To patch or not to patch

Date February 13, 2008

The security blogosphere has had a number of posts recently about vulnerability discovery and exploitation, and the topic of a lot of these discussions is "why bother patching – very few vulnerabilities are exploited anyway".  Ok, full disclosure: I work for a company that sells a vulnerability scanner, and my day job itself is to find vulnerabilities (known or unknown) in clients' networks and software, so you should take what I'm about to say with a large pinch of salt, but I think this is a very dangerous and just plain "bad" strategy, and here's why I think that way.

Secure the back door

As we all know, in security we are only as strong as our weakest link.  If that means we have a nice, strong, secure front door, but leave our back door wide open, the back door is going to be the most likely avenue of attack.  Having known, unpatched vulnerabilities on a system, especially ones which are remotely identifiable and exploitable, equates to having left the back door open.  Tools like Metasploit make taking these known vulnerabilities and using them so much easier.  The issue, I suppose (and the topic of some of the posts), is what the likelihood of a vulnerability being exploited actually is.

In my grandparents' day, it was common to leave your front door open during the day, even if they went out for a short while.  People trusted their neighbors, and everyone looked out for everyone.  Today I wouldn't dream of leaving my front door open, even though I live in one of the safest areas of the USA, and the reason isn't that I fail to appreciate how small the probability is that I would get burgled while I'm out.

According to FBI crime statistics, there were 657,020 burglaries in 2007, and 113.1 million households (based on the 2008 census, which, although it lists only 2005 figures, is still a good figure to use because the number of households will have gone up since, if anything skewing our probability down).  This leaves us with 0.005 burglaries per household, and therefore a very low probability of it happening to me.  So no, that's not the reason I lock my door (and all the windows, and the back door); the reason is that if I didn't, and I did get hit by that remarkably small chance, my insurance company could decide not to pay out for the loss – I didn't uphold my duty to "reasonably secure the property".

When it comes to company data, I believe that the same is (or should be) true – if a company undergoes some loss (of business capability, or of customer data), they should be able to be sued by their shareholders and/or customers for not providing "reasonable security".  If it's a known issue, and they don't provide mitigations for known vulnerabilities in their systems, then it might be considered that they aren't taking a responsible stance.  For a similar current example, look at the fact that the Yahoo! board are now getting suits fired at them for not accepting the Microsoft offer – in the eyes of the shareholders, the board did not do (in their opinion) what would have been best for the company.

The hoards crowd small group gathering at the gates

One of the factors in the "low probability of exploit" argument is estimating the number of attackers out there.  Jeremiah Grossman has a number of posts on estimating the number of attackers, on what it would take to "fix" all the vulnerabilities, and on applying "the formula" for whether to fix or not to fix.  All great arguments, and the consensus between them is that the population of hackers out there is small – strike one for my defense, I suppose.  The thing is, I think that drastically underestimates the population by focusing on professional security staff, or "vulnerability staff" – as I've said above, we are focusing on known vulnerabilities; the level of skill required isn't nearly as high, and if one were criminally minded, it wouldn't be all that much of a stretch to use a VEaaS (Vulnerability Exploit as a Service) model to get low-paid, unskilled staff (possibly from countries that have low wages and a "relaxed" attitude to cracking down on Internet crime – like Russia, China, Pakistan, etc.) to simply use tools and find and exploit en masse.  Just as one very simple example, there are 32437 listed users on Zone-h.org, all of whom I would guess would be quite capable of taking advantage of a known vulnerability in some fashion.

Do we know what we don’t know?

Another part of my argument here is: how do we know that only 3% of known vulnerabilities are actually being exploited?  That, to me at least, is a huge "finger in the air guesstimate".  There are a lot of attacks out there that leave no trace, even when people are looking out for them, and unfortunately not looking is very common.  One client I've just finished with had a big list of "security incidents" they were tracking posted up on their wall – great, I thought, a good proactive security strategy.  That was until I took a closer look and saw they were all from the first part of 2006!  When I asked if they had moved it somewhere else (a different room, an electronic document, online, etc.), the resounding answer was "no" – they had stopped "because it was too much effort to track".  This isn't unusual at all.

So, how do we actually know that only a few vulnerabilities are being exploited?  The short answer for me is that we don't – a good attacker can (and does) clean up after themselves and leaves very little trace, if any.  The ones that remain may not even be noticed and/or reported because of the "stigma" involved (and the fallout after the fact).  Using a concrete example, say you don't recognize a transaction on your debit card statement (of which I have hundreds a month) for something less than, say, $10.  Chances are I, and a lot of other people, would just pass it off – only if it is over a certain amount, or happens regularly enough, would I start getting concerned – it just passes under the radar as "noise".  When it comes to computer security, the same might be said – if an attacker exploited a known vulnerability with no disruption, looked like a "legitimate" user or legitimate traffic (or at least not overtly malicious), and took only a small amount of data, chances are it would go undetected.

How much effort is it to fix anyway?

The final part here is: how much effort does it take to fix these known vulnerabilities anyway?  In a lot of the network engagements I work on, there are vulnerabilities we identify that have had patches available since 2005, or earlier in some cases.  Now, there's certainly some risk in applying patches to a production system, in that the patch may cause unknown effects, but in the case of older vulnerabilities the quality of these patches and their effect on a system are well known.  In general, though, the effort it takes to apply a patch is minimal, so once we know it's "ok" for our systems (after internal QA, or some period of waiting to see how the community reacts to the patch), I would say that it's an easy trade-off – a couple of minutes of patching vs. exposure and the other consequences mentioned above.

Bruce Schneier says it in his excellent book Beyond Fear – we often overreact to some risks, while downplaying others.  I certainly don't want people to overreact to patching, but I would hate to see it downplayed too much either.

ETA:  Ok, this is strange: another post on DarkReading (where I found the original post) pretty much completely contradicts the first one.  The X-Force 2007 report [warning: PDF link] says that "most successful exploits from the past year… weren't zero-days" (i.e. they were known vulnerabilities).  So, which do you believe – known vulnerabilities either are being used in exploits, or aren't being exploited.  Take your pick – I know which side of the patching argument I'd rather be on.

One Response to “To patch or not to patch”

  1. Web Attack Trends 2007 | Mike Andrews said:

    [...] argued it before, but 15% of the vulnerabilities exploited were previously known.  ‘Nuf [...]
