Patch Management: It’s Not Just About the OS Anymore
Adam Carlson
CSO, RSSP Department, UC Berkeley
Agenda
− Some Info About The Problem
− Aggravating Factors
− Mitigating Controls
− Choosing a Solution
− On With the Real Information
What Is The Problem?
− Over Time, Vulnerabilities Are Discovered
− Exploited In Ways That Avoid Detection
− Difficult To Prevent
− Priority One According To SANS

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” — Gene Spafford
What Types Of Applications?
− Adobe Reader *
− Adobe Acrobat *
− Adobe Photoshop
− Adobe Flash Player *
− Java Runtime Environment *
− QuickTime *
− Firefox *
− iTunes *
− Skype *
− Thunderbird
− WinZip
− MSN Messenger
− RealPlayer *
− DameWare Mini Remote Control
− Winamp *
− 7-Zip
− FileZilla
− VLC
− Sophos Anti-Virus
− Symantec Anti-Virus
− Foxit
− Pidgin

“In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't.” — M. Dacier, Eurecom Institute
But Patching Gives Me The Chance To Reconnect With My Users
Source: http://www.cert.org/stats/
What Makes Things Worse
− Users With Local Administrator
− Lack of Centralized Patch Management
− Lack of Good Auditing/Inventory Software
− Software Vendors
− Users

“On the negative side, I've been getting charged for a ton of stuff I didn't order lately. On the positive side, I did win that 'Who's Got the Best Password' contest on AOL last week.” — Spike Donner
Some Things You Can Do
− No Local Administrator Rights
− Web Proxy or Central Server for Web Surfing
− E-mail Scanning/Filtering
− Strong Browser Security Settings / NoScript Firefox Add-On
− All of The Normal Things
  − Patch OS, Run A Firewall, Intrusion Detection, Anti-Virus, Anti-Malware
− Other Suggestions?
Patch Management Solutions
− BigFix
− PatchLink
− Shavlik
− Lumension
− Altiris
− Many Centralized Control Suites (GFI LANguard, Kaseya, etc.)
− Secunia Personal Software Inspector
− Others?
Choosing The Right One
− Support for Applications in Use
− Auditing/Discovery Capabilities
− SLA That Promises Release Timeline
− Cost
− Complexity
− Release Engineering Capabilities
− Others?
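The deck lists "Lack of Good Auditing/Inventory Software" as an aggravating factor and "Auditing/Discovery Capabilities" as a selection criterion. The script below is an added example, not part of the presentation and not the product of any vendor named on these slides; it shows what the auditing step looks like in practice: take an inventory export of installed third-party applications (the CSV format, host names, versions and the minimum-patched-version baseline are all constructed for the example) and report which hosts are running an application below the patched version, plus which applications cannot be judged because no baseline exists for them.

```python
"""Audit a third-party application inventory against a patch baseline.

Added example, not from the presentation. Assumes an inventory export with
one "host,application,version" line per installed application (a constructed
sample is embedded below) and a baseline of minimum patched versions that
the patch team maintains per application.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample inventory export: hypothetical hosts and version numbers.
INVENTORY_CSV = """host,application,version
ws-001,Adobe Reader,9.3.4
ws-001,Java Runtime Environment,1.6.0_22
ws-001,Adobe Flash Player,10.1.85.3
ws-002,Adobe Reader,9.4.0
ws-002,Firefox,3.6.12
ws-002,Adobe Flash Player,10.0.45.2
ws-002,Winamp,5.58
ws-003,Adobe Reader,8.1.7
ws-003,Skype,4.2.0.158
ws-003,Firefox,3.6.12
ws-004,Java Runtime Environment,1.6.0_20
ws-004,Firefox,3.5.11
"""

# Constructed baseline: lowest version considered patched for each application.
# Winamp is deliberately absent to show how an application with no baseline
# surfaces in the report instead of silently passing.
MIN_PATCHED_VERSION = {
    "Adobe Reader": "9.4.0",
    "Java Runtime Environment": "1.6.0_22",
    "Adobe Flash Player": "10.1.85.3",
    "Firefox": "3.6.12",
    "Skype": "4.2.0.158",
}


def parse_version(text):
    """Split a vendor version string into a tuple of integers, so that
    '9.3.4' sorts before '9.4.0' and '1.6.0_22' compares by update number."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated(installed, minimum):
    """True when the installed version is below the baseline. Both tuples are
    zero-padded to the same length so '9.3' is not treated as older than '9.3.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory_csv, baseline):
    """Return (findings, unknown): findings maps host -> list of
    (application, installed, minimum) for every outdated install; unknown is the
    sorted list of applications seen in the inventory that have no baseline entry."""
    findings = defaultdict(list)
    unknown = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        app, version = row["application"], row["version"]
        if app not in baseline:
            unknown.add(app)
            continue
        if is_outdated(version, baseline[app]):
            findings[row["host"]].append((app, version, baseline[app]))
    return dict(findings), sorted(unknown)


def prioritize(findings):
    """Count how many hosts run each outdated application, most widespread
    first (ties alphabetical), which is a sensible order for a patch push."""
    counts = defaultdict(int)
    for items in findings.values():
        for app, _installed, _minimum in items:
            counts[app] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings, unknown = audit(INVENTORY_CSV, MIN_PATCHED_VERSION)
    for host, items in sorted(findings.items()):
        for app, installed, minimum in items:
            print(f"{host}: {app} {installed} is below baseline {minimum}")
    print("push order:", prioritize(findings))
    print("no baseline defined:", unknown)
```

The "unknown" list is the part most inventory tools get wrong: an application the baseline does not know about is not "patched", it is unassessed, and on this slide's list of applications that gap is where the unmanaged software lives. A real deployment would replace the embedded CSV with the export from whichever inventory or patch product is chosen.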
Questions?

“People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them.” — Gene Spafford