Experience shows that consumers, whether ordinary people using their computers for everyday tasks or experienced network administrators, are rarely very open to security updates. Having talked to many network admins about security updates, and especially about Service Packs (which do not necessarily contain only security updates) for operating systems such as Windows Server, I found that they mostly showed little interest in installing certain updates and service packs, for a few reasons:
- They considered some of the security updates unnecessary.
- Some believed it was too risky to install certain updates for fear that a service might break down. Some also believed that certain hotfixes and security patches are not compatible with other services and could cause problems.
- They mostly regarded service packs as unnecessary update packages, reasoning that they had already installed the hotfixes they needed and that the rest of what a service pack contains is unnecessary.
In my own experience, I have always seen people hit by a well-known Internet worm such as Sasser, and even afterwards they kept looking for a virus removal tool to get them out of trouble rather than a security patch, unaware that anti-virus software cannot stop a worm from functioning.
So you can see that the security people at Microsoft have a very hard road ahead in educating all those users and admins and convincing them that patching a system is the best thing every user can do to stay safe on the Internet. But here comes another concept, called Security from the Inception: instead of going through all the difficulties of educating users, which seems nearly impossible at times, a much better approach is to secure the code of the products themselves by applying the SDL (Security Development Lifecycle) from the very beginning of a product's development. That is how we can reduce the impact of security vulnerabilities missed during the software development process.
Right now Microsoft is on the right track toward more secure code simply by applying the SDL, as we can see fewer security vulnerabilities in its products.
If you have some years of experience in information security, you must have seen a couple of well-known Internet worms hit your network and damage your environment. Many network or security administrators only remember to patch their network after they have been hit by attackers or worms, and honestly speaking, that is terrible for a security guy…
The Microsoft Security Bulletin Advance Notification released every month is intended to let security people plan 3 days ahead of the release of Microsoft's security updates. The Advance Notification includes information about:
- The number of new security updates
- The software affected
- The severity levels of vulnerabilities
- Information about any detection tools relevant to the updates
Now the question is: what can a security admin do with all this information?
Before I answer this question, let me take you through the process of how a worm or an exploit is created. There are websites like Security Focus and many more that publish security advisories about the most recent security vulnerabilities in various software. Since Microsoft is a big company with so many products, some of these vulnerabilities, at different severity levels, are found in Microsoft software and operating systems.
So what hackers do is check these websites every day, find the critical security bugs and write exploits or worms for them. The Microsoft Security Response Center releases security updates for all those vulnerabilities once a month (on the second Tuesday of the month), so we can say that hackers tend to stay ahead, writing exploits and worms and releasing them onto the Internet before the updates are out. Since writing a worm is not a short process, and a fairly advanced one can take weeks, there are usually some days left for a security admin to take action.
What could be the action?
- Check the Microsoft Security Bulletin Advance Notification 3 days before the updates are out.
- Check whether any of the affected operating systems and software are present in your network environment.
- Check whether any of them sits in a critical part of your network, such as the network edge.
- If so, and the security risk is critical (High) and the vulnerability is a denial-of-service vulnerability, then you could place a firewall between the affected server and the Internet. If you have a virtual edge and DMZ, this is easier to do since that setup is more dynamic. (Check out this blog post of mine.)
- If the vulnerability is critical but it is a buffer overflow or any other kind of vulnerability, then you need to dig deeper to see which port or which service on the server causes the security problem, and then filter that port or disable the service if doing so does not disrupt the network.
- Keep an eye on the log files of the affected servers and services, and enable alerting so that you are aware of any attacks.
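As an added example (not part of the original post), here is a small Python triage script that walks through the steps above against constructed data: the advance-notification summary and the host inventory with network zones are made-up sample input, and the product names, ports and zone labels are assumptions. It maps each affected host to the action described above, listing Internet-facing hosts first.

```python
"""Triage helper for the advance-notification workflow described above.
Everything below is constructed sample data, not a real Microsoft bulletin."""

# Constructed: one line per announced update (product, severity, vulnerability class, port)
ADVANCE_NOTIFICATION = [
    {"product": "Windows Server 2003", "severity": "Critical", "kind": "denial of service", "port": 445},
    {"product": "Windows Server 2003", "severity": "Critical", "kind": "buffer overflow", "port": 135},
    {"product": "Exchange Server 2003", "severity": "Important", "kind": "information disclosure", "port": 25},
    {"product": "SQL Server 2005", "severity": "Critical", "kind": "buffer overflow", "port": 1433},
]

# Constructed: host inventory; "edge" and "dmz" mark systems reachable from the Internet
INVENTORY = [
    {"host": "web01", "products": ["Windows Server 2003"], "zone": "edge"},
    {"host": "mail01", "products": ["Windows Server 2003", "Exchange Server 2003"], "zone": "dmz"},
    {"host": "db01", "products": ["Windows Server 2003", "SQL Server 2005"], "zone": "internal"},
    {"host": "file02", "products": ["Windows Server 2008"], "zone": "internal"},
]

EXPOSED_ZONES = {"edge", "dmz"}
ZONE_ORDER = {"edge": 0, "dmz": 1, "internal": 2}


def recommend(entry, host):
    """Map one (bulletin entry, host) pair to the interim action the post describes."""
    exposed = host["zone"] in EXPOSED_ZONES
    if entry["severity"] != "Critical":
        return "schedule patch on release day; monitor logs"
    if exposed and entry["kind"] == "denial of service":
        return "place a firewall in front of the host toward the Internet; enable alerting"
    if exposed:
        return f"filter port {entry['port']} or disable the affected service; enable alerting"
    return "patch first on release day; not Internet-facing"


def triage(notification, inventory):
    """Return (host, product, kind, action) for every affected host, most exposed first."""
    findings = []
    for host in inventory:
        for entry in notification:
            if entry["product"] in host["products"]:
                findings.append((host["host"], entry["product"], entry["kind"], recommend(entry, host)))
    zone_of = {h["host"]: h["zone"] for h in inventory}
    findings.sort(key=lambda f: ZONE_ORDER[zone_of[f[0]]])  # stable: keeps bulletin order within a zone
    return findings


if __name__ == "__main__":
    for host, product, kind, action in triage(ADVANCE_NOTIFICATION, INVENTORY):
        print(f"{host:7} {product:22} {kind:24} -> {action}")
```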
You should take this advice seriously if you want to stay safe against possible attacks. Remember that prevention is always better than cure.