Vulnerability and Patch Management Dr. Thomas Moore, Ph.D. EMBA, BCSA, BCSP, CISSP, CISM, LCNAD


Page 2: Vulnerability Management: What, why, how

Page 3: What is Vulnerability Management?

The ability to assess and secure multi-platform environments.

– Protection from internal vulnerabilities such as:
• Machines that do not have the latest hot fixes or service packs loaded
• People who have inappropriate rights to files and directories
• Users who have no passwords or easily guessed passwords
• Accounts that have not been disabled once an employee is no longer with the company
• Employees who are going against corporate policies and who are sending emails with inappropriate content

– Protection from external vulnerabilities such as:
• Unknown/unsecured IP devices
• Open ports
• Easily guessed passwords

Page 4: What is Vulnerability Management?

Combination of management and security tools into one product. Examples of management tools:
– Automated documentation for disaster recovery
– Disk space analysis
– Content scanning (MS Exchange)
– Mailbox moves (MS Exchange)
– Change impact analysis (MS SQL)

The ability to audit and document your improved security.
– Requisite in banking/healthcare/government or any highly regulated industry
– Staff augmentation (cost savings)

Page 5: Why Vulnerability Management

According to Gartner:
– Security continues to be one of the top three issues for CIOs.
– Windows, IIS and SQL Server are the three key areas prone to attack.
– 2004 was the first time that the security budget for the average enterprise constituted more than 5% of the overall IT budget – showing up on the CIO’s pie chart.

Page 6: Why Vulnerability Management

Also according to Gartner, some ways to quantify what you do are:
• What percentage of known attacks is the organization vulnerable to?
• When was that percentage calculated?
• What percentage of company software, people and supplies have been reviewed for security issues?
• What percentage of downtime is the result of security problems?
• What percentage of nodes in the network are managed by IT?

Page 7: CIO Magazine/PWC survey, 15OCT04

The top three security-related organizational priorities for 2004 were:
• Raise end user awareness of policy & procedures – 55%
• Train staff – 41%
• Develop security policies and standards – 35%

This same survey stated that 80% of North American companies used liability as a justification for security investments.

Also in the study, security investments are justified due to:
• Liability/exposure – 69%
• Regulatory requirements – 53%
• Revenue impact – 40%

Page 8: Vulnerability Management: More Insight

According to a Summer 2003 InfoPro Study, the top operational problems or pain points that are driving spending are:
* Audit/compliance related – 41%
* Technology related – 40%
* Standards related – 16%

“The numbers are staggering: 82,094 new vulnerabilities discovered in software and hardware last year. That's up 64 percent from 2001. And in the first quarter of this year alone, the number was 76,404. The volume of flaws found has been rising at an alarming rate for as long as people have kept statistics.” --eWeek, Aug. 11, 2003

Page 9: VM Trends

Windows and .NET Magazine (May) 2002 vs. 2003 Study Results
“Which of the following would you say is your company's highest priority technology initiative for IT in the next year?”

Initiative                            2003 Study   2002 Study
Managing Infrastructure               25%          20%
Operating System Upgrades             15%          15%
Shoring up Security                   14%          16%
Increasing Disaster Recovery Cap      12%          14%
Hardware Upgrades*                     8%          –
Application Software Upgrades          8%          12%
Better Support for Remote Workers      5%           8%
Expanding Storage Capacity             5%           8%
Implementing Wireless Technologies     4%           5%

* Hardware upgrades not asked in 2002.

• Manage infrastructure still #1!
• OS upgrades and security (equal)

Page 10: Why implement a VM solution?

• Multiple threats across a complex IT infrastructure
• Multiple IT managers are accountable for specific pieces of the infrastructure, but not all
• Native tools do not provide enterprise-level, consolidated assessment and audit
• A breach in any one area can affect the entire infrastructure
• Organizations must comply with some mandated standards and practices across the enterprise
• Time and efficiencies gained

Page 11: Quick Quiz

1. How many machines does it take to make a network completely vulnerable?
2. Name three ways a network may be vulnerable.

Page 12: Risk Management Lifecycle

[Diagram: a repeating cycle with the stages Define Rules, Audit/Analyze, Assign, Notify, Remediate, Certify/Verify, Publish and Repeat, spanning Policy Compliance, Vulnerability Management, and Directory Administration & Migration.]

Page 13: Benefits of Lifecycle

• Increase audit coverage and frequency
• Look at ALL your servers and workstations, ALL the time
• Provide policies to measure against
• Achieve constant state of audit

More Coverage + Complete Policies = Less Risk

Page 14: Automating the Lifecycle

• What percentage of your machines do you audit regularly today?
• For best security, how many should you audit?
• How often do you complete your audit cycle?
• Only an automated solution can:
– Audit 100% of machines
– Increase your audit frequency
– Decrease the time to remediate
– Reduce risks AND reduce costs at the same time

Page 15: Sustainability

• Is this more work than you are doing today?
– YES!! And it will continue to grow…
– Start now!
• With all the other things that are going on, how can I not only create – but maintain – a secure environment?
– Create policies
– Automate assessment with software tools (VM)
– Remediate (VM)
– Evaluate (VM)
– Start over! (VM – using scheduling)

Page 16: Any pitfalls?

Technical:
• Depth of reporting (granularity, ad-hoc vs. predefined)
• Closed-loop problem identification and remediation
• Scalability
– Agents and their associated maintenance
– Parallel processing
• Lack of centralized management (combination of security, auditing and management tools bundled into product)

Page 17: Other benefits

Business reasons:
• 30-70% reduction in business losses due to downtime
• 20-70% reduction in lost opportunity costs
• 20-50% reduction in mediation, recovery time and associated costs
• 10-30% reduction in lost productivity of non-IT personnel
• 1-2% legal exposure and costs
• 10-30% deployment and maintenance

Page 18: Testimonials

“(VM) solutions reduced our business loss and downtime when NIMDA hit.” “…put out the 1.1 million hits that we took. That was huge.” – Large mid-west financial organization

“…vulnerability management solution, we realized more than $1,000,000 in ROI.” – Florida Hospital

Page 19: New trends

Non-credentialed scans
• Benefits
– Cross-platform
– Doesn’t require administrative rights to scan device
– Keep up with the latest vulnerabilities
– O/S fingerprinting with version identification
– Identify every IP device on the network

[Diagram: Total Devices – Managed – Unmanaged; Rogue Machines]

Page 20: Patch Management

Page 21: What is a patch?

• A patch, or hot fix, is an updated file or set of files (exe, dll, sys, etc.) that fixes a software flaw
• Two types of patches:
– Security patches: patches that address known security vulnerabilities
– Non-security patches: patches that improve performance or fix functional problems
• Service Packs
– Contain all previously released security and non-security patches (rollups)
– Contain new patches also

Page 22: Race Against Time

Companies have less time to patch software flaws before Internet worms hit their computer systems.

Name of Worm            Vulnerability Alert   Number of Days   Worm Released
Melissa                 Dec. 1, '99           65               March 27, '99
Sadmind                 Dec. 29, '99          496              May 8, '01
Sonic                   July 18, '00          104              Oct. 30, '00
Bugbear                 March 29, '01         550              Sept. 30, '02
Code Red                June 18, '01          31               July 19, '01
Nimda                   Aug. 15, '01          34               Sept. 18, '01
Spida                   April 17, '02         34               May 21, '02
SQL Slammer             July 24, '02          185              Jan. 25, '03
Slapper                 July 30, '02          46               Sept. 14, '02
Blaster/Welchia/Nachi   July 16, '03          26               Aug. 11, '03
Witty                   March 18, '04         2                March 20, '04
Sasser                  April 13, '04         17               April 30, '04

[Chart: Number of days a worm is released after a vulnerability is announced; vertical axis 0 to 600 days; labelled worms Melissa, Sonic, Code Red, Spida, Slapper, Witty.]

Page 23: What is patch management?

The process through which companies…
• determine which patches are missing from their environment
• deploy those patches to end user machines
• verify patches were successfully deployed

“Automation is a key element of the patch management process.” – Computerworld, July 2003

“The number of patches released makes it almost imperative to employ automated solutions” – Gartner

Page 24: Two Key Components

• Assessment: an analysis to determine whether or not a target machine is patched
• Packaging & Deployment: the distribution of a patch to a target machine

Page 25: Deployment Options

[Diagram: Patch Assessment, followed by either Option #1: Packaging, then deploy to end-user w/ software deployment; or Option #2: Deploy to end-user directly.]

Page 26: Patches for OS Platforms

Companies have to manually create and keep up to date a spreadsheet illustrating which patch goes for which operating system!

Page 27: Check in with the experts

• The manual process of patching thousands of workstations and servers in an environment is “nearly impossible”. (Computerworld/July 14, 2003)
• “Gartner estimates that IT managers now spend up to two hours every day managing patches.” (Computerworld/July 14, 2003)

Page 28: Patch Assessment – Considerations

• Audit the patch process
– Why is the patch needed?
– Reboot required?
– Unsigned driver?
• Conduct an in-depth assessment
– CVE number
– Affected product
– Reason patch is missing
– Bulletin ID & name

Page 29: Patch Assessment, how

A comprehensive meta document, called MSSECURE.XML, provides the intelligence used to analyze whether or not a patch is installed. It contains the security bulletin name and title and detailed product-specific security hotfixes, including:
– Files in each hotfix package with their file versions and checksums
– Registry keys that were applied by the hotfix installation package
– Information about which patches supersede other patches
– Related Microsoft Knowledge Base article numbers
– Third-party analysis of threats posed by a patch’s vulnerability
– Links to additional information from BugTraq, cross references to CVEs, and more
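One way to turn such a catalogue into a patch-presence check, as an added example that is not BindView's or Microsoft's code: the XML below is a constructed, simplified stand-in for MSSECURE.XML (element and attribute names, hotfix names, bulletin IDs, CVE IDs and checksums are all assumed), and the two host inventories are constructed as well. The check compares file versions and checksums, confirms the hotfix's registry keys, honours supersedence, and reports the bulletin, CVE, reboot flag and reason a patch is missing, which are the items the assessment considerations on Page 28 ask for.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for MSSECURE.XML (assumed element/attribute names, not the
# real schema): per hotfix, the files it ships with version and checksum, the
# registry keys its installer writes, and which older hotfix it supersedes.
CATALOG_XML = r"""<SecurityCatalog>
  <Bulletin BulletinID="MS-EXAMPLE-001" CVE="CVE-0000-0001" Title="Example fix A">
    <Patch Name="Q000001" RebootRequired="yes">
      <File Name="example.dll" Version="5.1.2600.1100" Checksum="1a2b3c"/>
      <Registry Key="HKLM\SOFTWARE\Updates\Q000001"/>
    </Patch>
  </Bulletin>
  <Bulletin BulletinID="MS-EXAMPLE-002" CVE="CVE-0000-0002" Title="Example fix B (rollup)">
    <Patch Name="Q000002" RebootRequired="yes">
      <Supersedes Name="Q000001"/>
      <File Name="example.dll" Version="5.1.2600.1200" Checksum="4d5e6f"/>
      <Registry Key="HKLM\SOFTWARE\Updates\Q000002"/>
    </Patch>
  </Bulletin>
  <Bulletin BulletinID="MS-EXAMPLE-003" CVE="CVE-0000-0003" Title="Example driver fix">
    <Patch Name="Q000003" RebootRequired="no">
      <File Name="other.sys" Version="5.1.2600.1050" Checksum="abc123"/>
      <Registry Key="HKLM\SOFTWARE\Updates\Q000003"/>
    </Patch>
  </Bulletin>
</SecurityCatalog>"""

# Constructed host inventories: file name -> (version, checksum), plus registry keys found.
HOST_A_FILES = {"example.dll": ("5.1.2600.1200", "4d5e6f"), "other.sys": ("5.1.2600.1000", "9f9f9f")}
HOST_A_KEYS = {r"HKLM\SOFTWARE\Updates\Q000002"}
HOST_B_FILES = {"example.dll": ("5.1.2600.1100", "deadbeef"), "other.sys": ("5.1.2600.1050", "abc123")}
HOST_B_KEYS = {r"HKLM\SOFTWARE\Updates\Q000001", r"HKLM\SOFTWARE\Updates\Q000003"}


def _ver(text):
    """'5.1.2600.1100' -> (5, 1, 2600, 1100) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def load_catalog(xml_text):
    """Flatten the catalogue into one record per hotfix."""
    patches = []
    for bulletin in ET.fromstring(xml_text).iter("Bulletin"):
        for patch in bulletin.iter("Patch"):
            patches.append({
                "name": patch.get("Name"),
                "bulletin": bulletin.get("BulletinID"),
                "cve": bulletin.get("CVE"),
                "reboot": patch.get("RebootRequired") == "yes",
                "files": [(f.get("Name"), _ver(f.get("Version")), f.get("Checksum"))
                          for f in patch.iter("File")],
                "keys": [r.get("Key") for r in patch.iter("Registry")],
                "supersedes": [s.get("Name") for s in patch.iter("Supersedes")],
            })
    return patches


def missing_reasons(patch, host_files, host_keys):
    """Empty list if the hotfix is present; otherwise every reason it counts as missing."""
    reasons = []
    for name, required, checksum in patch["files"]:
        if name not in host_files:
            reasons.append(f"{name} not found")
            continue
        have_version, have_checksum = host_files[name]
        if _ver(have_version) < required:
            reasons.append(f"{name} is {have_version}, older than the hotfix version")
        elif _ver(have_version) == required and have_checksum != checksum:
            # Right version string but wrong bytes: a bad copy or a tampered binary.
            reasons.append(f"{name} checksum mismatch")
    for key in patch["keys"]:
        if key not in host_keys:
            reasons.append(f"registry key {key} absent")
    return reasons


def assess(xml_text, host_files, host_keys):
    """Report hotfixes missing from a host, skipping ones a newer installed hotfix supersedes."""
    patches = load_catalog(xml_text)
    installed = {p["name"] for p in patches if not missing_reasons(p, host_files, host_keys)}
    superseded = {old for p in patches if p["name"] in installed for old in p["supersedes"]}
    return [{"patch": p["name"], "bulletin": p["bulletin"], "cve": p["cve"],
             "reboot_required": p["reboot"],
             "reasons": missing_reasons(p, host_files, host_keys)}
            for p in patches if p["name"] not in installed and p["name"] not in superseded]
```

Host A is only missing Q000003 (Q000001 is not reported because the installed rollup Q000002 supersedes it); host B is missing Q000001 through a checksum mismatch and Q000002 through an old file version and absent registry key.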

Page 30: Patch Deployment

Patch packaging:
– Wizard-based package creation
– Decentralized, scalable patch distribution method
– Packaged using standard technology

Patch deployment:
– Packaged UI
– Centralized patch deployment
– Ad-hoc patch distribution
– Test deploy

Page 31: Patch Package – Bat File Creation

Example bat file created to install patches. Without BindView you would have to create this manually for every workstation and patch.

Page 32: Solution considerations

– Agentless
– Scalability
– Scheduling
– Baselining
– Executive reporting/view
– Detailed patch analysis
– Comprehensive pre-patch auditing
– Post-patch verification auditing
– Flexible/comprehensive patch selection (critical patches)
– Flexible patch deployment (critical servers)
– Office CD central source
– Rollback capabilities

Page 33: Common Patch Management Tools in Enterprise Environments

– Microsoft Baseline Security Advisor (MBSA 1.0, 1.2)
– Microsoft Software Update Service (SUS)
– Microsoft Systems Management Server (SMS 2.0, 2003)
– Active Directory Group Policies

Page 34: Microsoft Baseline Security Advisor (MBSA 1.0, 1.2)

– Designed for small to medium businesses (less than 500 machines or 1500 users)
– No centralized management server or reporting services
– No distributed agents for data collection
– Does not distribute patches
– When used with SMS, developers still have to manually create patch packages

Page 35: Microsoft Software Update Service (SUS)

– Corporate windowsupdate.com
– Does not evaluate “back office” applications such as Exchange or IIS
– No reporting, only basic log analysis
– No distributed agents or distribution points

Page 36: Microsoft Systems Management Server (SMS 3.0)

– Does not specifically target security
– Software deployments (including patches) must be created manually
– No easy way to report on only security patch deployments

Page 37: Active Directory Group Policies

– Not designed for patch deployment
– Cannot report on software deployments
– Targeting distribution points is cumbersome: you must use multiple GPOs, which is not recommended
– Cannot monitor software pushes

Page 38: Q&A