Vulnerability Identification & Patch Management
Nate Howe
Vice President of Risk Management
Has this happened to you?
“Fix all these issues by the end of the week…”
My Background
• Performed IT audits and delivered many “Needs
Improvement” reports.
• Transitioned to security management and now I am the
one being audited.
• In the new job, I build processes to fix our known issues.
• We were missing Microsoft patches labeled MS02-,
MS03-, but unfortunately, it was 2007.
Vulnerability Scanning Techniques
• Vulnerability scanning over the network
• Agent-based scanner installed on each system
• Non-authenticated versus authenticated scans
All of these have the potential to produce large volumes
of report data, but do we know which actions to take?
Vulnerability Scanning Limitations
• Reports detail system health, but tell us little about our
organization’s security processes.
• Network segmentation or host-based firewalls may result
in clean vulnerability scan results, despite improper
system configurations.
• A network vulnerability scan may tell us nothing about
how the system will respond when an end user opens an
infected Office document.
Vulnerability Root Causes
• Big vulnerability reports detail the symptoms, but what
are the root causes?
– Do we have hardening standards for disabling unnecessary
services?
– Do we configure non-standard passwords?
– Do we perform routine maintenance including patching?
Quick Poll
Would you rather have a Windows computer that was fully
patched but had no anti-malware utility…
…or a Windows computer with no patches but had an anti-malware utility with current definitions?
SANS Top Vulnerabilities
• Client-side Vulnerabilities in:
– C1. Web Browsers
– C2. Office Software
– C3. Email Clients
– C4. Media Players
• Server-side Vulnerabilities in:
– S1. Web Applications
– S2. Windows Services
– S3. Unix and Mac OS Services
– S4. Backup Software
– S5. Anti-virus Software
– S6. Management Servers
– S7. Database Software
• Security Policy and Personnel:
– H1. Excessive User Rights and Unauthorized Devices
– H2. Phishing/Spear Phishing
– H3. Unencrypted Laptops and Removable Media
• Application Abuse:
– A1. Instant Messaging
– A2. Peer-to-Peer Programs
• Network Devices:
– N1. VoIP Servers and Phones
• Zero Day Attacks:
– Z1. Zero Day Attacks
Reactive, not Proactive
• Lack of patch management leaves our systems at risk,
plus we receive poor vulnerability scores.
• Vulnerability scanners identify symptoms and we react
by installing specific patches to resolve point-in-time
issues.
“Insanity is doing the same thing over and over again and
expecting different results.”
The Better Option
• Consider patching to be required preventive maintenance.
• Would you drive a car and never change the oil?
• I may be 500 miles late to get an oil change, but I don’t want
to be 5,000 miles late. When does breakdown become
inevitable?
Organization
• Are we reacting to an auditor issue, or do we recognize
our responsibility for patch management?
• Who is accountable for patch management?
• Who will double-check the work and produce
vulnerability metrics?
• Do we have an accurate IT asset inventory and have we
agreed on what to patch?
What should we patch?
• Anything with a communication jack (network or
modem), until you can justify otherwise.
• Do not forget the applications [and therefore the
business users].
• Do not forget proprietary systems, appliances, Cisco
IOS, physical security systems, ATMs, VoIP, firmware,
printers & copiers, PDAs, and more.
• Anti-malware definitions and engine updates are
patches, too.
Process
• How quickly should patches be installed?
• Will we allow system Automatic Updates?
• How will we become aware of the latest patches?
• Do patches require change control approval?
• When are the maintenance windows?
• Do we have testing procedures and test users (both IT and business)?
• Have we identified vendor dependencies?
• Do we have a phased rollout and a fallback plan?
• Can end users delay or cancel a patch?
• Will we do manual installations or use automated tools?
Challenges
• What if I disrupt an entire department or business
process?
• Do I know the system owners and will they approve
patches?
• When can I reboot these systems?
• What if I ‘shoot myself in the foot’ on a remote system?
• Will there be perceived performance issues when a
system is powered on and patches start installing?
• Will there be a WAN impact?
• Am I harming the environment and wasting money if I
keep systems powered on all night?
Unexpected Benefits
• The latest worm makes mainstream news, but you are
already patched and do not have a fire drill.
• When vendors are troubleshooting, they often start with
‘I see you have not installed the latest version.’
• Support and training are easier when systems are
consistent.
Conclusion
• Traditional network perimeter controls are less relevant
today because:
– laptops enter hostile environments
– attack vectors such as end user documents and web surfing
• Preventive maintenance is our professional responsibility.
• More sophisticated challenges need our attention once
system maintenance processes are operating.
• Hardening standards, new system certification, patching,
and self-assessments make the audit experience easier.
Next Steps
• Get valid data about your environment (inventory,
discovery, scan reports).
• Identify the problems and propose solutions.
• Assign responsibility.
• Create processes to test and install patches.
• Educate your end users.
• Measure at least monthly and track the progress, take
credit for your successes and admit your mistakes.
• Contact your industry colleagues and exchange ideas.
• Try it manually before you buy tools.
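The inventory, discovery and scan-report step, the monthly measurement step, and the "How quickly should patches be installed?" question from the Process slide are exactly the pieces worth trying by hand before buying a tool. The script below is an added example, not code from the talk or from any product: it reconciles an asset inventory against the hosts a scanner actually reached, flags open findings that have outlived an assumed per-severity SLA, and compares two monthly snapshots to show what was fixed, what is new and what was carried over. Every host name, patch identifier, date and SLA value is constructed for illustration.

```python
"""Reconcile an asset inventory with scan results and produce monthly patch metrics.

Added example, not code from the original talk.  All hosts, patch identifiers,
dates and SLA values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Days allowed between vendor release and installation, per severity.
# Assumed illustrative values; take the real numbers from your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One missing patch on one host, as a scanner report row."""
    host: str
    patch_id: str   # vendor bulletin / KB identifier (constructed below)
    severity: str   # must be a key of SLA_DAYS
    released: date  # vendor release date of the patch


def reconcile(inventory, scanned):
    """Compare the inventory with the hosts the scanner actually reached.

    Returns (unknown, unscanned): hosts the scan found that the inventory does
    not list, and inventory hosts the scan never saw (segmentation, host
    firewall, powered off).  A clean report says nothing about either group.
    Host names are compared case-insensitively.
    """
    inv = {h.lower() for h in inventory}
    seen = {h.lower() for h in scanned}
    return sorted(seen - inv), sorted(inv - seen)


def age_days(finding, as_of):
    """Patch age: days since the vendor released the fix."""
    return (as_of - finding.released).days


def overdue(findings, as_of, sla=SLA_DAYS):
    """Findings whose patch age exceeds the SLA for their severity."""
    late = []
    for f in findings:
        if f.severity not in sla:
            raise ValueError(f"no SLA defined for severity {f.severity!r}")
        if age_days(f, as_of) > sla[f.severity]:
            late.append(f)
    return late


def metrics(findings, as_of, sla=SLA_DAYS):
    """Per-severity counts for a monthly report."""
    unknown = {f.severity for f in findings} - set(sla)
    if unknown:
        raise ValueError(f"no SLA defined for severities {sorted(unknown)}")
    out = {}
    for sev in sla:
        open_ = [f for f in findings if f.severity == sev]
        late = overdue(open_, as_of, sla)
        out[sev] = {
            "open": len(open_),
            "overdue": len(late),
            "hosts_overdue": len({f.host for f in late}),
            "oldest_days": max((age_days(f, as_of) for f in open_), default=0),
        }
    return out


def progress(previous, current):
    """Month-over-month movement keyed on (host, patch): fixed, new, carried."""
    prev = {(f.host, f.patch_id) for f in previous}
    cur = {(f.host, f.patch_id) for f in current}
    return {"fixed": len(prev - cur), "new": len(cur - prev), "carried": len(prev & cur)}


# --- constructed sample data ------------------------------------------------
INVENTORY = ["ws-01", "ws-02", "srv-db01", "srv-web01"]
SCANNED = ["ws-01", "WS-02", "srv-web01", "printer-07"]  # printer unknown, db01 missed

MAY = [  # snapshot from the previous month's scan
    Finding("ws-01", "KB-A", "critical", date(2007, 4, 10)),
    Finding("ws-02", "KB-A", "critical", date(2007, 4, 10)),
    Finding("srv-web01", "KB-B", "high", date(2007, 5, 20)),
    Finding("ws-01", "KB-C", "medium", date(2007, 1, 15)),
]
JUNE = [  # this month's scan: ws-01 received KB-A and KB-C, a new KB-D appeared
    Finding("ws-02", "KB-A", "critical", date(2007, 4, 10)),
    Finding("srv-web01", "KB-B", "high", date(2007, 5, 20)),
    Finding("ws-01", "KB-D", "high", date(2007, 5, 28)),
]
AS_OF = date(2007, 6, 12)

if __name__ == "__main__":
    unknown, unscanned = reconcile(INVENTORY, SCANNED)
    print("not in inventory:", unknown, "| never scanned:", unscanned)
    for sev, m in metrics(JUNE, AS_OF).items():
        print(f"{sev:9} open={m['open']} overdue={m['overdue']} "
              f"hosts_overdue={m['hosts_overdue']} oldest={m['oldest_days']}d")
    print("since last month:", progress(MAY, JUNE))
```

The two reconcile lists are the report lines an auditor cares about most: a device nobody owns and a server the scanner never touched both look like "no findings" in a raw scan. The metrics are keyed on patch age rather than scan date, so a critical patch that has been missing for 63 days is reported as 49 days past its SLA no matter how recently the scanner first noticed it. Keeping one snapshot per month and feeding consecutive pairs to progress() gives the trend line that the talk asks you to measure, and the fixed/new/carried split stops a flat "open" count from hiding churn.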
Nate Howe
[email protected]