Pumpkin Patch (image by wildcat_dunny)

So you’ve decided to start a quarterly or bi-annual patch program. You may find yourself thinking: “Do I really need to patch *everything*?  What are the highest priority patches that I need to apply for the best risk reduction?”

The good news is that a lot of ICS vendors are stepping up their game on patching.  Vendors like OSISoft are testing Microsoft patches on certain Tuesdays to ensure compatibility with their software, and publishing lists of approved patches after running a full suite of tests with the OS updates.

Still, applying every last little patch for a system is time-consuming and nerve-wracking, and patches themselves still carry risks.  The best bet is to go after the hardest-hitting patches: the patches that are likely to be used by automated attacks and perhaps even by individual attackers.  I’ll be showing how to automate this process with Nessus in my upcoming course at the EnergySec conference.

The best way to find your ‘high priority patches’ is to reconcile your list of installed applications that are network-listening with the list of services that are running with high privileges.

On Windows, a lot of vendors install services to run with the SYSTEM account.  This is the equivalent of running a process as Administrator.  It’s not just ICS that is guilty here — even security services like Symantec often run as SYSTEM.  When vendors run their software as SYSTEM, they end up getting big nasty black, purple, and yellow eyes when a bug is found in their software.  That’s because hackers and worms go after the service, and when they succeed they get full control of the compromised system.

In truth, most services don’t need this kind of privilege, even those that listen on a network port.  The best strategy where patching is concerned is to 1) build a list of all network-listening, SYSTEM-privileged processes that are running, 2) patch these services with the highest priority, and 3) consult with your vendor to determine whether the services really need SYSTEM privileges.

To find what privileges your services are running with in a spreadsheet-friendly form, you can execute this command from the Windows command-line:

wmic service where "startname='LocalSystem'" get name,pathname

This will display a list of the service executables that are running on your system with SYSTEM privileges.  Now run

netstat -anb

from an elevated prompt to display listening network processes on your system, along with the executable that owns each port.

If we merge the results of the two outputs, we’ll quickly see which privileged services have listening ports.  These are the services that are going to be attacked by worms and other malware, and these are the services that should be patched first.
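The merge described above can be done in one step rather than by hand. The following PowerShell script is an added example, not part of the original post; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint), an elevated prompt, and writes the result to a constructed file name, priority-patch-list.csv.

```powershell
# Added example: reconcile services running as LocalSystem with the
# listening TCP/UDP sockets their processes own. Output is the list of
# privileged, network-exposed services that should be patched first.
# Requires an elevated prompt (port-to-process mapping needs it).

# 1) Running services whose logon account is LocalSystem (SYSTEM).
$systemSvcs = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and
                   $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

# 2) Listening TCP sockets and bound UDP endpoints, keyed by owning PID.
$tcpListeners = Get-NetTCPConnection -State Listen |
    Select-Object OwningProcess, LocalAddress, LocalPort
$udpEndpoints = Get-NetUDPEndpoint |
    Select-Object OwningProcess, LocalAddress, LocalPort

# 3) Merge on process ID. Note: several services can share one svchost.exe
#    PID, so each service in a shared process is listed with that PID's
#    ports; all of them should be treated as exposed until proven otherwise.
$report = foreach ($svc in $systemSvcs) {
    $tcp = $tcpListeners | Where-Object { $_.OwningProcess -eq $svc.ProcessId }
    $udp = $udpEndpoints | Where-Object { $_.OwningProcess -eq $svc.ProcessId }
    if ($tcp -or $udp) {
        [pscustomobject]@{
            Service  = $svc.Name
            Account  = $svc.StartName
            PID      = $svc.ProcessId
            PathName = $svc.PathName
            TCPPorts = (@($tcp.LocalPort) | Sort-Object -Unique) -join ','
            UDPPorts = (@($udp.LocalPort) | Sort-Object -Unique) -join ','
        }
    }
}

# Show the high-priority list and save a spreadsheet-friendly copy.
$report | Sort-Object Service | Format-Table -AutoSize
$report | Export-Csv -Path .\priority-patch-list.csv -NoTypeInformation
```

Anything bound to 0.0.0.0 or :: rather than 127.0.0.1 deserves the most attention, since those sockets are reachable from the network rather than only from the host itself.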
