Timing the Application of Security Patches for Optimal Uptime Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright† –Wirex Communications, Inc

Timing the Application of Security Patches for Optimal Uptime Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright† –Wirex Communications, Inc

Timing the Application of Security Patches for Optimal Uptime Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright† –WireX Communications, Inc. Adam Shostack –Zero Knowledge Systems, Inc. ABSTRACT Security vulnerabilities are discovered, become publicly known, get exploited by attackers, and patches come out. When should one apply security patches? Patch too soon, and you may suffer from instability induced by bugs in the patches. Patch too late, and you get hacked by attackers exploiting the vulnerability.Weexplore the factors affecting when it is best to apply security patches, providing both mathematical models of the factors affecting when to patch, and collecting empirical data to give the model practical value. Weconclude with a model that we hope will help provide a formal foundation for when the practitioner should apply security updates. Introduction of penetration due to attack and of corruption due to a defective patch, with respect to time, and then solve ``To patch, or not to patch, – that is the question: – for the intersection of these two functions. Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous script kiddies, These costs are functions of more than just time. Or to take up patches against a sea of troubles, We attempt to empirically inform the cost of failure And by opposing, end them?'' [24] due to defective patches with a survey of security advisories. Informing the cost of security penetration `` W h e n to patch?''presents a serious problem to due to failure to patch is considerably more difficult, the security administrator because there are powerful because it depends heavily on many local factors. competing forces that pressure the administrator to While we present a model for penetration costs, it is apply patches as soon as possible and also to delay up to the local administrator to determine this cost. patching the system until there is assurance that the patch is not more likely to cause damage than it pro- Bad Patch Risk poses to prevent. Patch too early,and one might be Penetration Risk applying a broken patch that will actually cripple the Optimal Time to Patch system'sfunctionality.Patch too late, and one is at risk from penetration by an attacker exploiting a hole that is publicly known. Balancing these factors is problematic. Risk of The pressure to immediately patch grows with Loss time after the patch is released, as more and more script kiddies acquire scanning and attack scripts to facilitate massive attacks [4]. Conversely,the pressure to be cautious and delay patching decreases with time, as more and more users across the Internet apply the patch, providing either evidence that the patch is Time defective, or (through lack of evidence to the contrary) Figure1:Ahypothetical graph of risks of loss from that the patch is likely okay to apply.Since these penetration and from application of a bad patch. trends go in opposite directions, it should be possible The optimal time to apply a patch is where the to choose a time to patch that is optimal with respect to risk lines cross. the risk of compromising system availability.Figure 1 conceptually illustrates this effect; where the lines cross In particular,many security administrators feel is the optimal time to patch, because it minimizes the that it is imperative to patch vulnerable systems imme- total risk of loss. diately.This is just an end-point in our model, repre- senting those sites that have very high risk of penetra- This paper presents a proposed model for finding tion and have ample resources to do local patch testing the appropriate time to apply security patches. Our in aid of immediate deployment. Our intent in this approach is to model the cost (risk and consequences) study is to provide guidelines to those who do not †This work supported by DARPAContract F30602-01-C- have sufficient resources to immediately test and patch 0172. everything, and must choose where to allocate scarce 2002 LISA XVI – November 3-8, 2002 – Philadelphia, PA101 Timing the Application of Security Patches for Optimal Uptime Beattie, et al. security resources. Wehave used the empirical data to Most system administrators understand that these arrive at concrete recommendations for when patches risks are present, either from personal experience or should be applied, with respect to the apparent com- from contact with colleagues. However,weknow of no mon cases in our sample data. objective assessment of how serious or prevalent these It should also be noted that we are not considering flaws are. Without such an assessment it is hard to the issue of when to disable a service due to a vulnera- judge when (or even if) to apply a patch. Systems bility.Our model considers only the question of when administrators have thus had a tendency to delay the to patch services that the site must continue to offer.In application of patches because the costs of applying our view,ifone can afford to disable a service when patches are obvious, well known, and have been hard to there is a security update available, then one probably balance against the cost of not applying patches. Other should not be running that service at all, or should be sources of delay in the application of patches can be running it in a context where intrusion is not critical. rigorous testing and roll-out procedures and regulations by organizations such as the US Food and Drug Lastly,wedonot believe that this work is the Administration that require known configurations of final say in the matter,but rather continues to open a systems when certified for certain medical purposes [1]. new area for exploration, following on Browne, et al. [4]. As long as frequent patching consume a signifi- Some organizations have strong processes for cant fraction of security resources, resource allocation triaging, testing, and rolling-out patches. Others have decisions will have to be made concerning how to deal mandatory policies for patching immediately on the with these patches. release of a patch. Those processes are very useful to them, and less obviously,toothers, when they report The rest of this paper is structured as follows. The bugs in patches. The suggestions that we make regard- next section presents motivations for the models we use ing delay should not be taken as a recommendation to to describe the factors that make patching urgent and abandon those practices.1 that motivate caution. Then, the next section formally The practical delay is difficult to measure, but its models these factors in mathematical terms and pre- existence can be inferred from the success of worms sents equations that express the optimal time to apply such as Code Red. This is illustrative of the issue cre- patches. The subsequent section presents methods and ated by delayed patching, which is that systems remain issues for acquiring data to model patch failure rates. vulnerable to attack. Systems which remain vulnerable The paper then presents the empirical data we have col- run a substantial risk of attacks against them succeed- lected from the Common Vulnerabilities and Exposures ing. One research project found that systems containing (CVE) database and describes work related to this months-old known vulnerabilities with available but study.The paper ends with discussions the implications unapplied patches exposed to the Internet have a ``life of this study for future work and our conclusions. expectancy''measured in days [14]. Once a break-in Problem: When ToPatch has occurred, it will need to be cleaned up. The cost of such clean-up can be enormous. The value of applying patches for known secu- Having demonstrated that all costs relating to rity issues is obvious. A security issue that will shortly patch application can be examined in the ``currency'' be exploited by thousands of script-kiddies requires of system administrator time, we proceed to examine immediate attention, and security experts have long the relationship more precisely. recommended patching all security problems. How- ever,applying patches is not free: it takes time and Solution: Optimize the Time to Patch carries a set of risks. Those risks include that the patch will not have been properly tested, leading to loss of To determine the appropriate time to patch, we stability; that the patch will have unexpected interac- need to develop a mathematical model of the potential tion with local configurations, leading to loss of func- costs involved in patching and not patching at a given tionality; that the patch will not fix the security prob- time. In this section we will develop cost functions lem at hand, wasting the system administrator's time. that systems administrators can use to help determine Issues of loss of stability and unexpected interaction an appropriate course of action. have a direct and measurable cost in terms of time First, we define some terms that we will need to spent to address them. Todate, those issues have not take into account: been a focus of security research. There is a related • epatch is the expense of fixing the problem issue: finding a list of patches is a slow and labor- (applying the patch), which is either an oppor- intensive process [7]. While this makes timely appli- tunity cost, or the cost of additional staff. cation of patches less likely because of the investment • ep.recover is the expense of recovering from a of time in finding them, it does not directly interact failed patch, including opportunity cost of work with the risk that applying the patch will break things. 1As a perhaps amusing aside, if everyone were to follow However,the ease of finding and applying patches has our suggested delay practice, it would become much less ef- begun to get substantial public attention [20] and is fective.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us