One common situation that we see occurring in financial institutions is that IT departments apply patches diligently, but that vulnerability management systems still show some patches are missing. The number of seemingly missing patches grows in the vulnerability management report over time. When asked about this, the IT department will often respond that the vulnerability management system is incorrect because the systems show the patches are installed. In reality, the cause of the discrepancy is usually that there are additional steps required to activate the patch once it is installed.
Microsoft will often release a patch that requires a registry key to be added to the system to fully implement the patch. Patch management systems do not usually verify that these registry keys have been added. Vulnerability management systems, however, will verify not only that the patch is installed but also that the registry keys have been added.
Before calling a missing patch detected by a vulnerability scanner a “false positive”, we recommend thoroughly researching the patch to make sure that there is not a requirement to add a registry key. These keys can usually be easily added by IT using a Global Policy Object (GPO), making it easy to quickly eliminate many vulnerabilities in a short period of time. Sources of information while doing this research should include:
- The website of the vendor that distributed the patch. A mention of the registry key requirement is not always prominent on vendor websites, so be sure to review the entire description of the patch.
- Vulnerability management system data. Most vulnerability management systems will provide information regarding why the system believes a system is vulnerable. Some systems go beyond this and provide remediation instructions. The information is sometimes buried in the system, so you might need to dig a bit to find it.
- Vulnerability management vendor support. If you have a question regarding a specific vulnerability, chances are that someone else has already asked the question. Either search the support site for the vendor or open a support case with the vendor.
- Web searches. Performing a simple search for “MS15-124 false positive” will often provide a plethora of sites where IT professionals have previously dealt with this problem. Be sure to only select reputable sites from the results!
If your institution is experiencing problems determining which vulnerabilities are real and which might be false positives, we can help give you some direction. Shoot us an email at support@bedelsecurity.com for more information.
Additional Resources:
Changing How Vulnerabilities are Audited
https://www.bedelsecurity.com/blog/changing-how-vulnerabilities-are-audited
Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success
Reactive or Proactive: What Makes the Best CISO
https://www.bedelsecurity.com/blog/reactive-or-proactive-what-makes-the-best-ciso
Five Key Vulnerability and Patch Management Practices
https://www.bedelsecurity.com/blog/five-key-vulnerability-patch-management-practices