Several years ago my wife and I enrolled in country western dance lessons offered in our community. I have a reputation for being challenged in the areas of rhythm and coordination, but it sounded like fun. Over several weeks we learned multiple dances ranging from the supposedly simple two-step to more complex dances. I learned that I could manage on a dance floor as long as I stuck to the basic dances like the two-step and that I never would have rhythm or coordination.
Over the last several months I have been continually reminded of the two-step when I do vulnerability scanning. How do the two relate? Well, specifically when reviewing missing patches with a vulnerability scanner, I have been noticing that some Microsoft patches require two steps for them to be fully effective. If you run Windows Update to check for patches or use a third-party patch tool, the results will return that no patches are missing. However, that is not the case. Some patches require the user to take action after the patch is installed. Examples of this action include creating and setting a registry key or setting a Group Policy setting. Thankfully Microsoft releases patches that require additional action rarely and provides good documentation for what is required to enable the patch. Microsoft also has a good reason for requiring the second step. These patches have the possibility of impacting system functionality or performance, so the user is given the option of enabling the patch.
How does a user know when a patch requires additional action for full installation? There are a couple of different ways. First, read the release notes. This should be done as part of testing with all patches for all software so that you are aware of the changes being made and any possible impact to the systems. An example of one vulnerability that requires two steps to mitigate is contained in the July 2017 Microsoft Cumulative Update, KB4025339. This update contained fixes for 42 different vulnerabilities, known as Common Vulnerabilities and Exposures (CVE). Each CVE is assigned a number. Searching for each CVE number in the Microsoft Cumulative Update leads to more information on the vulnerability. The information on one of the July 2017 vulnerabilities, CVE-2017-8563, indicates in the FAQ section that further steps are needed to be protected. Digging down through the information for all 42 vulnerabilities would be quite a chore. Luckily, some vulnerability scanners can assist in identifying which patches need additional action in a more streamlined manner.
Vulnerability scanners do not replace the need to review and test patches prior to deployment. However, they can help identify new systems and software on your network and identify vulnerabilities present. Vulnerability scanners are a compliment to the traditional patch management process; allowing you to proactively manage vulnerabilities rather than blindly hoping you are safe.
Vulnerability scanners also allow for verification that current patch management controls are effective and some vulnerability scanners are aware of patches requiring multiple steps and check first for installation, then to see if the appropriate setting is configured. Introduction of a vulnerability management program into your environment, using vulnerability scanners to complement the patch management process, will allow for the establishment of rhythm and coordination that will allow for you to get ahead of the patches that do require more than a simple install. Most importantly, it will allow more time for you to polish your two-step.