Ctfo MANAGEMENT SECURITY PATCH. Felicia M. Nicastro. Second Edition. CRC Press. VC#*' J Taylor & Francis Group / Boca Raton London New York

Transcription

1 SECURITY PATCH MANAGEMENT Second Edition Felicia M. Nicastro Ctfo CRC Press VC#*' J Taylor & Francis Group / Boca Raton London New York CRC Press Is an imprint of the Taylor & Francis Croup, an Informa business AN AUERBACH BOOK

2 Contents Foreword About the Author xi xiii Chapter 1 Introduction 1 How to Use This Book 3 Background 7 Getting Started 8 Who Owns the Process? 9 People, Process, and Technology 13 Measuring Success 16 Next Steps 18 Types of Patches 19 Functionality Patches 20 Feature Patches 20 Security Patches 21 Product Vendor's Responsibility 22 Chapter 2 Vulnerability to Patch to Exploit 27 Who Exploits When, Why, and How 29 The Who 30 The When 31 The Why 33 The How 34 Tracking New Patch Releases 36 Resources for Information 37 Chapter 3 What to Patch 39 Desktops 40 V

3 VI CONTENTS Standard Build 42 User Awareness 43 Use of Tool 44 Remote Users 45 Laptops 47 Servers 48 Windows 50 UNIX and Linux 51 Network Devices 52 Chapter 4 Network and Systems Management: Information Technology Infrastructure Library 55 Network and Systems Management 56 Starting with Process 59 ITIL 60 Service Support 61 Service Desk 61 Incident Management 63 Problem Management 63 Configuration and Asset Management 64 Change Management 66 Release Management 67 Service Delivery 67 Service-Level Management 68 Financial Management for IT Services 69 Performance and Capacity Management 69 IT Service Continuity Management 70 Availability Management 70 ICT Infrastructure Management 70 Security Management 71 Assessing and Implementing IT Operations 71 Assessing the IT Operations Capabilities 72 Designing an IT Operations Solution 76 Implementing an IT Operations Solution 77 Putting the IT Operations Solution into Action 78 Outsourcing to a Service Provider 78 Chapter 5 Security Management 81 Overview 82 Security Operations 84 Preparing for Security Operations 86 Gather Requirements 86 Selecting the Tools 89 Establishing Security Operations 93 Methods of Implementation 94 Roles and Responsibilities 96 Implementing Security Operations 98

4 CONTENTS VII Incorporating Security into Operational Processes 100 Process Example 102 Next Steps 105 Chapter 6 Vulnerability Management 107 Definition of Vulnerability Management 108 Vulnerability Management Process 110 Monitor 111 Gather Data 112 Assess the Posture 113 Remediate 115 Rinse and Repeat 116 Establishing Vulnerability Management 117 Assess 118 Design 119 Implement 120 Review 121 Next Steps 121 Chapter 7 Tools 123 Process versus Tools 125 Where to Use Tnem 127 Asset Tracking 127 Patch Deployment 130 How to Determine Which One Is Best 131 Price 132 Leveraging Existing Software 133 Supported Operating Systems 134 Agent-Based versus Agentless Software Products 135 Tools Evaluated 137 Conducting Comparisons 140 Chapter 8 Testing 143 Common Issues with Testing 144 The Testing Process 145 Preinstall Activities 146 Patch Installation 148 Test Intended Purpose 149 Test Primary Uses 150 Test Secondary Uses 151 Testing Patch Back Out 152 Approving Deployment 153 Patch Ratings and How They Affect Testing 153 Prioritizing the Test Process 156 Externally Facing Hosts 158 Mission-Critical Hosts 159 Critical Users 159 Mobile Devices and Remote Users 160

5 VIII CONTENTS Clients of Critical Hosts 160 Standard User Systems 161 Internal Network Devices 162 Dynamic Prioritization 162 The Test Lab 163 Virtual Machines 165 Wrapping It Up 170 Chapter 9 Process Life Cycle 173 Roles and Responsibilities 175 Security Committee 177 Security Group 181 Operations Group 183 Network Operations Center 185 Analysis Phase of Patch Management 187 Monitoring and Discovery 187 Initial Assessment Phase 189 Impact Assessment Phase 191 Remediation Phase of Patch Management 193 Patch Course ofaction 194 Patch Security Advisory 197 Testing the Patch 201 "Critical" Vulnerabilities 202 Use of a Standard Build 203 Updating the Operational Environment 204 Distributing the Patch 205 Implementation of Patches 207 Time Frame ofdeployment 208 Exceptions to the Rule 210 Updating Remote Users 212 Tracking Patches 214 Patch Reporting 214 Chapter 10 Putting the Process in Place 217 Preparing Assessing for the Process 218 Current State 219 Determine Requirements 220 Performing the Gap Analysis 222 Designing the Process 223 Assessing Network Devices and Systems 224 Implementation Phase 226 Standard Build 227 Implement the Tool 229 Piloting the Process 231 Moving the Process into Production 233 Update Design Based on Implementation 235 Operating the Process 236 Integration into Existing Processes 237

6 CONTENTS IX Updating Standard Builds 239 Implementation of New Servers 239 Day-to-Day Tool Operations 240 Deployment of Patches 241 Maintain 242 Organizational Structure Changes 244 Operational Changes 244 Pu rchase of New or Additional Tool 245 Annual Basis 246 Patch Management Policy 246 Chapter 11 Conclusion 251 Challenges 253 Next Steps 257 Index 261