Patch Band-aidment

IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.

1) Don’t patch, as everyone knows patching is risky and can kill an application/server.

This tends to be the excuse of businesses that don’t have a test system for that absolutely critical application/server. Which is riskier, not having a test system or not patching a critical system? Not having a test system to test patches or changes is a bigger problem than not patching–it means that non-patch fixes are applied in production and without testing.

So what do you do if you HAVE a test system and you found that the patch does break things? Try one of the other options (however, I’ve found many admins and DBAs hide behind patch FUD and don’t go any further–it’s just an excuse).

2) Put an application firewall in front of it.

That’s like putting a good fence around your house and leaving your windows open. The fence had better be really, really good. The other issue is that you haven’t put the security (patch) as close to the data (application/server) as possible.

Also, an application firewall can’t block everything, only known threats or classes of threats (behaviors) that have already been identified. (I like to say that loosely speaking, firewalls are kind of like auditors–they block (audit) the same as they did last year until you tell them something different.)

Finally, application firewalls can be hard to configure and tune. Sometimes patching is faster :)

3) Disable the service or application code with the problem so it cannot be compromised.

That works until some other admin who’s not aware of the “fix” turns it back on. Or as I discovered during an audit last year, another application/script/etc. that is run on the box to do an upgrade turns it back on, and the admin doesn’t turn it back off.

Conclusion

I’m not saying that application firewalls or disabling services aren’t helpful–they are–I’m just saying that the risk of the “fix” needs to be fully understood and accepted, but only after a careful analysis has revealed that patching is NOT the best solution, or the most cost-effective solution NOW.

Too often the dangers of the alternative safeguards are not researched and monitored to ensure the “fences” stay in place. Also, the alternatives are sometimes meant to be temporary and end up being permanent.

Until the alarm sounds.

Advertisements

Leave a comment

Filed under Security

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s