In the last three months the three most-reported international security incidents have all been tied to a lack of security patching. Equifax is claiming that an unpatched Apache Struts security vulnerability aided the hackers. The Equifax incident site states, “The attack vector used in this incident occurred through a Vulnerability in Apache Struts (CVE-2017-5638) …,” while others point to a variety of other Equifax security weaknesses, including the use of admin:admin on web-facing systems and storing framework keys on a web-facing system. Let’s concentrate only on security patching.
This week and by next Tuesday, over 200 security patches will be released by Microsoft, Apple, Adobe, VMware, and Ubuntu. The first three have cross-pollinating products with patches released this week (Office for Mac, iTunes for Windows, Reader for everything), and then there are the omni-platform Google Chrome updates that arrive surreptitiously. Even with a patch management product, the steps require constant oversight and monitoring. When did you last work your OU’s WSUS Update Status Summary report? The first week of a month, before “Patch Tuesday,” is a good time to review for devices detected as missing many old patches. Patching is a process, not a prayer. Run the Microsoft Baseline Security Analyzer on devices that have consistent issues and it may tell you clearly what is missing. The SANS organization has said they never do a customer consulting review without finding missing critical Microsoft patches. Never!
A monthly patching schedule can help small shops organize their work, for example:
- First week – audit non-domain systems patch status
- Second and third weeks – software vendor new monthly patching
- Fourth week – audit domain-joined systems patch status
- Fifth week (that some months have) – catch your breath.
For your third-party patch management product the steps should always be DEPLOY, VALIDATE, REPORT, MONTHLY PATCH AUDIT. Third-party products normally have good reporting summaries, and if you can report separately on domain-joined and non-domain-joined systems, all the better for segmenting validation during the month. But the key is taking the reporting and prioritizing so that the critical missing third-party software security updates are resolved first.
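As an added example (not this post's own script, nor any vendor's tool), here is a Python triage routine that does the prioritizing described above over a patch-status export. It assumes a CSV with host, domain-joined flag, KB, severity and release-date columns; that layout is an assumption for the example, not the real WSUS Update Status Summary format, and the hosts, KB numbers and dates in it are constructed. It ranks hosts by missing critical updates, counts how many missing updates are older than 60 days (the devices "missing many old patches"), splits the queue into domain-joined and non-domain-joined lists so validation can be segmented during the month, and flags the chronic hosts worth a closer look with MBSA.

```python
import csv
import io
from datetime import date

# Constructed sample export, one row per (host, missing update). Column layout,
# host names, KB numbers and dates are all made up for this example.
SAMPLE_REPORT = """host,domain_joined,kb,severity,released
FS01,yes,KB0000101,Critical,2017-10-10
FS01,yes,KB0000102,Important,2017-08-08
FS01,yes,KB0000103,Critical,2017-07-11
FS01,yes,KB0000104,Critical,2017-06-13
KIOSK7,no,KB0000101,Critical,2017-10-10
KIOSK7,no,KB0000102,Important,2017-08-08
LAB-PC3,no,KB0000101,Moderate,2017-10-10
WS042,yes,KB0000101,Critical,2017-10-10
"""


def load_report(text):
    """Parse the CSV export; 'released' becomes a date, 'domain_joined' a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["released"] = date.fromisoformat(r["released"].strip())
        r["domain_joined"] = r["domain_joined"].strip().lower() == "yes"
    return rows


def summarize_hosts(rows, today, stale_days=60):
    """Roll the per-update rows up to one record per host."""
    hosts = {}
    for r in rows:
        h = hosts.setdefault(r["host"], {
            "host": r["host"], "domain_joined": r["domain_joined"],
            "missing": 0, "critical": 0, "stale": 0, "oldest_days": 0,
        })
        age = (today - r["released"]).days
        h["missing"] += 1
        h["critical"] += int(r["severity"] == "Critical")
        h["stale"] += int(age > stale_days)          # missing for longer than stale_days
        h["oldest_days"] = max(h["oldest_days"], age)
    return hosts


def prioritize(hosts):
    """Worst first: most missing criticals, then most stale updates, then most missing overall."""
    return sorted(hosts.values(),
                  key=lambda h: (-h["critical"], -h["stale"], -h["missing"], h["host"]))


def segment(hosts):
    """Split the prioritized queue into domain-joined and non-domain-joined lists."""
    ordered = prioritize(hosts)
    return {
        "domain_joined": [h["host"] for h in ordered if h["domain_joined"]],
        "non_domain": [h["host"] for h in ordered if not h["domain_joined"]],
    }


def chronic_hosts(hosts, min_missing=3, min_stale=1):
    """Hosts carrying many old missing patches: candidates for a closer look with MBSA."""
    return sorted(h["host"] for h in hosts.values()
                  if h["missing"] >= min_missing and h["stale"] >= min_stale)


def audit(report_text, today_iso):
    """Run the whole triage for the audit date given as an ISO string (e.g. '2017-10-12')."""
    hosts = summarize_hosts(load_report(report_text), date.fromisoformat(today_iso))
    return {
        "priority": [h["host"] for h in prioritize(hosts)],
        "segments": segment(hosts),
        "chronic": chronic_hosts(hosts),
        "oldest_days": {name: h["oldest_days"] for name, h in hosts.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_REPORT, "2017-10-12").items():
        print(f"{key}: {value}")
```

The stale threshold of 60 days is an assumption; set it to whatever your shop treats as "old" (a patch still missing two Patch Tuesdays later is a reasonable starting point). Feed the script the export from whatever reporting your patch product produces and work the `priority` list top down.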
Two final items:
- Ubuntu tcpdump vulnerability update can be found at https://usn.ubuntu.com/usn/usn-3415-1/
- The Apache Struts developers, who had released a security patch for the Equifax-cited CVE on March 7, 2017, published sound advice this week for any security patching approach:
Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:
1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
3. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.
Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.
For the Apache Struts Project Management Committee,
Vice President, Apache Struts
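Item 1 of that advice (know which supporting libraries you ship, in which versions, and track the announcements affecting them) is the part that can be automated. The following Python example is added here; it is not the Struts project's code, and the product inventory, the advisory ID and the affected-version ranges in it are constructed placeholders, not the data from any real Struts announcement. It compares each product's deployed component versions against an advisory's affected ranges (first affected version inclusive, fixed version exclusive) and lists the deployments that need a fix release, which is the input item 2 asks you to act on within hours or days.

```python
import re

# Constructed inventory: product -> {component: deployed version}. An assumption
# for this example; a real shop would generate it from its build tool's
# dependency report rather than maintain it by hand.
INVENTORY = {
    "billing-portal": {
        "org.apache.struts:struts2-core": "2.5.10",
        "org.apache.commons:commons-lang3": "3.6",
    },
    "intranet-app": {
        "org.apache.struts:struts2-core": "2.5.13",
    },
    "legacy-reports": {
        "org.apache.struts:struts2-core": "2.3.20-SNAPSHOT",
    },
}

# Constructed advisory feed. The ID and the version ranges are illustrative
# placeholders; take real ranges from the vendor's own announcement.
ADVISORIES = [
    {
        "id": "EXAMPLE-ADV-0001",
        "component": "org.apache.struts:struts2-core",
        # (first affected version inclusive, fixed version exclusive)
        "affected": [("2.3.5", "2.3.32"), ("2.5.0", "2.5.10.1")],
    },
]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(version, ranges):
    """True if version falls inside any [first_affected, fixed) range.

    Tuple comparison gives the right answer for a four-part fixed version such
    as 2.5.10.1: (2, 5, 10) < (2, 5, 10, 1) but (2, 5, 13) is not.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed) for lo, fixed in ranges)


def affected_deployments(inventory, advisories):
    """Every (product, component, version) that an advisory says needs a fix release."""
    hits = []
    for product, components in inventory.items():
        for adv in advisories:
            version = components.get(adv["component"])
            if version is None:
                continue
            for lo, fixed in adv["affected"]:
                if parse_version(lo) <= parse_version(version) < parse_version(fixed):
                    hits.append({
                        "product": product,
                        "component": adv["component"],
                        "version": version,
                        "advisory": adv["id"],
                        "fixed_in": fixed,
                    })
    return sorted(hits, key=lambda h: (h["product"], h["component"]))


if __name__ == "__main__":
    for hit in affected_deployments(INVENTORY, ADVISORIES):
        print(f"{hit['product']}: {hit['component']} {hit['version']} "
              f"affected by {hit['advisory']}, upgrade to {hit['fixed_in']}")
```

Run this against every release and whenever a new advisory arrives; a non-empty result is the trigger for the fix-release process in item 2. The inventory is the hard part in practice, which is why item 1 puts it first.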
Patch on AgriLife!