Unpatched vulnerabilities are one of the major entry points for cyberattacks. With attacks on infrastructure increasing, IT teams are struggling to keep up with the swarm of newly discovered problems. Patch management should therefore be a central focus for IT and security teams in the race to stay ahead of attackers.
Linux runs most of the public cloud infrastructure: about 90%, according to the 2017 Linux Kernel Development Report by the Linux Foundation. It also powers 82% of the world’s smartphones and 9 of the top 10 public clouds. Linux also has a strong reputation for security, especially when compared to other operating systems.
However, recent serious Linux-related vulnerabilities indicate that Linux needs to be managed as tightly as any other set of IT assets.
About the author
Shailesh Athalye is Qualys’ SVP of Product Management.
How can you better protect your infrastructure over the long term? Are you overconfident in Linux and security? And how can you manage the patching process more efficiently?
Understand the patch management process
Software is complex. Problems such as design flaws and programming errors occur naturally, and these flaws can lead to security issues. The key is to discover these vulnerabilities before they can be exploited and address them quickly.
Proprietary software companies have full control over the update process. The most recognizable approach is the industry-wide monthly Patch Tuesday release by Microsoft, Adobe, and others.
These releases describe the vulnerabilities, assign severity levels, and help IT teams prioritize patching based on severity and risk. This approach allows IT and security teams to plan their patching.
For Linux, the process is very different. Since Linux is open source, issues are discovered by community members and updates are published at any time. The process is designed so that everyone affected (from the largest open source distributions run by global vendors to smaller versions run by community teams) can incorporate updates into their own versions.
Companies like Red Hat and SUSE run mailing lists that alert the community in real time to patches for known vulnerabilities, rather than being limited to a monthly rhythm. This process upholds the core open source principles of openness, transparency and traceability for all.
The importance of Linux
It’s important not to be complacent about Linux and security. First, the huge number of Linux-based distributions and variants means that one problem can result in multiple sets of patches that need to be deployed, one for each distribution or asset you use.
Keeping up with this can be very complicated. As a result, it’s easy to see how a team can fall behind, especially if it assumes that Linux is inherently safer.
Undoubtedly, Linux’s greatest strength (the fact that it is open source) is also its biggest challenge.
As vulnerabilities become publicly known, they can be investigated by anyone, and often proof-of-concept code is written to demonstrate the problem. This helps Linux maintainers and provides insight into the problem, but the same data can also be used to find other ways to exploit the original vulnerability.
If an organization running Linux is not up to date with patch management, it is easier for an attacker to attempt an exploit based on these public examples.
Linux patching process challenges
To effectively manage Linux patching, there are three factors that need to work together.
The first step is to build an accurate IT asset inventory that tracks your hardware, operating systems, software, and other services. This provides a complete list of what is running and the current status of each asset.
With this in hand, you can see which vulnerabilities exist and which patches need to be installed. With so many new issues being discovered, it may not be possible to patch them all immediately.
Instead, you can prioritize the issues that are most urgent to address because they are the most risky, the most widespread, or the most dangerous. How you weigh these depends on your company, what it runs, and its appetite for risk.
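The three steps above (inventory, match against advisories, rank by risk and spread) can be expressed as a small correlation script. The following is an added example, not code from the article or from any Qualys product; every host, distribution, package version, advisory id and severity score in it is constructed sample data, and the version comparison is a simplified stand-in for the distribution's own comparator (such as `dpkg --compare-versions` or `rpmdev-vercmp`).

```python
"""Correlate an asset inventory with vendor advisories and rank the patch work.

Added illustration, not from the article or any vendor product. All hosts,
package versions, advisory ids and severities below are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: one record per host, as an asset-discovery step would produce.
INVENTORY = [
    {"host": "web-01", "distro": "ubuntu-22.04",
     "packages": {"openssl": "3.0.2-0ubuntu1.9", "sudo": "1.9.9-1ubuntu2.3"}},
    {"host": "web-02", "distro": "ubuntu-22.04",
     "packages": {"openssl": "3.0.2-0ubuntu1.12", "sudo": "1.9.9-1ubuntu2.3"}},
    {"host": "db-01", "distro": "rhel-9",
     "packages": {"openssl": "3.0.7-16.el9", "sudo": "1.9.5p2-7.el9"}},
    {"host": "build-01", "distro": "rhel-9",
     "packages": {"openssl": "3.0.7-24.el9", "sudo": "1.9.5p2-9.el9"}},
]

# Constructed advisories: the fixed version per distribution plus a 0-10 severity score.
# Real advisories arrive per distribution, which is why each entry carries several fixes.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "severity": 9.8,
     "fixed": {"ubuntu-22.04": "3.0.2-0ubuntu1.12", "rhel-9": "3.0.7-24.el9"}},
    {"id": "ADV-EXAMPLE-0002", "package": "sudo", "severity": 7.8,
     "fixed": {"ubuntu-22.04": "1.9.9-1ubuntu2.4", "rhel-9": "1.9.5p2-9.el9"}},
]


def version_key(version):
    """Split a version string into chunks: digit runs compare numerically, the rest lexically.

    Simplified stand-in for dpkg/rpm version comparison; good enough for versions
    within one distribution, which is the only comparison made here.
    """
    parts = re.split(r"(\d+)", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts if p)


def is_vulnerable(installed, fixed):
    """True when the installed version predates the version that carries the fix."""
    return version_key(installed) < version_key(fixed)


def find_exposures(inventory, advisories):
    """Yield (advisory_id, host, package, fixed_version) for every unpatched host/advisory pair."""
    for host in inventory:
        for adv in advisories:
            fixed = adv["fixed"].get(host["distro"])
            installed = host["packages"].get(adv["package"])
            if fixed is None or installed is None:
                continue  # advisory does not cover this distro, or package is not installed
            if is_vulnerable(installed, fixed):
                yield adv["id"], host["host"], adv["package"], fixed


def prioritize(inventory, advisories):
    """Rank advisories by severity first, then by how many hosts are exposed."""
    severity = {a["id"]: a["severity"] for a in advisories}
    affected = defaultdict(list)
    for adv_id, host, _pkg, _fixed in find_exposures(inventory, advisories):
        affected[adv_id].append(host)
    ranked = sorted(affected.items(), key=lambda kv: (-severity[kv[0]], -len(kv[1])))
    return [{"id": k, "severity": severity[k], "hosts": sorted(v)} for k, v in ranked]


def patch_plan(inventory, advisories):
    """Per-host list of (package, target version) the patch team needs to deploy."""
    plan = defaultdict(list)
    for _adv_id, host, pkg, fixed in find_exposures(inventory, advisories):
        plan[host].append((pkg, fixed))
    return {host: sorted(items) for host, items in plan.items()}


if __name__ == "__main__":
    for entry in prioritize(INVENTORY, ADVISORIES):
        print(f"{entry['id']} severity={entry['severity']} hosts={entry['hosts']}")
    for host, items in sorted(patch_plan(INVENTORY, ADVISORIES).items()):
        print(f"{host}: {items}")
```

Hosts already at or above the fixed version drop out, so the plan only lists work that actually reduces exposure; sorting by severity before breadth reflects the text's ordering of "most risky" ahead of "most widespread", and swapping the two keys in `prioritize` is the one-line change for an organization that weighs breadth higher.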
One of the challenges is that gathering the data needed to discover assets, scan for vulnerabilities, and prioritize and fix them may require multiple tools that do not communicate with each other.
Some may argue that the more tools you have, the better. Many security professionals were once taught that quantity equals quality. A safety blanket of multiple overlapping asset tools may sound reassuring for keeping track of vulnerabilities and defensive gaps, but in reality, over time it becomes a bigger obstacle for IT and security teams to manage.
In fact, every tool you employ has its own overhead and its own way of classifying data. When comparing data between tools and teams, it is difficult to get accurate information in real time.
Teams can also end up doing double the work, because they have to manually correlate the data before they can tackle the patching issues the tools find. The workload facing IT teams keeps increasing, so eliminating duplication and automating processes can deliver immediate results.
For example, organizations that use different tools to detect assets, perform vulnerability scans, prioritize, and patch first face the challenge of getting all the different products to “agree” on how to identify devices. Without this “agreement”, reports cannot be generated and remediation jobs cannot be started.
To complicate matters, organizations that use multiple tools for these tasks typically have to run a time-consuming process before patch teams can deploy patches for high-priority vulnerabilities.
This typically involves sending the patch team a report with a list of prioritized vulnerabilities. The patch team then has to investigate each vulnerability, understand the available patches, and evaluate which patches need to be deployed, since this depends on the environment.
This process can be time consuming and requires a lot of effort from each team. Long and complex patch management processes like these can also be pushed aside when other, seemingly “more urgent” tasks come up.
This poses a risk to organizations, which could be unknowingly exposed to attack because vulnerabilities remain unpatched for longer than necessary.
Consolidation holds the key to success
The community is aware that this is a flawed process. As a result, more tools have become available to minimize some steps in this process, but most are still inadequate and require manual intervention along the way.
Instead, if your organization can use a single solution to scan for vulnerabilities, prioritize them, and fix them from one console, the process is dramatically streamlined and patch management becomes much easier.
This eliminates the need to manually investigate and report on individual vulnerabilities and the patches associated with individual systems. Patches can be deployed with a single click, and the same console documents the process and provides up-to-date reports of fixed vulnerabilities to close the loop.
Ultimately, the team needs to create an efficient and effective workflow that covers as many operating systems as possible, with both proactive and reactive patching approaches.
Rather than having separate tools for Windows, Linux, internal and cloud assets, you can increase efficiency by consolidating all your asset data in one place. This provides a comprehensive overview of what you own and what to prioritize, regardless of where the asset is hosted.
Due to the ever-changing threat landscape, it is not enough to schedule monthly or weekly scans from multiple agents. Enterprises should strive for continuous automated scanning so that they can detect and fix problems in real time.
This ensures that IT and security teams are always working from current data. It also means that the remediation approach can be automated.
Why Linux’s greatest strengths are also its greatest weaknesses