Pub. 7 2018 Issue 3
Fall 2018

security. Instead, a critical update is an “update which fixes specific, non-security related, critical bug. That bug can cause, for example, serious performance degradation, interoperability malfunction or disturb application compatibility.” [1] Microsoft and WSUS have different definitions and settings for security updates, ranging from critical to unspecified. A critical update addresses a “vulnerability whose exploitation could allow the propagation of an internet worm without user action, and possibly without user interaction” and should be installed as soon as possible. However, the next security update level is defined as important, which addresses “a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources…including common use scenarios where the client is compromised with warnings or prompts” and should be installed at the earliest opportunity.

Linux and Unix operating systems must also be updated to address vulnerabilities, and this process will vary depending on the distribution used. For third-party products, such as Java, Adobe, and VMware, the patching process is more complicated, as one must rely on third-party patching software, user interaction, notifications of updates, or a combination of all three.

Regardless of the patch process used, the patch window must also be defined. For Java or Adobe, it is typically recommended to install as soon as an update is available, if at all possible, because of the vulnerabilities addressed in each update. For Windows or Office products, a window of 30 days or so is normal. However, issues can arise regardless of patch provider, and a cautious admin would test major updates before rolling them out to all production systems.

Application of updates is another item for careful consideration. For many patches, a simple process of installation and maybe a reboot will suffice. For others, especially some Microsoft patches, an additional step needs to occur before the installed patch is effective. For example, the initial patch to address the SPECTRE/MELTDOWN vulnerabilities required a registry setting change for KB4056898 [2]. This requirement was addressed in another KB a few months later, but in the meantime any system that did not have the correct registry setting could not be fully patched, and therefore the vulnerability remained. In short, it is important to review the associated documentation for any major patch to ensure it will be properly applied.

Finally, regardless of provider, patch process, or patch window, any and all updates should be verified as having been successfully applied. There is an often-spoken rule of “trust but verify,” and it especially applies to patch management. Verification can be performed in a number of ways, ranging from spot checks to internal vulnerability scanning using one of a number of available tools, such as Nessus or GFI LanGuard. Before deciding on a tool, however, some tests should be performed to ensure the information obtained is accurate and applicable to the issues at hand.

In summary, while it cannot be guaranteed that one will not be singing “NeverEnding Paaaaaattccheeeeees!” while performing security updates on a myriad of systems, perhaps the steps outlined above can lead to not only a more secure network but a more manageable one as well.

Daniel Lindley is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, used by over 1400 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.
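The “trust but verify” step above, for a patch that only becomes effective once a registry setting is also in place, as an added PowerShell example (not from the article or from CoNetrix): it reports a KB as “effective” only when it is both listed as installed and its required registry value holds the expected data. The registry path, value name and expected data are placeholders to be replaced with what the KB’s documentation specifies; the check runs on the local machine.

```powershell
# Added example: verify that a KB is installed AND that the post-install
# registry setting its documentation requires is present with the expected data.
# The KB number comes from the article; registry path, value name and expected
# data are PLACEHOLDERS, to be taken from the KB article for the patch in question.

$Checks = @(
    @{
        KB           = 'KB4056898'                           # from the article
        RegistryPath = 'HKLM:\SOFTWARE\PLACEHOLDER\Path'     # placeholder: see KB doc
        ValueName    = 'PlaceholderValueName'                # placeholder: see KB doc
        Expected     = 0                                     # placeholder: see KB doc
    }
)

function Test-PatchEffective {
    param(
        [Parameter(Mandatory)] [string] $KB,
        [Parameter(Mandatory)] [string] $RegistryPath,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] $Expected
    )

    # Step 1: does the installed-update list contain the KB at all?
    $installed = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # Step 2: does the required registry value exist and match the documented data?
    # A missing key, missing value or wrong data all count as "not effective".
    $actual = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty $ValueName -ErrorAction SilentlyContinue
    $registryOk = ($null -ne $actual) -and ($actual -eq $Expected)

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        KB         = $KB
        Installed  = $installed
        RegistryOk = $registryOk
        Effective  = ($installed -and $registryOk)   # "installed" is not "effective"
        ActualData = $actual
    }
}

# One row per check; a spot check that a scanner should agree with.
foreach ($c in $Checks) { Test-PatchEffective @c | Format-Table -AutoSize }
```

To run the same check across a fleet, wrap the call in Invoke-Command against the list of hosts and collect the rows; any row with Installed true but Effective false is exactly the “patched but still vulnerable” case the article describes.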
[1] https://blogs.technet.microsoft.com/dubaisec/2016/01/28/windows-update-categories/
[2] https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898