Thinking security: Do we only patch on Tuesdays?
Author(s): Michael Kain, Posted on July 7th, 2017
The recent WannaCry ransomware attack caused most security administrators to focus on their policies on when they patch their systems. But it really came down to how they think security. Each decision that a security administrator makes is about the security of the system and the environment. But we make those same decisions as part of our normal life – what is the risk with taking an action or not?
Let’s make an analogy – do we always lock our car? It’s a “best practice” to do so at all times – when we’re at the store, when we’re out to dinner, when we’re in our own garage. There may be times in which we don’t (when we’re in our garage and it’s locked). We make this decision when we survey the environment where we are and evaluate the perceived risk. We think security and then we make the decision to lock our car or not.
Taking vaccines provides another analogy about thinking in tradeoffs. There has been much debate over the years about which is better: taking or not taking vaccines. Some claim that there are too many and there are side effects which may outweigh the benefits. In thinking of it, it’s a risk decision between the probability of not getting the disease and getting the disease and the possible outcomes. For something as serious as a fatal disease, everyone probably would elect to take the vaccine because of the high risk involved.
The discussion about the annual flu vaccine is much different. The risk of getting the flu is only partially solved by the vaccine, and the risk isn’t great – you may feel bad for a week or two, but you’ll survive. So, many people skip the annual flu vaccine because it’s not a total solution, the probability of catching it may be low, and the risk if you do catch it isn’t great. Now, if you’re vulnerable to a certain strain of disease because of your nature or environment, then that changes the probability, risk or outcome.
So, how does this tie to ClearPath Forward™? The same logic can be applied to how and when we patch our systems. We need to evaluate the risk involved for each vulnerability or problem and assess it in our environment. This is done for us by the CVSS (Common Vulnerability Scoring System) which rates each vulnerability on a scale of 1-10. The more severe the vulnerability, the more likely and quickly we’ll patch the system. CVSS has three parts – base score (how severe the outcome in the worst case), the temporal score (how severe is the outcome now – think how easily it could be spread or used in an attack), and the environmental score (how severe it is to your environment). But even with severe vulnerabilities, just like diseases, they may not affect all systems equally, or certain people or systems are immune to them (for various reasons).
With people, heredity and background contribute to the differences in resilience against diseases (but remember, I’m not a doctor). With computer systems, it comes down to architecture. That’s where ClearPath Forward is more immune to common vulnerabilities because of its heredity. The latest ClearPath Forward systems have evolved and been derived from the same secure architecture that began these mission critical systems, more than 50 years ago. Both ClearPath MCP and OS 2200 weren’t affected by the latest WannaCry ransomware, because of their architecture (more on this in my next blog). The other systems which make up the ClearPath environment weren’t affected either, since they blocked the attack through hardening (the default security environment) of the platform.
That doesn’t mean that you don’t have to patch ClearPath Forward systems. You should. Fixes come out every day to issues that are found with the software (and a weekly summary of the fixes available can be emailed to you; go to the Unisys support website http://www.support.unisys.com to sign up). Each patch (called a PLE or Problem List Entry) is assessed with regard to criticality to your environment, whether it has a security impact on your environment, and if it addressed a vulnerability. But the risk of not patching is much lower than on commodity architectures. You can schedule when you install patches rather than panic to install them when they come out, or wait until Tuesday when the next batch comes out.
It all comes down to thinking security – evaluation of risk and then action. ClearPath’s architecture minimizes the risk of most vulnerabilities because they just don’t affect it as they do commodity architectures.