
Vulnerability and Patch Management



Presentation on theme: "Vulnerability and Patch Management"— Presentation transcript:

1 Vulnerability and Patch Management
Dr. Thomas Moore, Ph.D. EMBA, BCSA, BCSP, CISSP, CISM, LCNAD

2 Vulnerability Management:
What, why, how

3 What is Vulnerability Management?
The ability to assess and secure multi-platform environments.
Protection from internal vulnerabilities such as:
* Machines that do not have the latest hot fixes or service packs loaded
* People who have inappropriate rights to files and directories
* Users who have no passwords or easily guessed passwords
* Accounts that have not been disabled once an employee is no longer with the company
* Employees who are going against corporate policies and who are sending e-mails with inappropriate content
Protection from external vulnerabilities such as:
* Unknown/unsecured IP devices
* Open ports
* Easily guessed passwords

4 What is Vulnerability Management?
Combination of management and security tools into one product. Examples of management tools:
* Automated documentation for disaster recovery
* Disk space analysis
* Content scanning (MS Exchange)
* Mailbox moves (MS Exchange)
* Change impact analysis (MS SQL)
The ability to audit and document your improved security: a requisite in banking, healthcare, government or any highly regulated industry.
Staff augmentation (cost savings)

5 Why Vulnerability Management
According to Gartner:
* Security continues to be one of the top three issues for CIOs.
* Windows, IIS and SQL Server are the three key areas prone to attack.
* 2004 was the first time that the security budget for the average enterprise constituted more than 5% of the overall IT budget, showing up on the CIO's pie chart.

6 Why Vulnerability Management
Also according to Gartner, some ways to quantify what you do are:
* What percentage of known attacks is the organization vulnerable to?
* When was that percentage calculated?
* What percentage of company software, people and supplies have been reviewed for security issues?
* What percentage of downtime is the result of security problems?
* What percentage of nodes in the network are managed by IT?

7 CIO Magazine/PWC survey,15OCT04:
The top three security-related organizational priorities for 2004 were:
* Raise end user awareness of policy & procedures – 55%
* Train staff – 41%
* Develop security policies and standards – 35%
This same survey stated that 80% of North American companies used liability as a justification for security investments. Also in the study, security investments are justified due to:
* Liability/exposure – 69%
* Regulatory requirements – 53%
* Revenue impact – 40%

8 Vulnerability Management: More Insight
According to a Summer 2003 InfoPro study, the top operational problems or pain points that are driving spending are:
* Audit/compliance related – 41%
* Technology related – 40%
* Standards related – 16%
"The numbers are staggering: 82,094 new vulnerabilities discovered in software and hardware last year. That's up 64 percent from And in the first quarter of this year alone, the number was 76,404. The volume of flaws found has been rising at an alarming rate for as long as people have kept statistics." --eWeek, Aug. 11, 2003

9 VM Trends: Windows and .NET Magazine (May) 2002 vs. 2003 Study Results
Chart of responses to "Which of the following would you say is your company's highest priority technology initiative for IT in the next year?" Managing infrastructure is still #1; OS upgrades and security rank equally. (Hardware upgrades were not asked about in 2002.)

10 Why implement a VM solution?
* Multiple threats across a complex IT infrastructure
* Multiple IT managers are accountable for specific pieces of the infrastructure, but not all of it
* Native tools do not provide enterprise-level, consolidated assessment and audit
* A breach in any one area can affect the entire infrastructure
* Organizations must comply with some mandated standards and practices across the enterprise
* Time and efficiencies gained

11 Quick Quiz
1. How many machines does it take to make a network completely vulnerable?
2. Name three ways a network may be vulnerable.

12 Risk Management Lifecycle
Lifecycle diagram (stages of the cycle): Define Rules -> Audit/Analyze -> Assign -> Notify -> Remediate -> Certify/Verify -> Publish -> Repeat. The cycle is applied to Policy Compliance, Vulnerability Management, and Directory Administration & Migration.

13 More Coverage + Complete Policies = Less Risk
Benefits of the lifecycle:
* Increase audit coverage and frequency
* Look at ALL your servers and workstations, ALL the time
* Provide policies to measure against
* Achieve a constant state of audit
Speaker notes. Objective: Describe the technical benefits of an automated risk management lifecycle. "By implementing an automated Risk Management Lifecycle, you will be able to conduct audits on all your workstations and servers, not just a sample. In addition, you will be able to do it more than four times per year. And the audit will be based on specific policies that meet the criteria of the regulatory standards as well as best-known security standards. In essence, you can put your company in a constant state of audit with the push of a button, thereby reducing the likelihood that you'll experience a security or compliance breach."
More Coverage + Complete Policies = Less Risk

14 Automating the Lifecycle
What percentage of your machines do you audit regularly today? For best security, how many should you audit? How often do you complete your audit cycle?
Only an automated solution can:
* Audit 100% of machines
* Increase your audit frequency
* Decrease the time to remediate
* Reduce risks AND reduce costs at the same time

15 Sustainability: Is this more work than you are doing today?
YES!! And it will continue to grow... Start now!
With all the other things that are going on, how can I not only create, but maintain, a secure environment?
* Create policies
* Automate assessment with software tools (VM)
* Remediate (VM)
* Evaluate (VM)
* Start over! (VM, using scheduling)

16 Any pitfalls? Technical:
* Depth of reporting (granularity, ad-hoc vs. predefined)
* Closed-loop problem identification and remediation
* Scalability
* Agents and their associated maintenance
* Parallel processing
* Lack of centralized management (combination of security, auditing and management tools bundled into the product)

17 Other benefits Business reasons:
* 30-70% reduction in business losses due to downtime
* 20-70% reduction in lost opportunity costs
* 20-50% reduction in mediation, recovery time and associated costs
* 10-30% reduction in lost productivity of non-IT personnel
* 1-2% legal exposure and costs
* 10-30% deployment and maintenance

18 Testimonials
"(VM) solutions reduced our business loss and downtime when NIMDA hit."
"...put out the 1.1 million hits that we took. That was huge." – Large mid-west financial organization
"...vulnerability management solution, we realized more than $1,000,000 in ROI." – Florida Hospital

19 New trends: Non-credentialed scans
Benefits:
* Cross-platform
* Doesn't require administrative rights to scan a device
* Keep up with the latest vulnerabilities
* O/S fingerprinting with version identification
* Identify every IP device on the network
Total Devices – Managed – Unmanaged (rogue machines)
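The bookkeeping this slide describes (total devices seen by an unauthenticated sweep, split into managed and unmanaged, with the unmanaged ones flagged as rogue), worked as an added example. This is not code from the deck or from BindView: it parses nmap's grepable (-oG) output, which is what a non-credentialed scan with OS fingerprinting produces, and joins it against a management-console export. The scan text, addresses, host names and the inventory are constructed for the example, and keying the inventory by IP address is an assumption.

```python
"""Reconcile a non-credentialed network sweep with the managed-asset inventory.

Added example (not from the original deck, not BindView code). The scan
output below is a constructed sample of `nmap -sV -O -oG - 10.0.5.0/28`,
not a real scan; the inventory is a constructed export keyed by IP.
"""
import re
from dataclasses import dataclass, field

SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated Tue Jan  2 09:00:00 2024 as: nmap -sV -O -oG - 10.0.5.0/28
Host: 10.0.5.1 (gw.corp.example)\tStatus: Up
Host: 10.0.5.1 (gw.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)\tOS: Linux 5.X
Host: 10.0.5.10 (fs01.corp.example)\tStatus: Up
Host: 10.0.5.10 (fs01.corp.example)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\tOS: Microsoft Windows Server 2019
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//GoAhead WebServer/\tIgnored State: closed (998)\tOS: embedded
Host: 10.0.5.40 ()\tStatus: Down
# Nmap done at Tue Jan  2 09:01:12 2024 -- 16 IP addresses (3 hosts up) scanned in 72.10 seconds
"""

# Constructed export from the management console: IP -> host name (assumed key).
MANAGED_INVENTORY = {
    "10.0.5.1": "gw.corp.example",
    "10.0.5.10": "fs01.corp.example",
    "10.0.5.11": "fs02.corp.example",   # in the inventory but not seen by the sweep
}

@dataclass
class Host:
    ip: str
    hostname: str
    up: bool = False
    os: str = "unknown"
    open_ports: list = field(default_factory=list)   # (port, proto, service)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text):
    """Parse nmap -oG output into Host records keyed by IP.

    Every host gets a 'Status' line; hosts that are up also get a 'Ports'
    line. After the Host field the line is tab-separated 'Key: value' pairs.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                       # '# Nmap ...' comments and blank lines
            continue
        ip, name = m.groups()
        host = hosts.setdefault(ip, Host(ip=ip, hostname=name))
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if fields.get("Status") == "Up":
            host.up = True
        if "OS" in fields:
            host.os = fields["OS"]
        if "Ports" in fields:
            for entry in fields["Ports"].split(", "):
                # port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if parts[1] == "open":
                    host.open_ports.append((int(parts[0]), parts[2], parts[4]))
    return hosts

def reconcile(hosts, inventory):
    """Total (up) devices, split into managed and unmanaged, plus stale inventory rows."""
    live = {ip for ip, h in hosts.items() if h.up}
    return {
        "total": len(live),
        "managed": sorted(ip for ip in live if ip in inventory),
        "unmanaged": sorted(ip for ip in live if ip not in inventory),
        "not_seen": sorted(ip for ip in inventory if ip not in live),
    }

def rogue_report(hosts, inventory):
    """Human-readable report; unmanaged-but-live hosts are the rogue machines."""
    r = reconcile(hosts, inventory)
    lines = [f"Total devices up: {r['total']}  Managed: {len(r['managed'])}  "
             f"Unmanaged: {len(r['unmanaged'])}"]
    for ip in r["unmanaged"]:
        h = hosts[ip]
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h.open_ports) or "none"
        lines.append(f"ROGUE {ip} os={h.os!r} open={ports}")
    for ip in r["not_seen"]:
        lines.append(f"STALE {ip} ({inventory[ip]}) in inventory but not up in the scan")
    return "\n".join(lines)

if __name__ == "__main__":
    print(rogue_report(parse_grepable(SCAN_OUTPUT), MANAGED_INVENTORY))
```

Hosts reported Down are excluded from the total so the managed/unmanaged split only counts devices that actually answered; inventory entries that did not answer are listed separately as stale, because a decommissioned-but-still-inventoried machine is a different problem from a rogue one.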

20 Platform Coverage
Operating systems:
* bv-Control for Windows, Active Directory and Web Services
* bv-Control for NetWare and bv-Control for NDS eDirectory
* bv-Control for Unix
* bv-Control for OS/400
Applications:
* bv-Control for Microsoft Exchange
* bv-Control for Microsoft SQL Server
* bv-Control for Oracle
* bv-Control for CheckPoint Firewall-1
* bv-Control for SAP
Other:
* RMS Console
* bv-Control for Internet Security

21 Patch Management

22 What is a patch?
A patch, or hot fix, is an updated file or set of files (exe, dll, sys, etc.) that fixes a software flaw.
Two types of patches:
* Security patches: patches that address known security vulnerabilities
* Non-security patches: patches that improve performance or fix functional problems
Service packs:
* Contain all previously released security and non-security patches (rollups)
* Contain new patches also

23 Race Against Time
Companies have less time to patch software flaws before Internet worms hit their computer systems.

Name of Worm            | Vulnerability Alert | Number of Days | Worm Released
------------------------|---------------------|----------------|----------------
Melissa                 | Dec. 1, '99         | 65             | March 27, '99
Sadmind                 | Dec. 29, '99        | 496            | May 8, '01
Sonic                   | July 18, '00        | 104            | Oct. 30, '00
Bugbear                 | March 29, '01       | 550            | Sept. 30, '02
Code Red                | June 18, '01        | 31             | July 19, '01
Nimda                   | Aug. 15, '01        | 34             | Sept. 18, '01
Spida                   | April 17, '02       |                | May 21, '02
SQL Slammer             | July 24, '02        | 185            | Jan. 25, '03
Slapper                 | July 30, '02        | 46             | Sept. 14, '02
Blaster/Welchia/Nachi   | July 16, '03        | 26             | Aug. 11, '03
Witty                   | March 18, '04       | 2              | March 20, '04
Sasser                  | April 13, '04       | 17             | April 30, '04

24 What is patch management?
The process through which companies:
* determine which patches are missing from their environment
* deploy those patches to end user machines
* verify patches were successfully deployed
"Automation is a key element of the patch management process." – Computerworld, July 2003
"The number of patches released makes it almost imperative to employ automated solutions." – Gartner

25 Two Key Components
* Assessment: an analysis to determine whether or not a target machine is patched
* Packaging & Deployment: the distribution of a patch to a target machine
Speaker notes: the key components map back to the process on the previous slide; refer back to the gap analysis.

26 Deployment Options
Patch Assessment -> Option #1: Packaging -> Deploy to end-user
Patch Assessment -> Option #2: Deploy to end-user w/ software deployment

27 Patches for OS Platforms
Companies have to manually create and keep up to date a spreadsheet illustrating which patch goes for which operating system!

28 Check in with the experts
The manual process of patching thousands of workstations and servers in an environment is “nearly impossible”. (Computerworld/July 14, 2003) “Gartner estimates that IT managers now spend up to two hours every day managing patches.” (Computerworld/July 14, 2003)

29 Patch Assessment-Considerations
Audit the patch process:
* Why is the patch needed?
* Reboot required?
* Unsigned driver?
Conduct an in-depth assessment:
* CVE number
* Affected product
* Reason the patch is missing
* Bulletin ID & name

30 Patch Assessment, how
A comprehensive meta document, called MSSECURE.XML, provides the intelligence used to analyze whether or not a patch is installed. It contains the security bulletin name and title and detailed product-specific security hotfixes, including:
* Files in each hotfix package with their file versions and checksums
* Registry keys that were applied by the hotfix installation package
* Information about which patches supersede other patches
* Related Microsoft Knowledge Base article numbers
* Third-party analysis of threats posed by a patch's vulnerability
* Links to additional information from BugTraq, cross references to CVEs, and more

31 Patch Deployment
Patch packaging:
* Wizard-based package creation
* Decentralized, scalable patch distribution method
* Packaged using standard technology
Patch deployment:
* Packaged UI
* Centralized patch deployment
* Ad-hoc patch distribution
* Test deploy

32 Patch Package – Bat File Creation
This is the bat file an admin would have to create for each machine in order to process the deployment. HUGE! Example bat file created to install patches. Without BindView you would have to create this manually for every workstation and patch.
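The two halves of the process that slides 30 and 32 describe, assessment against a catalog of file versions and supersedence, then generation of the per-machine bat file an admin would otherwise write by hand, as one added example. This is not code from the deck and not BindView's product. The XML is a constructed, simplified catalog carrying the kinds of fields the deck attributes to MSSECURE.XML (bulletin, KB and CVE references, per-product files with versions, supersedence); it is not the real mssecure.xml schema. The bulletin, KB and CVE numbers are the real ones for the RPCSS patches Blaster exploited (MS03-026/MS03-039) and the SQL Resolution Service patch for Slammer (MS02-039), but the file versions, package file names, share path and installer switches are illustrative assumptions.

```python
"""Catalog-driven patch assessment plus per-machine deployment script.

Added example, not code from the original deck or from BindView. CATALOG_XML
is a constructed, simplified catalog (not the real mssecure.xml schema);
file versions, package names, the share path and installer switches are
assumptions made for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CATALOG_XML = """\
<catalog>
  <bulletin id="MS03-026" kb="823980" cve="CVE-2003-0352" reboot="yes">
    <product name="Windows 2000" package="Q823980_W2K_X86.exe">
      <file name="rpcss.dll" version="5.0.2195.6753"/>
    </product>
  </bulletin>
  <bulletin id="MS03-039" kb="824146" cve="CVE-2003-0715" reboot="yes" supersedes="MS03-026">
    <product name="Windows 2000" package="Q824146_W2K_X86.exe">
      <file name="rpcss.dll" version="5.0.2195.6802"/>
      <file name="ole32.dll" version="5.0.2195.6810"/>
    </product>
  </bulletin>
  <bulletin id="MS02-039" kb="323875" cve="CVE-2002-0649" reboot="no">
    <product name="SQL Server 2000" package="Q323875_SQL2000.exe">
      <file name="ssnetlib.dll" version="2000.80.636.0"/>
    </product>
  </bulletin>
</catalog>
"""

# Constructed per-machine inventory: installed products and file versions found on disk.
INVENTORY = {
    "ws-042": {"products": ["Windows 2000"],
               "files": {"rpcss.dll": "5.0.2195.6753", "ole32.dll": "5.0.2195.6655"}},
    "sql-01": {"products": ["Windows 2000", "SQL Server 2000"],
               "files": {"rpcss.dll": "5.0.2195.6802", "ole32.dll": "5.0.2195.6810"}},
}

@dataclass
class Finding:
    machine: str
    bulletin: str
    kb: str
    cve: str
    product: str
    package: str
    reboot: bool
    status: str        # "installed", "missing" or "superseded"
    reason: str = ""   # why the patch is judged missing

def vtuple(version):
    """Compare file versions numerically: as strings '6802' would sort below '6753.1'."""
    return tuple(int(p) for p in version.split("."))

def load_catalog(xml_text):
    return ET.fromstring(xml_text).findall("bulletin")

def assess(machine, info, bulletins):
    """One Finding per bulletin/product pair that applies to this machine."""
    superseded = {b.get("supersedes") for b in bulletins if b.get("supersedes")}
    findings = []
    for b in bulletins:
        for prod in b.findall("product"):
            if prod.get("name") not in info["products"]:
                continue
            reasons = []
            for f in prod.findall("file"):
                have, need = info["files"].get(f.get("name")), f.get("version")
                if have is None:
                    reasons.append(f"{f.get('name')} not found")
                elif vtuple(have) < vtuple(need):
                    reasons.append(f"{f.get('name')} {have} < {need}")
            if b.get("id") in superseded:
                status = "superseded"   # the newer bulletin is what gets reported and deployed
            else:
                status = "missing" if reasons else "installed"
            findings.append(Finding(machine, b.get("id"), b.get("kb"), b.get("cve"),
                                    prod.get("name"), prod.get("package"),
                                    b.get("reboot") == "yes", status, "; ".join(reasons)))
    return findings

def deployment_bat(machine, findings):
    """Generate the per-machine batch file for every bulletin assessed as missing.
    The share path, the /q (quiet) and /z (no restart) switches and the shutdown
    syntax are assumptions for the example."""
    missing = [f for f in findings if f.status == "missing"]
    lines = ["@echo off",
             f"rem generated for {machine}: {len(missing)} patch(es) missing",
             r"set PATCHSRC=\\patchsrv\patches"]
    for f in missing:
        lines.append(f"rem {f.bulletin} (KB{f.kb}, {f.cve}): {f.reason}")
        # START treats its first quoted argument as a window title, hence the empty "".
        lines.append(f'start /wait "" "%PATCHSRC%\\{f.package}" /q /z')
        lines.append(f"if errorlevel 1 echo {f.bulletin} FAILED >> %PATCHSRC%\\logs\\{machine}.log")
    if any(f.reboot for f in missing):   # one reboot at the end, not one per patch
        lines.append('shutdown -r -t 300 -c "Security patches installed; rebooting in 5 minutes"')
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    catalog = load_catalog(CATALOG_XML)
    for name, info in INVENTORY.items():
        findings = assess(name, info, catalog)
        for f in findings:
            print(f"{f.machine:8} {f.bulletin} {f.status:10} {f.reason}")
        print(deployment_bat(name, findings))
```

Two details matter here. Supersedence is applied before the missing/installed decision, so a machine that still has the MS03-026-era rpcss.dll is told it is missing MS03-039 rather than being offered both patches; and version comparison is numeric per component, because a string comparison of file versions is a classic source of false "patched" verdicts.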

33 Solution considerations
* Agentless
* Scalability
* Scheduling
* Baselining
* Executive reporting/view
* Detailed patch analysis
* Comprehensive pre-patch auditing
* Post-patch verification auditing
* Flexible/comprehensive patch selection (critical patches)
* Flexible patch deployment (critical servers)
* Office CD central source
* Rollback capabilities

34 Common Patch Management Tools in Enterprise Environments
* Microsoft Baseline Security Analyzer (MBSA 1.0, 1.2)
* Microsoft Software Update Services (SUS)
* Microsoft Systems Management Server (SMS 2.0, 2003)
* Active Directory Group Policies

35 Microsoft Baseline Security Analyzer (MBSA 1.0, 1.2)
* Designed for small to medium businesses (fewer than 500 machines or 1,500 users)
* No centralized management server or reporting services
* No distributed agents for data collection
* Does not distribute patches
* When used with SMS, developers still have to manually create patch packages

36 Microsoft Software Update Services (SUS)
* A corporate, in-house windowsupdate.com
* Does not evaluate "back office" applications such as Exchange or IIS
* No reporting, only basic log analysis
* No distributed agents or distribution points

37 Microsoft Systems Management Server (SMS 2.0, 2003)
* Does not specifically target security
* Software deployments (including patches) must be created manually
* No easy way to report on only security patch deployments

38 Active Directory Group Policies
* Not designed for patch deployment
* Cannot report on software deployments
* Targeting distribution points is cumbersome: you must use multiple GPOs, which is not recommended
* Cannot monitor software pushes

39 Q&A

