Preventing Disaster with Patches

Last month’s newsletter article, The Cost of Being Unprepared, explained how to calculate the dollar impact of an IT system or data network disaster. This month, we take a look at one of the potential causes of such a disaster: an intentional or malicious attack that seeks to exploit software vulnerabilities in your IT system. Software security experts investigate these vulnerabilities and devise software patches to correct specific issues. There are a number of different ways to discover and apply software patches to your system, and the story of a recent software security issue offers a lesson for every IT administrator.

Businesses have become more dependent on IT systems and data networks as functions such as accounting, point-of-sale, e-mail, client scheduling, and service databases, not to mention the electronic storage of vital documents, have been increasingly deployed throughout businesses large and small.  The Small Business Administration, through SCORE, has underscored how integral IT systems have become with research indicating that 70% of small firms that experience a major data loss go out of business within a year.

An IT system or data network disaster can originate from a number of sources.  Equipment can fail or be physically damaged by power issues, fire, flooding, or weather-related events.  Software and customer data can be compromised through the actions of employees or authorized individuals, ranging from accidentally deleting data to a laptop being stolen.   Finally, the intentional and malicious acts of others through activities like “hacking” or “denial of service attacks” can exploit system vulnerabilities and cause irreparable harm to a business.

The active management of software updates and security patches is an important aspect of an IT system vulnerability management plan. Updates and patches are regularly issued to address vulnerabilities related to both the accidental and malicious acts that can compromise a system. Certain updates and patches are critical in nature: they are designed to address specific, newly discovered threats and are issued immediately, as needed.

An example of a critical patch is described in a Microsoft Security Bulletin issued on March 13, 2012, entitled “Vulnerabilities in Remote Desktop Could Allow Remote Code Execution”. The security update resolved two privately reported vulnerabilities, one of which could allow remote code execution if an attacker sends a sequence of specially crafted remote desktop protocol packets to an affected system.

Normally, a privately reported vulnerability would be researched and a patch developed by a select group of software engineers who agree to keep their work confidential.  They will not even acknowledge the fact that a particular vulnerability exists.  Once the patch has been developed, the security bulletin is issued announcing both the vulnerability and the resolution.

The nature of this particular vulnerability demonstrates the importance of two things: announcing the issue and the resolution at the same time, and immediately applying the patch. However, in this case, there was an unusual occurrence: the vulnerability was leaked before the bulletin. Applying the patch was already ‘critical’; because the issue was leaked, applying it immediately became even more critical.

There are a number of methods to manage the application of patches. Some systems are on auto-update, with patches applied on a schedule. Other systems are monitored and actively managed. The story of this critical vulnerability, and the fact that the issue was leaked in advance, highlights the need for active management and monitoring. Actively managed systems had the patch for the ‘remote code execution’ vulnerability pushed out and installed as soon as it was available. Systems on a schedule may still be vulnerable.

It is important to understand the nature of the vulnerability and its potential impact on your network configuration. It is also important to know which patches should be applied immediately. When a bulletin is issued that refers to a privately reported issue, that issue has just been made public, which can mean that time is of the essence to apply the patch and eliminate the vulnerability present in your system.

Remote management services for your network are the solution to the vulnerability issue: they supply patch audit functions, which make sure all the recommended patches have been applied, and they install critical patches immediately as they are issued.
