Patch management
Marcus Alldrick
SecureLondon conference, 28 July 2009
© Lloyd’s (patch management SecureLondon 0709 v01)
Trends
Continued rapid evolution of attack strategies / sophistication
Web applications increasingly vulnerable and targeted
Decrease in mass mailing viruses and worms
Trojans increasing, notably in data stealing malware
2007: 52%, 2008: 87%, Q1 2009: 93%
Source: TrendLabs, 2009
Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java
Motivation predominantly illicit economic gain
More financial investment in vulnerability exploitation due to ROI
Intellectual property emerging as the target
Zero day vulnerabilities increasing
Difficult education messages to business and customers persist
Trends cont.
5,491 vulnerabilities in 2008, 19% increase on 2007
High severity vulnerabilities decreased from 4% to 2% in 2008
Medium vulnerabilities increased from 61% to 67% in 2008
80% of vulnerabilities classified as easily exploitable (74% in 2007)
63% of vulnerabilities affected Web applications (59% in 2007)
Browser vulnerabilities in 2008: Mozilla browsers 99, Internet Explorer 47, Apple Safari 40, Opera 35, Google Chrome 11
XSS, SQL injection and file include vulnerabilities predominate
95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009
Top exploitation: Conficker
Press coverage: SC Magazine, www.bbc.co.uk/news, The Guardian
Microsoft offers $250,000 bounty for authors of the Conficker worm
SC Magazine
"The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created."
Thomas Cross, IBM ISS
DarkReading.com
Top 10 Vendors with the most vulnerability disclosures
Ranking  Vendor     Disclosures
1        Microsoft  3.16%
2        Apple      3.04%
3        Sun        2.19%
4        Joomla!    2.07%
5        IBM        2.00%
6        Oracle     1.65%
7        Mozilla    1.43%
8        Drupal     1.42%
9        Cisco      1.23%
10       TYPO3      1.23%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Top 10 operating systems with the most vulnerabilities reported
Ranking  Operating system               Disclosures
1        Apple Mac OS X Server          14.3%
1        Apple Mac OS X                 14.3%
3        Linux Kernel                   10.9%
4        Sun Solaris                    7.3%
5        Microsoft Windows XP           5.5%
6        Microsoft Windows 2003 Server  5.2%
7        Microsoft Windows Vista        5.1%
8        Microsoft Windows 2000         4.8%
9        Microsoft Windows 2008         4.1%
10       IBM AIX                        3.7%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Recent surveys
Technology is one of the highest priorities for companies yet many companies do not know what risks they now face
47% of surveyed European companies use vulnerability scanning tools
Source: The Global State of Information Security Survey, 2008
65% of respondents conduct vulnerability scanning at least annually
Both emerging technology and increasing sophistication of threats seen as less of a barrier last year compared to 2007
~70% saw inadequate Patch Management as a medium/high issue
Virus & worm attacks, email attacks and phishing/pharming dominate
Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009
Economic distress will exacerbate the situation
Security seen as a cost and therefore at risk of reduction
Increased opportunity and incentive for attackers
Main consequences of exploitation
Consequence: Description
Bypass security: Circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation: Manipulation of data used/stored by host and used by service or application
Denial of Service: Crash/disrupt a service or system to take down a network
File manipulation: Create, delete, modify, overwrite or read files
Gain access: Obtain local/remote access including execution of code/commands
Gain privileges: Obtain local privileges
Obtain information: Obtain file and path names, source code, passwords, configuration details, etc.
Reactive remediation
Malware infection and system failure remain the incident types that require most staff time to fix
7% of infections took 11-50 man days to recover
1% of infections took >100 man days
Source: Information Security Breaches Survey 2008, BERR
Constraints
Patch overload
Different builds
Complexity of patches
Device connectivity
Resource constraints
Testing timescales
Testing infrastructure
Application dependency
Lack of / inadequate asset inventories
Lack of / inadequate configuration management
Scheduling / downtime / business impact
Patch Management process
Identify patch & vulnerability → Assess risk of vulnerability → Perform impact analysis → Test patch → Pilot patch → Roll out patch → Review and report → Patch rest of devices
Vulnerability Management
Vulnerability Management encompasses Security Alert Management, Patch Management, Incident Management and Vulnerability Assessment
Security alerts – proactive
Patch management – preventative
Security incidents – reactive / curative
Vulnerability assessment – indicative monitoring
ITIL V3 Process Summary
Service Strategy: Business Requirements; IT Policies & Strategies
Service Design: Service Level Mgmt; Availability Mgmt; Info Security Mgmt
Service Transition: Change Management; Asset & Config Mgmt
Service Operation: Event Management; Incident Management; Problem Management; Patch Management
Key considerations
Mandate through agreed Patch Management strategy and policy
Senior Management buy-in and support essential
Conflicts between patching and business operations must be resolved
Schedule patch activity as BAU but allow for emergencies
Prioritise patches based on risk to organisation
Implement standard builds
Reduce local admin privileges
Maintain asset inventories / configuration management
Consider application whitelisting
Formulate integrated process and automate wherever possible
Allocate adequate resource, both management and line
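The process slide (identify, assess risk, impact analysis, test, pilot, roll out, review) and the considerations above (maintain asset inventories, prioritise by risk to the organisation, schedule as BAU but allow for emergencies) can be exercised in code. The following is an added example, not code from the Lloyd's deck: it reconciles a constructed asset inventory against required patches, ranks missing patches by a constructed risk weighting (severity × exposure, doubled when an exploit is public), and enforces the stage order so a patch cannot be rolled out without testing, with a constructed emergency rule that lets a tested patch skip only the pilot.

```python
"""Risk-based patch prioritisation with a staged roll-out.

Added example for the "Patch Management process" and "Key considerations"
slides; it is not code from the Lloyd's deck. The risk weights, stage rules
and all asset/patch data are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    """Lifecycle stages, following the deck's process flow."""
    IDENTIFIED = 1   # patch & vulnerability identified
    ASSESSED = 2     # risk assessed, impact analysis done
    TESTED = 3       # patch tested
    PILOTED = 4      # piloted on a small group of devices
    ROLLED_OUT = 5   # rolled out to the rest of the estate
    REVIEWED = 6     # reviewed and reported


@dataclass
class Asset:
    hostname: str
    internet_facing: bool
    installed: set = field(default_factory=set)  # patch ids already applied


@dataclass
class Patch:
    patch_id: str
    severity: int          # constructed scale: 1 low .. 4 critical
    exploit_public: bool   # is a working exploit publicly available?
    stage: Stage = Stage.IDENTIFIED


def missing_patches(assets, patches):
    """Reconcile the asset inventory against the required patch list.

    Returns {patch_id: [hostnames lacking that patch]}. Without an accurate
    inventory this step cannot be done, which is why the deck lists
    inventories and configuration management as key constraints.
    """
    return {
        p.patch_id: [a.hostname for a in assets if p.patch_id not in a.installed]
        for p in patches
    }


def risk_score(patch, affected):
    """Score = severity x exposure, doubled when an exploit is public.

    Exposure counts an internet-facing asset twice (constructed weighting).
    """
    exposure = sum(2 if a.internet_facing else 1 for a in affected)
    score = patch.severity * exposure
    return score * 2 if patch.exploit_public else score


def prioritise(assets, patches):
    """Return (patch_id, score, hosts) tuples, highest risk first."""
    by_host = {a.hostname: a for a in assets}
    ranked = []
    for pid, hosts in missing_patches(assets, patches).items():
        patch = next(p for p in patches if p.patch_id == pid)
        score = risk_score(patch, [by_host[h] for h in hosts])
        ranked.append((pid, score, hosts))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def advance(patch, target, emergency=False):
    """Move a patch exactly one stage forward, refusing to skip steps.

    Constructed emergency rule: an emergency change may skip the pilot
    (TESTED -> ROLLED_OUT) but never the test itself.
    """
    cur, nxt = patch.stage.value, target.value
    skip_pilot = (emergency and patch.stage is Stage.TESTED
                  and target is Stage.ROLLED_OUT)
    if nxt == cur + 1 or skip_pilot:
        patch.stage = target
        return patch.stage
    raise ValueError(f"{patch.patch_id}: cannot go from "
                     f"{patch.stage.name} to {target.name}")


# Constructed sample estate and patch list (not real hosts or patches).
ASSETS = [
    Asset("web01", internet_facing=True, installed={"P-001"}),
    Asset("db01", internet_facing=False, installed={"P-001", "P-002"}),
    Asset("lap01", internet_facing=False),
    Asset("lap02", internet_facing=False, installed={"P-002"}),
]
PATCHES = [
    Patch("P-001", severity=4, exploit_public=True),
    Patch("P-002", severity=2, exploit_public=False),
    Patch("P-003", severity=3, exploit_public=True),
]

if __name__ == "__main__":
    for pid, score, hosts in prioritise(ASSETS, PATCHES):
        print(f"{pid} risk={score:3d} missing on {', '.join(hosts)}")
    p = PATCHES[2]
    for stage in (Stage.ASSESSED, Stage.TESTED):
        advance(p, stage)
    print("emergency roll-out:", advance(p, Stage.ROLLED_OUT, emergency=True).name)
```

Note that the critical patch P-001 with a public exploit ranks below the severity-3 patch P-003 in this constructed estate, because P-003 is missing on every host including the internet-facing one; that is the "risk to organisation" view the deck asks for rather than a pure severity ordering. The weights are arbitrary and would be replaced by whatever the organisation's risk assessment actually uses.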
To summarise…
Patch management is increasingly business critical given reliance on technology infrastructure
Should be proactive and preventative, not reactive and curative
Business impact reduction from a risk perspective should be key driver
Key is understanding the motivation, opportunity and risk to the attacker
Should be viewed as part of a bigger picture, an integrated process
Supported by defence in depth strategies
Automated tools are essential but so are the right people
Knowledge is power: know your vulnerabilities and where they are
End user estates increasingly as important as server estates
Flexibility and agility is crucial