Vulnerability Identification & Patch Management
Nate Howe, Vice President of Risk Management

Has this happened to you?
“Fix all these issues by the end of the week…”

My Background
• Performed IT audits and delivered many “Needs Improvement” reports.
• Transitioned to security management and now I am the one being audited.
• In the new job, I build processes to fix our known issues.
• We were missing Microsoft patches labeled MS02-, MS03-, but unfortunately, it was 2007.

Vulnerability Scanning Techniques
• Vulnerability scanning over the network
• Agent-based scanner installed on each system
• Non-authenticated versus authenticated scans
All of these have the potential to produce large volumes of report data, but do we know which actions to take?

Vulnerability Scanning Limitations
• Reports detail system health, but tell us little about our organization’s security processes.
• Network segmentation or host-based firewalls may result in clean vulnerability scan results, despite improper system configurations.
• A network vulnerability scan may tell us nothing about how the system will respond when an end user opens an infected Office document.

Vulnerability Root Causes
• Big vulnerability reports detail the symptoms, but what are the root causes?
  – Do we have hardening standards for disabling unnecessary services?
  – Do we configure non-standard passwords?
  – Do we perform routine maintenance including patching?

Quick Poll
Would you rather have a Windows computer that was fully patched but had no anti-malware utility…
…or a Windows computer with no patches but had an anti-malware utility with current definitions?

SANS Top Vulnerabilities
• Client-side Vulnerabilities in:
  – C1. Web Browsers
  – C2. Office Software
  – C3. Email Clients
  – C4. Media Players
• Security Policy and Personnel:
  – H1. Excessive User Rights and Unauthorized Devices
  – H2. Phishing/Spear Phishing
  – H3. Unencrypted Laptops and Removable Media
• Server-side Vulnerabilities in:
  – S1. Web Applications
  – S2. Windows Services
  – S3. Unix and Mac OS Services
  – S4. Backup Software
  – S5. Anti-virus Software
  – S6. Management Servers
  – S7. Database Software
• Application Abuse:
  – A1. Instant Messaging
  – A2. Peer-to-Peer Programs
• Network Devices:
  – N1. VoIP Servers and Phones
• Zero Day Attacks:
  – Z1. Zero Day Attacks

Reactive, not Proactive
• Lack of patch management leaves our systems at risk, plus we receive poor vulnerability scores.
• Vulnerability scanners identify symptoms and we react by installing specific patches to resolve point-in-time issues.
“Insanity is doing the same thing over and over again and expecting different results.”

The Better Option
• Consider patching to be required preventive maintenance.
• Would you drive a car and never change the oil?
• I may be 500 miles late to get an oil change, but I don’t want to be 5,000 miles late. When does breakdown become inevitable?

Organization
• Are we reacting to an auditor issue, or do we recognize our responsibility for patch management?
• Who is accountable for patch management?
• Who will double-check the work and produce vulnerability metrics?
• Do we have an accurate IT asset inventory and have we agreed on what to patch?

What should we patch?
• Anything with a communication jack (network or modem), until you can justify otherwise.
• Do not forget the applications [and therefore the business users].
• Do not forget proprietary systems, appliances, Cisco IOS, physical security systems, ATMs, VoIP, firmware, printers & copiers, PDAs, and more.
• Anti-malware definitions and engine updates are patches, too.

Process
• How quickly should patches be installed?
• Will we allow system Automatic Updates?
• How will we become aware of the latest patches?
• Do patches require change control approval?
• When are the maintenance windows?
• Do we have testing procedures and test users (both IT and business)?
• Have we identified vendor dependencies?
• Do we have a phased rollout and a fallback plan?
• Can end users delay or cancel a patch?
• Will we do manual installations or use automated tools?

Challenges
• What if I disrupt an entire department or business process?
• Do I know the system owners and will they approve patches?
• When can I reboot these systems?
• What if I ‘shoot myself in the foot’ on a remote system?
• Will there be perceived performance issues when a system is powered on and patches start installing?
• Will there be a WAN impact?
• Am I harming the environment and wasting money if I keep systems powered on all night?

Unexpected Benefits
• The latest worm makes mainstream news, but you are already patched and do not have a fire drill.
• When vendors are troubleshooting, they often start with ‘I see you have not installed the latest version.’
• Support and training are easier when systems are consistent.

Conclusion
• Traditional network perimeter controls are less relevant today because:
  – laptops enter hostile environments
  – attack vectors such as end user documents and web surfing
• Preventive maintenance is our professional responsibility.
• More sophisticated challenges need our attention once system maintenance processes are operating.
• Hardening standards, new system certification, patching, and self-assessments make the audit experience easier.

Next Steps
• Get valid data about your environment (inventory, discovery, scan reports).
• Identify the problems and propose solutions.
• Assign responsibility.
• Create processes to test and install patches.
• Educate your end users.
• Measure at least monthly and track the progress; take credit for your successes and admit your mistakes.
• Contact your industry colleagues and exchange ideas.
• Try it manually before you buy tools.

Nate Howe
natehowe@hotmail.com
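The deck asks who will produce vulnerability metrics, how quickly patches must be installed, and calls for measuring at least monthly. As an added example that is not part of the slides, the Python below reads a constructed per-host scan export, flags findings that have outrun an assumed per-severity SLA, and regroups them by missing patch so the report lists install actions rather than a long list of symptoms. The CSV layout, the SLA table, the sample rows and the placeholder patch ids are all assumptions.

```python
# Added example, not from the slides: turn a scan export into monthly patch
# metrics. CSV layout, SLA table, sample rows and patch ids are constructed.
import csv
import io
from collections import defaultdict
from datetime import date

# Assumed SLA: days allowed from patch release to installation, by severity.
SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}

# Constructed scan export: one row per host and missing patch (the symptoms).
SAMPLE_CSV = """host,severity,patch_id,patch_released
fileserver01,Critical,KB-EXAMPLE-1,2024-01-02
fileserver01,High,KB-EXAMPLE-2,2024-02-10
laptop-042,Critical,KB-EXAMPLE-1,2024-01-02
laptop-042,Low,KB-EXAMPLE-3,2023-11-01
printer-lobby,Medium,KB-EXAMPLE-4,2024-02-20
"""

def load_findings(text):
    return list(csv.DictReader(io.StringIO(text)))

def overdue_findings(findings, as_of, sla=SLA_DAYS):
    """Findings whose patch age on the ISO date as_of exceeds the SLA."""
    today = date.fromisoformat(as_of)
    out = []
    for f in findings:
        age = (today - date.fromisoformat(f["patch_released"])).days
        if age > sla[f["severity"]]:
            out.append({**f, "overdue_days": age - sla[f["severity"]]})
    return out

def patch_rollup(findings):
    """Group by missing patch, not host: one install action clears every host."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["patch_id"]].add(f["host"])
    return sorted(((p, sorted(h)) for p, h in hosts.items()),
                  key=lambda item: (-len(item[1]), item[0]))

def monthly_metrics(findings, as_of, sla=SLA_DAYS):
    """Figures to record each month and compare against the previous one."""
    overdue = overdue_findings(findings, as_of, sla)
    total = len(findings)
    return {
        "total_missing": total,
        "overdue": len(overdue),
        "pct_within_sla": round(100.0 * (total - len(overdue)) / total, 1) if total else 100.0,
        "worst_overdue_days": max((f["overdue_days"] for f in overdue), default=0),
    }
```

Run it against your own scanner's CSV export by adjusting the column names in `load_findings`; the month-over-month change in `pct_within_sla` and `worst_overdue_days` is the trend the "Next Steps" slide asks you to track.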