A Best Practice Approach to Third Party Patching
Mike Grueber, Senior Product Manager
SYMANTEC VISION 2012
Effective patch management is essential
90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.
Terrence Cosgrove, Gartner Symposium/IT Expo, “Managing the Next Generation Desktop”
Agenda
1. Importance of third party applications
2. The “4A” model: A best practice approach
3. Tips and tricks
4. Additional resources
Top 15 Most Vulnerable Applications
Application                  Total  High  Medium  Low  Score
Apple Safari                    81     2      71    8    413
Mozilla Firefox                 44     3      30   11    236
Google Chrome                   61     1      30   30    205
Microsoft Internet Explorer     34     1      30    3    178
Adobe Flash Player              34     0      34    0    170
Adobe Reader                    34     0      34    0    170
Java Runtime Environment        28     5       5   18    168
Adobe Acrobat                   32     0      32    0    160
Adobe Air                       28     0      28    0    140
Mozilla SeaMonkey               26     1      20    5    130
Microsoft Office                22     0      22    0    110
Mozilla Thunderbird             18     1      14    3     98
Adobe Shockwave Player          18     0      18    0     90
Oracle Database Server           9     3       0    0     81
Microsoft Visio                  3     3       0    0     75
Based on data feeds from National Vulnerability Database
Internet Browsers and Plug-Ins
“IT organizations must strive for continuous improvement in vulnerability detection and rapid security patch management, especially in often overlooked non-Microsoft components that are web-facing.”
“All internet-based applications especially browsers and browser plug-ins (i.e., Adobe and Apple QuickTime), should be a top patching priority.”
Gartner Research Note, “Top 10 Steps to Avoid Malware Infections”
Internet Security Report Year in Review
• 30% increase in overall number of vulnerabilities (6,253)
• 161% increase in new vendors affected by vulnerabilities
• Chrome and Safari vulnerabilities on the rise
• 346 vulnerabilities affecting browser plug-ins
Third Party Coverage
Altiris Patch Management Solution 7.1 SP1+
• 7-Zip
• Adobe Acrobat
• Adobe AIR
• Adobe Flash
• Adobe In-Design
• Adobe Reader
• Adobe Shockwave Player
• AOL Instant Messenger
• Apple iTunes
• Apple QuickTime
• Apple Safari
• Citrix Delivery Controller SDK
• Citrix MetaFrame XP for Microsoft Windows
• Citrix Password Manager Console/Agent/Plug-In
• Citrix Presentation Server for Microsoft Windows
• Citrix Provisioning Services
• Citrix Single Sign-On Console/Agent
• Citrix Virtual Desktop Agent
• Citrix XenApp
• Citrix XenDesktop
• EMC Mozy
• Foxit Reader
• Google Chrome
• Google Desktop
• Google Earth
• Google Picasa
• Google Talk
• HP System Management Homepage
• LibreOffice
• Lightning UK ImgBurn
• Mozilla Firefox
• Mozilla SeaMonkey
• Mozilla Thunderbird
• Nullsoft Winamp
• Opera
• Oracle OpenOffice.Org
• Rarlab WinRAR
• RealPlayer
• RealVNC
• RIM Blackberry Desktop Manager
• Skype
• SourceForge.Net Audacity
• SourceForge.Net FileZilla
• SourceForge.Net Pidgin
• Sun Java Runtime Environment
• UltraVNC
• VLC Media Player
• WinZip
• Wireshark
• Yahoo Messenger
The “4A” model: A best practices approach
The Primary Challenge
Help Security and Operations teams strike an optimal balance between risk and cost
Security Team: Risk
Vulnerabilities:
• Coverage
• Timeliness
Operations Team: Impact & Cost
Patches & Workarounds:
• Coverage
• Accurate priorities
• Optimal process
• Minimal impact
The “4A” Model
[Diagram. Teams: Security Team; Change Management Team; Computer and Server Admins. Documents: Risk Assessment; Remediation Strategy; Compliance Report; Impact Report]
The “4A” Model – Assessment Phase
• Primary Role: Security Officer
• Inputs:
  • Security advisories/bulletins and threat management alerts/feeds
  • List of endpoints that are likely to have a given vulnerability
• Goals:
  • Learn as soon as possible about potential updates
  • Perform an initial evaluation of the situation
  • Assign a priority to updates
  • Promptly notify the appropriate people/organizations
• Output: Risk Assessment assigning priority to each update
Assessment Phase – Nature of Vulnerability
Assessment Phase – Impact on Your Environment
Assessment Phase – Define Custom Severity Levels
Assessment Phase – Assign Custom Severity Levels
The “4A” Model – Analysis Phase
• Primary Role: Change Manager
• Input: Risk Assessment
• Goals:
  • Identify the full scope
  • Assess the potential impact
  • Deliver the Remediation Strategy
• Output: Remediation Strategy, which identifies updates to be applied, endpoints to be targeted and excluded, roll back plan, etc.
Analysis Phase – Release Vehicles
• Monthly Releases
  • Severity 2 updates
  • Rollout to begin on Thursday following second Tuesday of each month (i.e. “Patch Tuesday”)
• Bi-annual Releases
  • Severity 3 updates
  • Rollout to begin on Thursday following monthly release during February and August
• Out of Band Releases
  • Severity Level 1 updates
  • No set rollout schedule
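The release vehicles as a date calculation, added here as an example that is not part of the original presentation: given an update's custom severity level and the date it was assessed, it returns the first scheduled rollout date. It assumes the bi-annual rollout starts one week after the monthly rollout Thursday and that an update assessed on a rollout day still makes that release; the function names are illustrative.

```python
from datetime import date, timedelta

BIANNUAL_MONTHS = (2, 8)          # February and August, per the slide
BIANNUAL_LAG = timedelta(days=7)  # assumption: the Thursday after the monthly rollout Thursday


def patch_tuesday(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)


def release_start(severity, year, month):
    """Scheduled rollout start in this month for a severity level, or None if none is scheduled."""
    monthly = patch_tuesday(year, month) + timedelta(days=2)  # Thursday after Patch Tuesday
    if severity == 2:
        return monthly
    if severity == 3 and month in BIANNUAL_MONTHS:
        return monthly + BIANNUAL_LAG
    return None


def rollout_start(severity, assessed_on):
    """First scheduled rollout date on or after `assessed_on`.

    Returns None for severity 1: out-of-band releases have no set schedule.
    """
    if severity == 1:
        return None
    if severity not in (2, 3):
        raise ValueError(f"unknown custom severity level: {severity}")
    year, month = assessed_on.year, assessed_on.month
    for _ in range(13):  # a bi-annual slot is never more than a year away
        start = release_start(severity, year, month)
        # Assumption: an update assessed on the rollout day still makes that release.
        if start is not None and start >= assessed_on:
            return start
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise RuntimeError("no release slot found")  # unreachable with the rules above


if __name__ == "__main__":
    print(rollout_start(2, date(2012, 12, 14)))  # missed December, rolls to January
    print(rollout_start(3, date(2012, 3, 1)))    # waits for the August bi-annual release
```
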
Analysis Phase – Phased Rollouts
• To mitigate risk, roll out updates to different groups of computers in phases
  • Test environment (lab)
  • Pilot group (often subset of IT group, or power users of an application)
  • Production (computers in production environment often broken down into multiple groups)
• If problems discovered during testing
  • Defer rollout of update
  • Exclude certain computers from rollout
• In addition to prioritizing updates, also prioritize groups of computers to which update will be distributed
  • Business criticality
  • Likelihood of exposure to vulnerability
  • System availability requirements
  • System redundancy
The “4A” Model – Application Phase
• Primary Role: Computer/Server Administrator
• Input: Remediation Strategy
• Goals:
  • Apply software updates on a timely basis
  • Apply software updates in a manner that appropriately mitigates the risks involved
• Output: Compliance Report verifying that required updates have been successfully applied to a requisite percentage of relevant endpoints
Application Phase – Phased Rollouts
[Diagram: rollout timeline from Release Date. Groups shown: Test Group (Lab); Pilot Group (IT); Production Group #1; Production Group #2; Production Group #3]
Application Phase - Compliance Report
• Verify that expected compliance rate was achieved according to terms of SLA
• Note that Compliance Rate is calculated based on computers that have been scanned
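Because the compliance rate counts only scanned computers, a group can meet its SLA on paper while many of its endpoints have never reported. The following added example (not from the original presentation or from the Altiris product) computes the rate next to scan coverage and a worst-case rate per rollout group; the record fields, the inventory and the 90% SLA are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    name: str
    group: str               # rollout group (hypothetical field names)
    patched: Optional[bool]  # None = endpoint has not been scanned for this update


def compliance_report(endpoints, sla_rate):
    """Per-group compliance for one update.

    rate       = patched / scanned   (scanned computers only, as the slide notes)
    coverage   = scanned / total
    worst_case = patched / total     (every unscanned endpoint counted as unpatched)
    """
    groups = defaultdict(list)
    for ep in endpoints:
        groups[ep.group].append(ep)
    report = {}
    for group, members in groups.items():
        scanned = [ep for ep in members if ep.patched is not None]
        patched = sum(1 for ep in scanned if ep.patched)
        rate = patched / len(scanned) if scanned else None
        worst_case = patched / len(members)
        report[group] = {
            "rate": rate,
            "coverage": len(scanned) / len(members),
            "worst_case": worst_case,
            "meets_sla": rate is not None and rate >= sla_rate,
            # True when unscanned endpoints alone could put the group below the SLA.
            "sla_at_risk": worst_case < sla_rate,
            "unscanned": sorted(ep.name for ep in members if ep.patched is None),
        }
    return report


# Constructed sample inventory: 10 pilot machines, 30 production machines.
SAMPLE = (
    [Endpoint(f"pilot-{i:02d}", "Pilot Group (IT)", True) for i in range(10)]
    + [Endpoint(f"prod1-{i:02d}", "Production Group #1", True) for i in range(19)]
    + [Endpoint("prod1-19", "Production Group #1", False)]
    + [Endpoint(f"prod1-{i:02d}", "Production Group #1", None) for i in range(20, 30)]
)

if __name__ == "__main__":
    for group, row in compliance_report(SAMPLE, sla_rate=0.90).items():
        print(group, row["rate"], round(row["coverage"], 2), row["sla_at_risk"])
```

In the sample, Production Group #1 reports 95% compliance, but only two thirds of its machines have been scanned, so the unscanned list is what needs follow-up before the SLA is signed off.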
The “4A” Model – Advancement Phase
• Primary Roles: All involved in process
• Inputs:
  • Lessons learned
  • Data analysis
• Goals:
  • Ongoing evaluation and fine-tuning of process
  • Continuous improvement
• Output: Process improvements
Installing under System Account
• Some third party vendor packages (e.g. Sun JRE) cannot be installed under System Account
• By default, Patch policies install updates under the System Account
• The account used to install each package can be configured in Resource Manager
Disabling previously installed versions in use
• Updates to Sun JRE require that previously installed versions be disabled before installing a new version/update
• The batch file which drives the installation of Sun JRE updates does not disable previously installed versions before attempting to install the new version/update, as this could result in unexpected user disruption
• Workaround is documented in release notes (i.e. Add 'tskill java /A' command to batch file)
• View command line information in Resource Manager
• Locate batch file in folder for package associated with update
• Modify batch file
Maintaining application customizations
• Third party vendors such as Adobe sometimes address security issues in packages that install a full version of the application rather than in a hot fix that only updates the affected files
• Updates distributed as full installation packages may fail to preserve customizations made to previously installed versions of the application (e.g. turning off an auto update feature)
• Customizations can be “preserved” by:
  • Running a separate task following installation of the update;
  • Creating a transform file, adding the transform file to the package folder associated with the update, and creating a custom command line for the update package
Application Customizations - Adobe Flash
• Auto-update configuration settings stored in mms.cfg file
• For Flash 8 and later, mms.cfg is stored in the following location:
  • Windows NT, 2000: \\WINNT\System32\Macromed\Flash
  • Windows XP, Vista: \\WINDOWS\System32\Macromed\Flash
  • Windows 64 bit: \\Windows\SysWOW64
• For more information, see: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
Parameter               Default  Description
AutoUpdateDisable       0        0 allows auto-update based on user settings; 1 disables auto-update.
SilentAutoUpdateEnable  1        0 allows background update; 1 disables background update.
Application Customizations - Adobe Acrobat and Reader
Three ways to customize installation
• Command line
• Changes to registry following distribution
• Customization wizard
• For more information, see Enterprise Administration Guide: http://helpx.adobe.com/content/dam/kb/en/837/cpsid_83709/attachments/Acrobat_Enterprise_Administration.pdf
Adobe Acrobat and Reader – Command Line
• Set value of Windows Installer properties on command line
• e.g. msiexec /i "[UNC PATH]\AdbeRdr1010_en_US.msi" EULA_ACCEPT=YES /qn
Adobe Acrobat and Reader – Registry changes
• Administrator’s Information Manager (dictionary of 450 registry/plist preferences)
• Example #1 – Disable automatic updates and remove associated user interface items
• Example #2 – Disable prompts for upgrades to next major version (e.g. 10.0 to 11.0)
• For more information, see http://learn.adobe.com/wiki/download/attachments/46432650/AIM.air
Adobe Acrobat and Reader – Customization Wizard
• Free utility that enables pre-deployment installation customization
• Creates transform file that gets applied to .MSI at installation time
• See: ftp://ftp.adobe.com/pub/adobe/acrobat/win/10.x/10.0.0/misc/
Adding Transform File to Software Update Package
Creating Custom Command Line
Additional Resources
• For tips and tricks on installing applications and updates to those applications, see IT Ninja (formerly AppDeploy): www.itninja.com/tips
• For informative discussions among system administrators regarding the distribution of software updates, subscribe to the Patch Management Mailing List: www.patchmanagement.org
• For more questions and answers regarding use of the Altiris Patch Management Solution, see Symantec Connect: http://www.symantec.com/connect/endpoint-management/forums
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Mike Grueber