
On the afternoon of October 6, 1973, Egypt and Syria launched attacks against Israel by crossing the Suez Canal into the Sinai desert and by breaking through to the Golan Heights. The surprise of the attack came not only because it took place on Yom Kippur, the holiest day in the Jewish calendar, and coincided with Ramadan, the sacred month of fasting in Islam, but rather from big intelligence failures on the Israeli side.
One thing was the complete underestimation of Arab capabilities. The Israelis lived with the impression that neither Egypt nor Syria could launch large-scale military offensives, and even less do it together. Nothing in their intel suggested this.
They also failed to heed warnings that were given. For instance, King Hussein of Jordan had, in secret meetings, disclosed to and warned Israeli officials that the current status quo was unsustainable.
Also, any request to increase surveillance and to start using the army's sophisticated listening devices in Egypt was continuously rebuffed.
Finally, a sense of complacency had spread in the Israeli intelligence community after their decisive victory in the Six-Day War in 1967.
But what is the connection to today and patch management of critical infrastructure?
How to think about Patch Management?
We all know that closing vulnerabilities that can potentially be exploited, through patch management, is very important when it comes to security, so I will not talk about that.
The problem in critical infrastructure is that there are too many vulnerabilities to patch and too little time to do it. How do you make decisions in patch management?
When I say vulnerability I am generally referring to a CVE that is logged in the NVD database (NVD – Vulnerabilities (nist.gov)) and that has been classified with a CVSS value (Common Vulnerability Scoring System Version 3.1 Calculator (first.org)). If you are not familiar with those two concepts, please look them up.
Example
A not uncommon strategy is to use the CVSS value as the basis for decision-making on when to patch. Let us look at two examples of vulnerabilities. They might not be directly related, but you can just browse the database and find similar examples.
Now imagine you only have the possibility/time to patch one of the vulnerabilities. Which one would you pick? If your strategy was solely based on the CVSS, you would opt for the Android phishing attack given its higher score.
But think for a moment. The first one requires user interaction; you are still in charge here, just do not click the link! The second one does not, but is a silent MITM attack.
Also, think of it in terms of asset value. Would you rather lose the function of your phone or the function of your pacemaker? For me at least the answer was easy; my heart is quite precious to me.
The duality of CVSS
The problem here is that we put way too much trust in numbers: the higher one gets our attention. And it is calculated from a few base values that are not set by you. I sometimes call CVSS a pathological liar, since you can never know when it gives a true or a false estimate of the vulnerability.
Since you cannot patch every vulnerability, you need to do your own assessment and mitigate vulnerabilities in different ways. So what to do?
- The first step is to at least use the environmental metrics that you can also set in the calculator. You probably have components from different vendors in your system, and they can help with that.
- Secondly, define a way of quickly deciding on each vulnerability based on your own knowledge of your systems.
- Two simple ways could be to create a diagram that takes into account the functional impact (safety aspects) on your system
- Or you could define a decision tree that you follow for each vulnerability (e.g., patch now, next or never)
Summary
You will never be able to patch everything, so you need to work out a decision strategy that works for you, so that you base your decision on the correct information. The CVSS out of the box is not good intel and could lead to you making the wrong decision and getting taken by surprise, like the attack Israel faced in the Yom Kippur War. In the end, though, Israel recuperated from the initial onslaught, made progress on the battlefield and can to some extent be called the winner of the war, but it also led to huge changes in the region and set the stage for future negotiations and conflicts.
So stay prepared, gather the right intel and make well-founded decisions when patching.