Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerability Identification & Patch Management Nate Howe Vice President of Risk Management.

Published byAlberta Sybil Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "Vulnerability Identification & Patch Management Nate Howe Vice President of Risk Management."— Presentation transcript:

1 Vulnerability Identification & Patch Management Nate Howe Vice President of Risk Management

2 Has this happened to you? “Fix all these issues by the end of the week…” 2

3 My Background Performed IT audits and delivered many “Needs Improvement” reports. Transitioned to security management and now I am the one being audited. In the new job, I build processes to fix our known issues. We were missing Microsoft patches labeled MS02-, MS03-, but unfortunately, it was 2007. 3

4 Vulnerability Scanning Techniques Vulnerability scanning over the network Agent-based scanner installed on each system Non-authenticated versus authenticated scans All of these have the potential to produce large volumes of report data, but do we know which actions to take? 4

5 Vulnerability Scanning Limitations Reports detail system health, but tell us little about our organization’s security processes. Network segmentation or host-based firewalls may result in clean vulnerability scan results, despite improper system configurations. A network vulnerability scan may tell us nothing about how the system will respond when an end user opens an infected Office document. 5

6 Vulnerability Root Causes Big vulnerability reports detail the symptoms, but what are the root causes? –Do we have hardening standards for disabling unnecessary services? –Do we configure non-standard passwords? –Do we perform routine maintenance including patching? 6

7 Quick Poll Would you rather have a Windows computer that was fully patched but had no anti-malware utility… …or a Windows computer with no patches but had an anti- malware utility with current definitions? 7

8 Quick Poll Would you rather have a Windows computer that was fully patched but had no anti-malware utility… …or a Windows computer with no patches but had an anti- malware utility with current definitions? 8

9 SANS Top Vulnerabilities Client-side Vulnerabilities in: –C1. Web Browsers –C2. Office Software –C3. Email Clients –C4. Media Players Server-side Vulnerabilities in: –S1. Web Applications –S2. Windows Services –S3. Unix and Mac OS Services –S4. Backup Software –S5. Anti-virus Software –S6. Management Servers –S7. Database Software Security Policy and Personnel: H1. Excessive User Rights and Unauthorized Devices H2. Phishing/Spear Phishing H3. Unencrypted Laptops and Removable Media Application Abuse: A1. Instant Messaging A2. Peer-to-Peer Programs Network Devices: N1. VoIP Servers and Phones Zero Day Attacks: Z1. Zero Day Attacks 9

10 SANS Top Vulnerabilities Client-side Vulnerabilities in: –C1. Web Browsers –C2. Office Software –C3. Email Clients –C4. Media Players Server-side Vulnerabilities in: –S1. Web Applications –S2. Windows Services –S3. Unix and Mac OS Services –S4. Backup Software –S5. Anti-virus Software –S6. Management Servers –S7. Database Software Security Policy and Personnel: H1. Excessive User Rights and Unauthorized Devices H2. Phishing/Spear Phishing H3. Unencrypted Laptops and Removable Media Application Abuse: A1. Instant Messaging A2. Peer-to-Peer Programs Network Devices: N1. VoIP Servers and Phones Zero Day Attacks: Z1. Zero Day Attacks 10

11 Reactive, not Proactive Lack of patch management leaves our systems at risk, plus we receive poor vulnerability scores. Vulnerability scanners identify symptoms and we react by installing specific patches to resolve point-in-time issues. “Insanity is doing the same thing over and over again and expecting different results.” 11

12 The Better Option Consider patching to be required preventive maintenance. Would you drive a car and never change the oil? I may be 500 miles late to get an oil change, but I don’t want to be 5,000 miles late. When does breakdown become inevitable? 12

13 Organization Are we reacting to an auditor issue, or do we recognize our responsibility for patch management? Who is accountable for patch management? Who will double-check the work and produce vulnerability metrics? Do we have an accurate IT asset inventory and have we agreed on what to patch? 13

14 What should we patch? Anything with a communication jack (network or modem), until you can justify otherwise. Do not forget the applications [and therefore the business users]. Do not forget proprietary systems, appliances, Cisco IOS, physical security systems, ATMs, VoIP, firmware, printers & copiers, PDAs, and more. Anti-malware definitions and engine updates are patches, too. 14

15 Process How quickly should patches be installed? Will we allow system Automatic Updates? How will we become aware of the latest patches? Do patches require change control approval? When are the maintenance windows? Do we have testing procedures and test users (both IT and business)? Have we identified vendor dependencies? Do we have a phased rollout and a fallback plan? Can end users delay or cancel a patch? Will we do manual installations or use automated tools? 15

16 Challenges What if I disrupt an entire department or business process? Do I know the system owners and will they approve patches? When can I reboot these systems? What if I ‘shoot myself in the foot’ on a remote system? Will there be perceived performance issues when a system is powered on and patches start installing? Will there be a WAN impact? Am I harming the environment and wasting money if I keep systems powered on all night? 16

17 Unexpected Benefits The latest worm makes mainstream news, but you are already patched and do not have a fire drill. When vendors are troubleshooting, they often start with ‘I see you have not installed the latest version.’ Support and training are easier when systems are consistent. 17

18 Conclusion Traditional network perimeter controls are less relevant today because: –laptops enter hostile environments –attack vectors such as end user documents and web surfing Preventive maintenance is our professional responsibility. More sophisticated challenges need our attention once system maintenance processes are operating. Hardening standards, new system certification, patching, and self-assessments make the audit experience easier. 18

19 Next Steps Get valid data about your environment (inventory, discovery, scan reports). Identify the problems and propose solutions. Assign responsibility. Create processes to test and install patches. Educate your end users. Measure at least monthly and track the progress, take credit for your successes and admit your mistakes. Contact your industry colleagues and exchange ideas. Try it manually before you buy tools. 19

20 Nate Howe natehowe@hotmail.com 20

Download ppt "Vulnerability Identification & Patch Management Nate Howe Vice President of Risk Management."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
ICASAS305A Provide Advice to Clients

ICASAS305A Provide Advice to Clients
Security Controls – What Works

Security Controls – What Works
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.

Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
The Cost of Cheap Understanding Your IT Investment Options.

The Cost of Cheap Understanding Your IT Investment Options.
Current Job Components Information Technology Department Network Systems Administration Telecommunications Database Design and Administration.

Current Job Components Information Technology Department Network Systems Administration Telecommunications Database Design and Administration.
ACME ACME Solutions Inc. You Focus on Your Business & We Focus on Your IT.

ACME ACME Solutions Inc. You Focus on Your Business & We Focus on Your IT.

Similar presentations

Ads by Google