Patch and Vulnerability Management Program

Transcription

1 Patch and Vulnerability Management Program

2 What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent dealing with vulnerabilities and exploitation of vulnerabilities Proactive management of vulnerabilities of systems will reduce or eliminate the potential for exploitation Will involve considerably less time and effort than responding after an exploitation has occurred Critical challenge : timely patching

3 Organization Actions Organizations should: Create a patch and vulnerability group (PVG) to facilitate the identification and distribution of patches within the organization Use automated patch management tools to expedite the distribution of patches to systems Deploy enterprise patch management tools using a phased approach Assess and mitigate the risks associated with deploying enterprise patch management tools Consider using standardized configurations for IT resources Consistently measure the effectiveness of their patch and vulnerability management program and apply corrective actions as necessary

4 Patch Vulnerability Management Group Actions Key functions Creating a system inventory Monitor for vulnerabilities, remediations and threats Create an organization-specific remediation database Conduct generic testing of remediations Perform automated deployment of patches Verify vulnerability remediation through network and host vulnerability scanning

5 Creating Inventory Key problem: granularity too little or too much? No separate inventory (inventories used during asset management or BCP can be used) Sample inventory can keep details of System name, owner, system administrator, location, network port Software configuration [OS version number, software packages and version numbers, network services, IP address] Hardware configuration [CPU, memory, disk space, ethernet address, wireless capability, I/O, firmware versions]

6 Monitoring Vulnerabilities Enterprise patch management tool, to obtain all available patches from supported vendors Vendor security mailing lists and Web sites, to obtain all available patches from vendors not supported by the enterprise patch management tool Vulnerability database or mailing list to obtain immediate information on all known vulnerabilities and suggested remediations Third-party vulnerability mailing lists that highlight the most critical vulnerabilities (e.g., CERT Cyber Security Alerts)

7 Testing Remediations The downloaded patch should be checked against any of the authenticity methods the vendor provides, including checksums, Pretty Good Privacy (PGP) signatures, and digital certificates A virus scan should also be run on all patches before installation Patches and configuration modifications should be tested on nonproduction systems since remediation can easily produce unintended consequences Determine whether other patches are uninstalled when a particular patch is installed Test a selection of systems that accurately represent the configuration of the systems in deployment, since many possible system configurations exist that the vendor cannot possibly test all of them Before performing the remediation, and especially if there is a lack of time or resources to perform a test on the patch before employing it on a production system, learn what experiences others have had in installing or using the patch

8 Verifying Remediation Verify that the files or configuration settings the remediation was intended to correct have been changed as stated in the vendor s documentation Scan the host with a vulnerability scanner that is capable of detecting known vulnerabilities Verify whether the recommended patches were installed properly by reviewing patch logs Employ exploit procedures or code and attempt to exploit the vulnerability (i.e., perform a penetration test)

9 Enterprise Patching Solutions A central computer manages the patching across all the machines. Non-agent based : A single computer scans all computers with administrative privileges Agent based : An agent is installed on each computer. Agent does the following: Agent either polls a central computer for patches or viceversa is done Agent receives instructions from the central computer on which patches to install and how to install them