
Problem

I'm trying to sell the idea of organizational patch/update management and antivirus management to my superiors. Thus far, my proposition has been met with two responses:

  1. We haven't had any issues yet (I would add that we know of)
  2. We just don't think it's that big of a risk.

Question

Are there any resources available that can help me sell this idea?

I've been told that 55-85% of all security related issues can be resolved by proper anti-virus and patch/update management but the individual that told me couldn't substantiate the claim. Can it be substantiated?

Additional Information

1/5 of our computers (the ones on the building) have Windows update turned on by default and anti-virus installed. 4/5 of our computers are outside corporate and the users currently have full control over anti-virus and Windows updates (I know this is an issue, one step at a time).

James Hill
  • Well, Sony lost all its users' information due to an unpatched version of Apache. It's not Windows, but it's an example of a massive security breach due to running out-of-date software. http://techland.time.com/2011/05/05/security-expert-sonys-network-unpatched-and-had-no-firewall-installed/ I think anecdotes are most effective for non-tech people personally. – thatidiotguy Jun 26 '13 at 18:08
  • "4/5 of our computers are outside corporate and the users currently have full control" - welcome to the world of BYOD and MDM. – TheCleaner Jun 26 '13 at 18:18
  • AV solutions don't cover 55-85% of security related concerns; least privilege does. Somebody gets to play the risk vs. rewards game. – tony roth Jun 26 '13 at 18:20
  • @tonyroth, that stat was presented to me as a package - AV + Windows updates. – James Hill Jun 26 '13 at 18:27
  • @JamesHill both patching and AV don't do squat if you don't maintain control of admin access; remove admin privs from users and you gain 80+% more security. – tony roth Jun 26 '13 at 18:33
  • @tonyroth, I agree with you completely. I could **never** sell it (nor would I want to). We have an IT dept. of one person. I can't manage computers in 20+ countries by myself. Unfortunately, it's the reality of our situation. **Disclaimer**: I inherited this. This is not my doing... – James Hill Jun 26 '13 at 18:35
  • This ^^ is when you use SaaS cloud services to handle patch management/AV/client_monitoring. – TheCleaner Jun 26 '13 at 18:40
  • @JamesHill understood, sorry if it seemed like I was getting personal. Good luck; then also go to micrsoft.com/security, they have all sorts of resources that can show the benefits of the different security systems. Then it's a risk/reward issue and if needed I'd get them to sign off on whatever they (the bean counters) choose. – tony roth Jun 26 '13 at 18:40
  • @thecleaner yes, that or VDI/remote session, then it doesn't really matter how much the end user screws up their PC. – tony roth Jun 26 '13 at 18:43
  • Tell your superiors to check with their insurance carrier (general liability, business interruption, malpractice, etc.) to see what their position on patch management and anti-malware solutions is. I bet they have strong opinions. – longneck Jun 26 '13 at 18:43
  • James, it is not generally acceptable to [cross-post](http://security.stackexchange.com/questions/38062/how-important-is-patch-management) the same question to two or more SE sites. – Deer Hunter Jun 26 '13 at 19:35
  • @DeerHunter, I recognize that (I've been around SE for a while). After posting on security.SE I thought I probably should have posted on SF.SE. I intended to delete the first question but it was answered first. My bad :) – James Hill Jun 26 '13 at 19:51
  • The "duplicate" is none. The question is *not* whether to update at all but what use a patch management solution is in his specific environment. – the-wabbit Jun 27 '13 at 05:46

3 Answers


I can tell you that Patch Management is high on the list of every IT Auditor and does get checked quite often. Not patching your systems leaves them vulnerable to the prying eyes of attackers. Patching is required to be done, but it should also be tested before being pushed to production. The only mandatory patches you generally need to do are security patches, regardless of whether the system is only LAN or WAN accessible (although WAN needs to be prioritized).

Now you can say "hey, what's the risk? We haven't had any issues like that before!". Well, in some countries, if you have a breach which leaked personal information and it is shown that you did not take appropriate measures to secure your environment (patch management being one of them), your company can be held legally liable for the breach. In Europe, from next year, the new data protection legislation will even make it so that your superiors who are in charge of making policies on how to store this personal information can be held personally liable for this.

Lucas Kauffman
  • Do you mean, ..and it is shown that you did ***not take***..? – MDMoore313 Jun 26 '13 at 18:41
  • "praying eyes"? You mean preying eyes. – Giacomo1968 Jun 26 '13 at 18:51
  • I'd also like to say: say someone doesn't patch their machine in months. There are now hundreds of patches queued up to be applied. An attack happens, the sysadmin goes to patch... And... How exactly will the sysadmin be able to isolate the issue? It's gambling with safety & security to ignore patches until a problem arises. This is like anything. An ounce of prevention is better than a pound of cure. – Giacomo1968 Jun 26 '13 at 18:54
  • @JakeGould: yep, you can normally suggest edits :) – Lucas Kauffman Jun 26 '13 at 19:18
  • Not to be pedantic, but I think you mean "prying eyes". – HTTP500 Jun 26 '13 at 19:22
  • @HTTP500 I think either one is appropriate in this case I'd say... – MDMoore313 Jun 26 '13 at 19:40


In my experience zero-day threats will often still find a way through to infect a system if a user is not careful to avoid clicking on banner ads or zip files attached to spam emails etc.

Even with corporate firewalls, patch management and up-to-date antivirus installed, a lot of zero-day malware cuts through all of that like a hot knife through butter. Typically the most at risk are less computer-literate users who are too click-happy.

Nevertheless, patch management does reduce the attack surface to some extent and, as far as legal ramifications are concerned: taking steps to reduce the attack surface will help to protect your career and even you personally from legal liability if you happen to live in Europe.

As far as practical benefits are concerned, I don't actually think you will see a noticeable difference in terms of reduced virus infections if you use patch management. The biggest factors are your users and their browsing habits, combined with up-to-date antivirus with (hopefully) a relatively good detection rate.

At a corporate environment I worked at which spent $10K a year on Numara patch management, virus infections on their network of 200 computers were not uncommon (we had 10-20 serious malware infections a year).

At another location which I have been supporting in my free time for 5 years now (just 25 workstations), they have not had a single virus for 3+ years. All I have done is set Windows Update to install updates daily automatically, and installed Adblock Plus in all web browsers (IE allows the script to be used in lieu of the add-on). By preventing almost all banner ads (and other ads such as YouTube ads) I have been able to drastically reduce the attack surface used by a lot of today's malware, as well as improve the users' browsing experience. If you can take banner ads out of the equation, you don't give malware that relies on that as a vector to infect systems a fighting chance.

It seems to me as though there is too much focus on patch management (something which, on its own, can rarely be relied upon to stop malware anyway) and systems admins forget there are other highly effective ways to reduce the attack surface which don't cost a dime to implement.

It's all well and good doing something that reduces your chances of being sued, but you also need to remember that it should actually work as well.

Austin ''Danger'' Powers

As you apparently do have automatic updates enabled in your environment, the responses are nearly right. There would not be any gain in security unless the automatic update process is broken or you have packages which do not auto-update, are a potential security risk and would be covered by the patch management solution to be.

"Patch management" is not much of a security solution now that nearly every software package comes with an auto-update service. It is more about uptime and availability, as it supports the relevant QA workflow for your environment (e.g. publish patches to a lab environment first, to a small group of "beta" users second, and to everybody last). If you are not concerned by the prospect of a breakdown due to a bad system, program or virus definition update, and do not run software which has no working auto-update process, then a patch management solution is probably not your most urgent need.

Now, where you do have a security-related problem is the 4/5 of your devices where users have "full control" over the auto-update configuration. Not so much because they have the ability to disable automatic updates (if the computers are within a domain or covered by a NAP solution you could enforce re-activation easily), but because it means that the users probably are local administrators, which would massively widen attack surfaces and the possible impact of an attack. You should focus on changing that.

the-wabbit
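Added here as an example, not code from the original post or from any of the answers' authors: a PowerShell audit that checks a single Windows host for the two points raised in the last two answers, whether Windows Update is set to download and install automatically (as Austin's answer recommends) and which accounts hold local Administrators membership (the local-admin concern in the-wabbit's answer). It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and an elevated session; the list of "expected" admin principals is an assumption to adjust per environment.

```powershell
# Audit one host for auto-update state and local admin membership (added example).
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell session.

function Get-AutoUpdateState {
    # GPO-managed policy values take precedence over the per-machine defaults.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $default = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $state = [ordered]@{ Source = 'default'; NoAutoUpdate = 0; AUOptions = $null }

    if (Test-Path $policy) {
        $p = Get-ItemProperty -Path $policy
        if ($null -ne $p.NoAutoUpdate) { $state.NoAutoUpdate = [int]$p.NoAutoUpdate; $state.Source = 'policy' }
        if ($null -ne $p.AUOptions)    { $state.AUOptions    = [int]$p.AUOptions;    $state.Source = 'policy' }
    }
    if ($null -eq $state.AUOptions -and (Test-Path $default)) {
        $d = Get-ItemProperty -Path $default
        if ($null -ne $d.AUOptions) { $state.AUOptions = [int]$d.AUOptions }
    }
    # AUOptions: 1 = never check (non-policy key), 2 = notify only,
    # 3 = download and notify, 4 = download and install on schedule.
    $state.Enabled = ($state.NoAutoUpdate -eq 0 -and $state.AUOptions -eq 4)
    [pscustomobject]$state
}

function Get-LocalAdminFindings {
    # Flag every Administrators member outside the assumed set of expected principals.
    $expected = @('Administrator', 'Domain Admins')   # assumption: tune per environment
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]            # strip the COMPUTER\ or DOMAIN\ prefix
        [pscustomobject]@{
            Name       = $_.Name
            Class      = $_.ObjectClass
            Unexpected = ($expected -notcontains $short)
        }
    }
}

$au = Get-AutoUpdateState
if (-not $au.Enabled) {
    Write-Warning "Automatic updates are not set to download and install:`n$($au | Out-String)"
}

$admins = Get-LocalAdminFindings
$admins | Format-Table -AutoSize
if ($admins | Where-Object Unexpected) {
    Write-Warning 'Non-standard accounts hold local Administrators membership; review them.'
}
```

Run it per machine (or wrap the two functions in Invoke-Command against a list of domain hosts) to turn "we haven't had any issues" into a concrete count of hosts with updates off and users who are local admins.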