1. There are multiple information sources that organisations can use to assess the applicability and risk of security vulnerabilities in the context of their environment. These include vendor security bulletins and the severity ratings assigned to security vulnerabilities using standards such as the Common Vulnerability Scoring System (CVSS).
  2. A risk assessment allows organisations to assess the severity of each security vulnerability, the likelihood of it being exploited by an adversary and the risk posed to their information or systems if a patch is not applied in a timely manner. When conducting a risk assessment, organisations should consider the following factors:
    1. if high value or high exposure assets are impacted, this could lead to an increased risk
    2. if assets historically targeted are impacted, this could lead to an increased risk
    3. if a patch was released outside of a vendor’s regular patch release schedule (an out-of-band release), this generally indicates that the security vulnerability is being actively exploited in the wild, which could lead to an increased risk
    4. if any exploits related to a security vulnerability are wormable or can be automated, this could lead to an increased risk
    5. if mitigating controls are already in place, or soon to be in place, for all impacted assets, this could lead to a decreased risk
    6. if impacted assets have a low risk of exposure, this could lead to a decreased risk.
  3. Examples of risk assessment outcomes for security vulnerabilities are:
    1. extreme risk
      • the security vulnerability facilitates remote code execution
      • critical business systems or information are affected
      • knowledge of exploits exist in the public domain and are in use
      • the system is internet-connected with no mitigating controls in place
    2. high risk
      • the security vulnerability facilitates remote code execution
      • critical business systems or information are affected
      • knowledge of exploits exist in the public domain and are in use
      • the system is in a protected enclave with strong access controls
    3. moderate risk
      • the security vulnerability facilitates an adversary impersonating a legitimate user on a remote access solution
      • the remote access solution is exposed to untrusted users
      • the remote access solution requires two-factor authentication
      • the remote access solution prevents the use of privileged user credentials
    4. low risk
      • the security vulnerability can only be exploited by an already authenticated user performing a SQL injection attack
      • the system contains non-sensitive publicly-available information
      • mitigating controls exist that make exploitation of the security vulnerability unlikely or very difficult.

Applying patches

  1. Once a patch is released by a vendor, and the associated security vulnerability has been assessed for its applicability and importance, the patch should be deployed in a timeframe which is commensurate with the risk posed to information or systems. Doing so ensures that resources are spent in an effective and efficient manner by focusing effort on the most significant risks first.
  2. When patching, organisations may be concerned about the risk of a patch breaking systems or applications and the associated outage this may cause. While this is a legitimate concern, and should be considered when deciding what actions to take in response to security vulnerabilities, many vendors perform thorough testing of all patches prior to their release to the public. This testing is performed against a wide range of environments, applications and conditions. Often the immediate protection afforded by patching an extreme risk security vulnerability far outweighs the impact of the unlikely occurrence of having to roll back a patch.
  3. It is essential that security vulnerabilities are patched as quickly as possible. Once a vulnerability in an operating system, application or device is made public, it can be expected that malicious code will be developed by adversaries within 48 hours. In fact, there are cases in which adversaries have developed malicious code within hours of newly-discovered security vulnerabilities (eg, The Register: ‘Hacking Team Flash exploit revealed lightning reflexes of malware toolkit crafters’; The Register: ‘DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned’).
  4. The following are ASD’s recommended deployment timeframes for patches based on the outcome of risk assessments for security vulnerabilities:
    1. extreme risk: within 48 hours of a patch being released
    2. high risk: within two weeks of a patch being released
    3. moderate or low risk: within one month of a patch being released.
  5. In situations where resources are constrained, organisations are encouraged to prioritise the deployment of patches. For example, patches could be applied to workstations of high risk users (eg, workstations used by executive officers and their support staff, HR staff, FOI staff and public relations staff) within 48 hours, followed by all other workstations within two weeks.

Temporary workarounds

  1. Temporary workarounds may provide the only effective protection if there are no patches available from vendors for security vulnerabilities. These workarounds may be published in conjunction with, or soon after, security vulnerability announcements. Temporary workarounds may include disabling the vulnerable functionality within the operating system, application or device, or restricting or blocking access to the vulnerable service using firewalls or other access controls.
  2. The decision as to whether a temporary workaround is implemented should be risk-based, as with patching.

Example risk assessment

  1. The following is a simplified example of a risk assessment for a critical Microsoft Office remote code execution security vulnerability. The ratings for consequence and likelihood were taken from values previously defined in the organisation’s risk assessment framework:
    1. Consequence of malicious code reaching a workstation: Significant (5)
    2. Likelihood of targeting by an adversary using the exploit: Likely (4)
    3. Risk: Extreme (9).
  2. While the above risk assessment indicated that the risk of not applying a patch for the security vulnerability was extreme, the organisation already had a number of mitigating controls in place, such as application whitelisting and technical controls preventing privileged users from reading emails, opening attachments or browsing the web. After assessing the effect of these mitigating controls on the consequence of malicious code reaching a workstation, the risk assessment was updated to:
    1. Consequence of malicious code reaching a workstation: Negligible (2)
    2. Likelihood of targeting by an adversary using the exploit: Likely (4)
    3. Risk: Moderate (6).
  3. As a result of the risk assessment, the organisation determined that the risk of not applying the patch in their threat environment, given the mitigating controls they already had in place, to be moderate. As such, they applied the patch to their workstations within two weeks of the patch being released.
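The following is an added example, not code from the ACSC/ASD notice, that turns the two-step assessment above and the deployment timeframes from ‘Applying patches’ into a small triage helper: it rates a vulnerability from the organisation’s consequence and likelihood values, derives the patch deadline for that rating, and re-rates once mitigating controls lower the consequence. The additive scoring (consequence + likelihood) and the score bands are assumptions chosen only to reproduce the figures on this page (5 + 4 = 9 Extreme, 2 + 4 = 6 Moderate); the 30-day reading of ‘within one month’ and the release timestamp are also constructed for the example.

```python
"""Patch triage helper (added example; not ASD's own tooling).

ASSUMPTIONS, labelled here and in comments below:
  - the organisation's framework sums consequence and likelihood and bands the
    sum; only the points 9 -> Extreme and 6 -> Moderate come from the notice
  - "within one month" is read as 30 days
  - the release timestamp is constructed sample data
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

# ASD's recommended deployment timeframes (from the notice), keyed by rating.
DEPLOY_WITHIN = {
    "Extreme": timedelta(hours=48),
    "High": timedelta(weeks=2),
    "Moderate": timedelta(days=30),  # ASSUMPTION: "one month" taken as 30 days
    "Low": timedelta(days=30),
}

# ASSUMPTION: score bands; the notice only fixes 9 -> Extreme and 6 -> Moderate.
RATING_BANDS = ((9, "Extreme"), (7, "High"), (5, "Moderate"), (0, "Low"))

# Constructed release timestamp used by the worked example and demo.
EXAMPLE_RELEASE = datetime(2016, 4, 12, 0, 0)


def rate(consequence: int, likelihood: int) -> Tuple[int, str]:
    """Return (score, rating) for consequence and likelihood values in 1..5.

    ASSUMPTION: score is the sum of the two inputs, matching the notice's
    example arithmetic (5 + 4 = 9, 2 + 4 = 6).
    """
    for value in (consequence, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"rating out of range (expected 1..5): {value}")
    score = consequence + likelihood
    rating = next(label for floor, label in RATING_BANDS if score >= floor)
    return score, rating


@dataclass(frozen=True)
class PatchDecision:
    score: int
    rating: str
    deploy_by: datetime  # deadline derived from the rating's timeframe


def decide(consequence: int, likelihood: int, released: datetime) -> PatchDecision:
    """Rate the vulnerability and compute the deployment deadline from release."""
    score, rating = rate(consequence, likelihood)
    return PatchDecision(score, rating, released + DEPLOY_WITHIN[rating])


def overdue(decision: PatchDecision, now: datetime) -> bool:
    """True once the deployment deadline has passed without the patch applied."""
    return now > decision.deploy_by


def worked_example(released: datetime = EXAMPLE_RELEASE) -> Tuple[PatchDecision, PatchDecision]:
    """The notice's Microsoft Office RCE case: the initial rating, then the
    re-rating after application whitelisting and privileged-user restrictions
    reduce the consequence from Significant (5) to Negligible (2)."""
    initial = decide(consequence=5, likelihood=4, released=released)
    with_controls = decide(consequence=2, likelihood=4, released=released)
    return initial, with_controls


if __name__ == "__main__":
    before, after = worked_example()
    for label, d in (("without controls", before), ("with controls", after)):
        print(f"{label}: score {d.score}, {d.rating}, "
              f"deploy by {d.deploy_by:%Y-%m-%d %H:%M}")
```

Run with no arguments to print both deadlines; the practical check is `overdue()`, which a patch tracker would evaluate against each open vulnerability daily. Note that only the consequence moved in the re-assessment: the mitigating controls did nothing to the likelihood of an adversary using the exploit, which is why the notice still treats the exploit as ‘Likely (4)’ in the second pass.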

Summary

  1. By maintaining a streamlined patch management strategy, including an awareness of information sources used to assess the applicability and risk of security vulnerabilities; an awareness of the regular patch release schedules of vendors; and defined responsibilities for individuals involved in the assessment of security vulnerabilities and application of patches, organisations can position themselves to act swiftly upon security bulletin or patch releases. In doing so, organisations can dramatically reduce the time between noticing information on new security vulnerabilities, assessing the security vulnerabilities and applying patches or temporary workarounds where appropriate.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems.
  2. ASD’s Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.
  3. Microsoft Australia’s ‘If you do only one thing to reduce your cybersecurity risk’ provides additional guidance on performing patching in complex environments such as medium and large Australian government organisations and enterprises.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.