Patch Management: An Effective Line of Defense for UNIX and Linux 

 
Download Article

UNIX/Linux Security Vulnerabilities Rising

Earlier this year, confidential vulnerability information managed by the CERT Coordination Center at Carnegie Mellon University, Pennsylvania, USA, was leaked to the public. Moreover, the leak happened to be a flaw in portable document format (PDF) readers for UNIX that could allow a remote attacker to trick users into executing malicious code on their machines, according to a copy of the leaked vulnerability report. And, while seemingly a lower profile issue than the Microsoft Windows operating system, there is a documented increase in UNIX and Linux security breaches.

According to a new report by London-based security research firm mi2g, cyberattacks worldwide hit record levels in May 2003, with more than three-quarters of successful breaches made against Linux-based systems. A record 2,576 attacks were recorded on 4 May, and 23,009 were recorded for the month of May. Members of the web site Zone-H.org, which tracks digital attacks and current security technology news, confirmed that the analysis indicates Linux attacks have widened, while Windows breaches have waned since January 2003. Mi2g attributes the upswing in Linux attacks to misconfigured systems and to a lack of standard security practices for online server management within the open source community. The security firm also blames Linux's growing popularity, which makes these systems bigger hacker targets.

UNIX/Linux-based software vulnerabilities are among those currently listed as the top 20 most critical vulnerabilities by the SANS Institute and the US Federal Bureau of Investigation (www.sans.org/top20/). The list's UNIX category includes the Simple Network Management Protocol and Sendmail vulnerabilities. These vulnerabilities are considered by many to be the two most important vulnerabilities to research, test and quickly patch to prevent hostile attacks, reduce the onslaught of spam, and keep organizational network systems up and running 365/24/7.

Figure 1

In 1998, the IT industry and financial vertical markets saw the first widespread example of a successful Linux threat—the Linux.ADM.Worm. In addition to its worm-like characteristics, it also exploited a widely known vulnerability, causing the compromise of a large number of corporate and public sector systems. In September 2002, the Linux.Slapper worm emerged and caused significant disruption. Along with Slapper, a number of highly sophisticated Linux (and UNIX) viruses have emerged in recent months. These threats have demonstrated that malicious code writers are developing a high level of sophistication—of a more professional nature—in programming, and possess an increased familiarity with the Linux operating system and its applications. With the META Group projecting Linux (UNIX) penetration at as much as 45 percent of the market for new servers by 2006/2007, the Security Supersite (http://security.ziffdavis.com) plans to carefully watch the threat landscape for this OS environment over the next few years.

As UNIX and Linux Become Mainstream,
Patch Management Takes the Stage

Over the past decade, there has been a surge of public and private organizations adopting the proprietary UNIX operating system as well as Linux to reduce network and data center costs. Additionally, most will agree that the UNIX- and Linux-based systems have directly improved stability and security following the terrorist attacks that occurred in the US on 11 September 2001 and a subsequent increase in cyberterrorism. For example, energy conglomerate Conoco Inc. announced in August 2000 that it built and deployed a Linux-based supercomputer to analyze extensive seismic data. Four years ago, Burlington Coat Factory Warehouse Inc. became one of the largest companies to commit to a rollout of more than 1,000 Linux PCs and servers. And, when the extension of the Bay Area Rapid Transit (BART) to the San Francisco International Airport required an upgrade to the Electrification Display Systems of the Operations Control Center, Linux was again chosen for its open source flexibility, stability and lower implementation costs.

Some in the UNIX/Linux camp suggest that the almost synonymous proprietary and open source operating systems are currently very stable in nature and that a formal patch management program need not be a mandatory element for organizations developing cybersecurity plans—a corporate component that is fast becoming common practice. However, given the surmounting security vulnerability evidence noted on the SANS (www.sans.org) and CERT (www.cert.org) web sites, as well as input from organizations (public and private) using heterogeneous networks, it is clear that those tasked with managing UNIX/Linux (as well as Windows) operating systems should absolutely develop and implement automatic patch management as a key element of their vulnerability remediation procedures.

In META Group Research Analyst Kai Sander's recent report, "Easing Patch Management Pain Through Process and Automation Service Management Strategies, Operations Strategies," the message is clear: improved patch management will decrease end-user downtime and minimize risk to business-critical systems.

An open source problem that resonates across the Linux space is the fact that everyone has accessibility to the source code. While this unique attribute is what makes the operating system so appealing and cost-effective to many, it can also be at the core of what makes the OS so much easier for hackers (or "crackers" as coined by the Linux and UNIX camps) to exploit than with traditional vendor software offerings. Rather than looking at the side effects of commercial software to deduce the vulnerabilities, hackers (or crackers) can directly see the Linux source code and figure them out. This means that "cracking" open source code can, in fact, be faster and more pervasive. However, in defense of the Linux OS, the developers who so passionately stand by open source ease of use are also extremely quick in fixing and releasing patches for those vulnerabilities. For more information on open source vulnerability remediation, go to www.opensource.org.

As Linus Torvald, the father and keeper of Linux, openly purports, "The Linux OS is truly an open book in terms of when and what patches have been applied." While his claim is true for the open source flavor of UNIX, it is always recommended that the security information technology officer—who the majority of time deals with heterogeneous networks—embrace best practice processes including the implementation of automated patch management around their UNIX/Linux systems.

Get It Right the First Time Round:
Best Practice Patch Management

At the US Department of Agriculture (USDA), integrating cross-platform, patch management technology was a cybersecurity necessity, explains John Gambriel, manager of architecture and special projects, cybersecurity, at the USDA Office of Chief Information Officer. "UNIX/Linux patching is every bit as important to USDA as [patching] Microsoft Windows. Since these [UNIX/Linux] operating systems typically have a more modular, complex design, patching becomes even more difficult and time-consuming without the support of patch management guidelines and software."

Another major benefit to the USDA of developing best practice patch management guidelines and using an intuitive patch management program is the configuration and inventory management capabilities. Gambriel further describes his department's everyday IT security challenges. "In a distributed, heterogeneous environment like the USDA, obtaining and maintaining a baseline for hardware and software is next to impossible. This issue, combined with declining budgets and depleted core competencies, makes it impossible to enforce policies at the desktop level. Cross-platform, automatic patch management software can enable this type of management control without the need for additional personnel, if implemented properly."

One UNIX/Linux-based vulnerability dealt with by the USDA in recent months is Sendmail, the program that sends, receives and forwards most electronic mail processed on UNIX and Linux computers. While most of the Sendmail exploits are successful only against older versions of the software, there remain many outdated or misconfigured versions still in use today, making Sendmail one of the most frequently attacked services.

The Patch Management Process

With vulnerabilities penetrating private and public sector networks on a daily basis, understanding higher level cyberterrorism defense strategies is the first step in making sure an organization's network is protected. Some of the most important strategies to consider prior to formalizing a patch management program include:

  • Research and develop an IT security plan that mitigates external and internal computer threats.
  • Implement three key policies as a part of the overall IT security program:
    • Understand who should/can access what software and system information.
    • Put the necessary control in place to enforce the security policies.
    • Develop a formal disaster recovery program and utilize
    • offsite backup storage.
  • Close all ports that are not necessary; when software is installed, fine-tune defaults for every system environment.
  • Use cost-benefit analyses to determine the optimal level of protection when implementing IT security solutions including:
    • Asset management
    • Vulnerability assessment
    • Threat intelligence
    • Correlation and prioritization
    • Vulnerability remediation (automated patch management)
    • Isolation
    • Reporting and management

Once IT defense strategies are in place, IT administrators are in a position to actively relieve patch management pain. The following list reviews enterprise patch management processes:

  • Research—Investigate, assess the impact, review application dependencies, identify targets, and assess hardware and software requirements.
  • Plan—Schedule (including resources and personnel) and develop scripts.
  • Test—Develop a test plan; configure, install, test and validate; and verify requirements.
  • Pilot—Repeat: x times-login, copy, install, reboot, verify and test.
  • Rollout—Repeat: y times—login, copy, install, reboot, verify, test and support.
  • Monitor—Enforce/validate subscriptions, vendors (including newsgroups), web searches (including vendor associations, CERT/NIST, SANS, etc.) and preliminary assessment.

Increase UNIX/Linux Security
Through Effective Patch Management

As the demand for cross-platform security applications for UNIX, Linux, NetWare and Windows operating systems grows over the next decade, it will be essential for security consultants and vendors to listen carefully to the requests and concerns of customers, third-party partners and beta evaluators.

In the past six months, the new US Department of Homeland Security and the most recent departmental offshoot, the US Division of National Cyber Security, authored and distributed for public comment the Strategy for Securing Cyber Space (www.whitehouse.gov/pcipb). As one of the five critical elements of this strategy, the need for companies and public organizations to implement a concise vulnerability remediation program is underscored.

Noting the importance of implementing a patch management process regardless of platform, Kai Sander has said, "It is absolutely critical for IT security professionals to approach patch management from a technology-agnostic perspective—the OS platform should not deter from patching. Ensuring that critical network servers are regularly patched and instituting a formalized patch management process using the latest in automated patch management technology is very forward-thinking and smart. While most will follow a stepping-stone approach—first applying the patch management process to core servers (e.g., Microsoft), then to other OS servers, and finally to endpoints like desktops and laptops—those organizations that consider themselves technology and security leaders will implement patch management across all network environments, including UNIX and Linux."

References

META Group, Kai Sander, research analyst

Sander, Kai; "Easing Patch Management Pain Through Process and Automation Service Management Strategies, Operations Strategies," META Group, 2 May 2003

"Linux Creator Opens Up in Interview," Salt Lake Tribune, Business Section, 17 July 2003

SANS Critical Vulnerability Analysis, SANS Institute, 2003, www.sans.org

SANS Institute, www.sans.org

CERT Coordination Center, Carnegie Mellon University, Pennsylvania, USA, cert.org

Salkever, Alex; "Does Linux Have a Dark Secret?," Business Week online, June 2003

Clyde, Robert; "Exposing the Future of Internet Security," Security Supersite, April 2003, www.security.ziffdavis.com

King, Julie; "Update: Conoco Deploys Linux-based Supercomputer for Use in Oil Exploration," Computerworld, August 2000

Orenstein, David; "Burlington Coat Factory Finds That Linux Runs Smoothly, Despite Lack of Support," Computerworld, August 1999

Integrated Computer Solutions Inc., www.ics.com/bart

Open Source Initiative, www.opensource.org

Chris Andrew
joined PatchLink® Corp. (www.patchlink.com) as vice president of product management in January 2000, and is currently responsible for the development of the company's cross-platform, patch management technology and services. Andrew was previously with Novell Inc., where he was the engineering manager responsible for web and news server development on NetWare 5.1, and formerly the manager of the RAD and scripting development team. While at Novell, he coauthored the Novell NDS Programmers Guide (IDG Books). Andrew is also noted as one of five founding engineers of Coresoft Technologies, was one of the original three engineers on the Workplace Shell project for IBM OS/2 2.0, and began his IT career developing IBM's OS/2 Presentation Manager with IBM's UK division.