
Intrusion Detection FAQ: Do I "really" need to install patches to my system? I don't run the services/products that patches were issued for.

You should install *ANY AND ALL* patches that apply to your system hardware and software, whether or not they are security related. If a program that has a patch resides on your system, APPLY THE PATCH. To repeat, if a program that has a patch resides on your system, APPLY THE PATCH. Turning off services that are not used or needed can help reduce the entry points. However, you can bet your sweet patootie that if your machine is compromised, any and all known exploits for that Operating System will be tried. Non-security patches don't have to be applied immediately, but they should be applied in the relatively near future. It should go without saying that security patches should be applied as soon as you get your grubby little hands on them. In recent attacks this year, we have seen extremely similar MOs and footprints. The same exploits were used repeatedly. Some of the machines that were compromised had the services in question turned off but not patched. Some of the machines had the recent patches for the services in question but were missing other important patches, which allowed the perpetrators to gain access and at least try the exploits. Other machines were just wide open.
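A small patch-coverage audit that applies the rule above, as an added example rather than anything from the original FAQ: a program present on the host must be at the patched version whether or not its service is turned on, and security patches are listed ahead of the rest. The inventory format, host names, package names, versions and patch identifiers are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    patch_id: str       # vendor patch identifier (constructed)
    package: str        # package the patch applies to
    fixed_version: str  # first version that carries the fix
    service: str        # service that package provides
    security: bool      # security fix: apply immediately

@dataclass
class Host:
    name: str
    installed: dict     # package -> installed version string
    enabled: set        # services currently turned on

def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so 1.2.10 sorts after 1.2.9."""
    return tuple(int(p) for p in v.split("."))

def audit(host: Host, advisories: list) -> list:
    """One finding per missing patch. A turned-off service is no exemption:
    the program is still on disk and the exploit will still be tried."""
    findings = []
    for adv in advisories:
        installed = host.installed.get(adv.package)
        if installed is None:
            continue  # product not installed: patch does not apply
        if parse_version(installed) >= parse_version(adv.fixed_version):
            continue  # already at or beyond the fixed version
        findings.append({
            "host": host.name, "patch_id": adv.patch_id, "package": adv.package,
            "installed": installed, "fixed": adv.fixed_version,
            "service_enabled": adv.service in host.enabled,
            "priority": "now" if adv.security else "next window",
        })
    # Security patches first; within a group, enabled services first.
    findings.sort(key=lambda f: (f["priority"] != "now", not f["service_enabled"]))
    return findings

# Constructed sample inventory: web1 runs an old mailer with smtp turned off;
# db1 has the mailer patched but its remote shell and a backup tool behind.
ADVISORIES = [Advisory("PATCH-0001", "mailer", "8.12.3", "smtp", True),
              Advisory("PATCH-0002", "sshd", "3.4.0", "ssh", True),
              Advisory("PATCH-0003", "backup-util", "2.1.0", "backup", False)]
HOSTS = [Host("web1", {"mailer": "8.11.6", "sshd": "3.4.0"}, {"ssh"}),
         Host("db1", {"mailer": "8.12.3", "sshd": "3.1.0", "backup-util": "2.0.0"}, {"ssh"})]
```

Running `audit` over each host in `HOSTS` still reports web1 for the unpatched mailer even though smtp is off, which is exactly the case the FAQ warns about.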

Not keeping your machine up-to-date with the most recent patches available can compromise the security of your whole infrastructure. Your infrastructure is only as secure as its weakest link.

Most vendors allow retrieval of patches over the web. CERT and CIAC also have information about security patches, including links to vendor patches when applicable.

But my vendor releases way too many patches for me to keep up with!

Then you need to put together a proposal for your higher powers to justify hiring another person to handle patching (and maybe some other security-related things you need to do). Vendors release patches for reasons other than making our lives miserable. What good is it to run any sort of intrusion detection software if your machines aren't patched, anyway? (Honeypots not included here.)

The powers-that-be won't let me take my machines down for the amount of time it will take to patch them. What can I do about this?

You need to convince them that an ounce of prevention is worth it. Do you have some sort of maintenance window built in? Apply the patches during that window. Not optimal, but it will work. The SANS Network Security Roadmap Poster has some good advice for integrating security. Their Intrusion Detection FAQ has a question about justifying IDS. Combine those items and apply them as necessary to your site and machines. Weigh the cost of taking the machine down for an hour early one morning to install patches against the cost of having to recover from a compromise. Present these figures in a professional manner to your higher powers. If you have the authority, set up a "live test" of a compromise and recovery.

Not all patches require downtime or reboots. It depends on the nature of the patch. Most of the time, patches can be installed with no inconvenience to your users.

In today's world, word of exploits travels much faster than word (or admittance) of patches ever will. It behooves all of us concerned about security to keep our machines as up-to-date as possible. It's the only way we can try to stay a step ahead.

What if the patch breaks my system?

Well, hopefully you made backups before installing any patches. This is a must if you are installing any type of kernel patches. It's an extreme case when installing patches trashes things so much that you have to restore from backups, but it's worth it to take the extra time to ensure you can recover. Besides, you should have a very regular and robust backup program in place already in case of hardware failure or recovering from a compromise.

Most vendors allow for backing out their patches. With Solaris you can use the patchrm program. With Tru64 you would run their dupatch program and choose the delete option. In order for these to work, however, the patches need to be installed properly to allow backing out. By default Solaris backs up the files to be patched; installing with patchadd -d skips that backup, so there is nothing for patchrm to restore. You can keep the backout data in a directory other than the default under /var/sadm by installing with patchadd -B PATHNAME, where PATHNAME is an absolute path name, and later removing the patch with patchrm -B PATHNAME. Tru64 asks during the patch installation if patches should be made reversible and gives you the option to change where they are kept. If at all possible, install patches in such a way that they can be backed out.

There are some instances where a new patch will not be installed properly unless the old patch is backed out. I cannot repeat often enough that it is a very good idea to install your patches in such a way that you are able to back them out if needed, and you should back up your system before installing patches.
-----------------
Laurie Zirkle