Effective Patch Management: How to make the pain go away. Adam Shostack adam@informedsecurity.com

Similar documents
How To Perform An External Security Vulnerability Assessment Of An External Computer System

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Copyright (2004) Purdue Research Foundation. All rights reserved.

Secure Software Programming and Vulnerability Analysis

A REVIEW OF METHODS FOR SECURING LINUX OPERATING SYSTEM

Deep Security Vulnerability Protection Summary

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Virtual Patching: a Proven Cost Savings Strategy

SAFECode Security Development Lifecycle (SDL)

DNS Security: New Threats, Immediate Responses, Long Term Outlook Infoblox Inc. All Rights Reserved.

Managed Service Plans

Security Vulnerability Management. Mark J Cox

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

HP Application Security Center

Virtualization System Security

System Management. Leif Nixon. a security perspective 1/37

Reducing Application Vulnerabilities by Security Engineering

Real World Considerations for Implementing Desktop Virtualization

Patching & Malicious Software Prevention CIP-007 R3 & R4

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

ZENworks Patch Management. Doc Hodges Opportunity Response Team Novell, Inc.

Virtual Patching: a Compelling Cost Savings Strategy

Intro to Patching. Thomas Cameron, Chief Architect, Western US, Red Hat twitter: thomasdcameron IRC: choirboy on Freenode

THE HACKERS NEXT TARGET

Vulnerability Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

OPEN SOURCE SECURITY

Software security specification and verification

Increase In Vulnerabilities Of Mobile Broadband Network Infrastructure

ManageEngine (division of ZOHO Corporation) Infrastructure Management Solution (IMS)

Information and Communication Technology. Patch Management Policy

CSE 265: System and Network Administration. CSE 265: System and Network Administration

SD Monthly Report Period : August 2013

Building a Modern Security Engineering Organization.

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Practice law, not IT. You can save costs while outsourcing to the US law firm technology experts!

Northwestern University Dell Kace Patch Management

1 Scope of Assessment

Lumension Guide to Patch Management Best Practices

Automated Patching. Paul Asadoorian IT Security Specialist Brown University

Taking a Proactive Approach to Linux Server Patch Management Linux server patching

A Review on Zero Day Attack Safety Using Different Scenarios

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Getting the Benefits of Managed Services without the Expense and Disruption to your Business

Whitepaper: Cloud Computing for Credit Unions

TestOps: Continuous Integration when infrastructure is the product. Barry Jaspan Senior Architect, Acquia Inc.

W H I T E P A P E R L i n u x M a n a g e m e n t w i t h R e d H a t S a t e l l i t e : M e a s u r i n g B u s i n e s s I m p a c t a n d R O I

Keeping Up To Date with Windows Server Update Services. Bob McCoy, CISSP, MCSE Technical Account Manager Microsoft Corporation

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2004

".,!520%'$!#)!"#$%&!>#($!#)!

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

Mark Bennett. Search and the Virtual Machine

The Definitive Guide. Monitoring the Data Center, Virtual Environments, and the Cloud. Don Jones

Network Virtualization Platform (NVP) Incident Reports

Timing the Application of Security Patches for Optimal Uptime

AN OVERVIEW OF VULNERABILITY SCANNERS

Oracle Security Auditing

Oracle Security Auditing

OSMOSIS. Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

HotZone. Theory of Operations Configuration Management

Patch Management. Module VMware Inc. All rights reserved

What is the Difference Between Dedicated and Managed Hosting Services?

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

5 Mistakes to Avoid on Your Drupal Website

Pragmatic Metrics for Building Security Dashboards

Discovering Mac OS X Weaknesses and Fixing Them with the New Bastille OS X Port

Survivability From a Sow s Ear: The Retrofit Security Requirement. 1 Introduction: the Survivability Imperative

Patch Management. Rich Bowen

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

The Defense RESTs: Automation and APIs for Improving Security

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

The Risks that Pen Tests don t Find. OWASP 13 April The OWASP Foundation

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Boost your VDI Confidence with Monitoring and Load Testing

Wind River Device Management Wind River

Top 10 Reasons to Automate your IT Run Books

WHITE PAPER Linux Management with Red Hat Network Satellite Server: Measuring Business Impact and ROI

Six Common Factors to Consider When selecting a CMS

Your Web and Applications

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

ArcGIS for Server in the Amazon Cloud. Michele Lundeen Esri

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Organizations that are standardizing today are enjoying lower management costs, better uptime. INTRODUCTION

Network Instruments white paper

Getting Things Done: Practical Web/e-Commerce Application Stress Testing

Vulnerability management lifecycle: defining vulnerability management

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Protecting Your Organisation from Targeted Cyber Intrusion

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Novel Systems. Extensible Networks

Put a Firewall in Your JVM Securing Java Applications!

Web Intrusion Detection with ModSecurity. Ivan Ristic

Building a Robust Web Application Security Plan

Application Intrusion Detection

Transcription:

Effective Patch Management: How to make the pain go away Adam Shostack adam@informedsecurity.com

Overview Why patch? Why is patching so painful? What can make it easier? Thinking about risk management How can we get out of the rat race?

Why Patch? Vendors issue patches to correct bugs Performance/Reliability Security is a subset of reliability End users apply patches to fix problems Preventative/Reaction models

Security Patches Vendors release code All code has bugs People find bugs Sometimes they tell the vendor Vendor triages, and may release a fix Some want to install it to forestall problems

Where we are Why patch? Why is patching so painful? What makes it easier? Thinking about risk management How can we get out of the rat race?

Why is patching painful? Patch notification Inventory & Roll-out Mobile Low bandwidth

Lies and Excuses! The problems of notification, inventory and roll-out, and mobile and low-bandwidth systems are roughly solved.

State of Software Tools Maturity Analyze Deploy Inventory Tivoli Unicenter ZenWorks (etc) Deployment

The Real Problems Patches are beta software Intense pressure to roll out beta software Poor data about patches Conflict between IT & IT Security Patches which can t roll back

Uptime vs. Security IT is rated on measured uptime Every admin knows patching can break things, require reboots Security is rated on break-ins Need to deploy patches to prevent Huge fights come from different priorities.

Where We Are Why patch? Why is patching so painful? What makes it easier? Thinking about risk management How can we get out of the rat race?

Reconciling The Views Patch risk falls with time Exploit risk grows with time Can we put numbers on them? Can we engage in a risk trade-off?

Timing the Application of Security Patches for Optimal Uptime

Timing the Application... Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002) http://www.homeport.org/~adam/time-to-patch-usenix-lisa02.pdf (Don t copy down the URL: Google finds my homepage, that s bullet #7)

Where We Are Why patch? Why is patching so painful? What makes it easier? Thinking about risk management How can we get out of the rat race?

Risk Management You can do this at home! Easy math leads to useful results Cost to deploy, cost to fix problems (security or broken patch) Goal is to move away from argument and worry Consider Security Risk, Patch Risk, Business Impact

Security Issues Patch criticality Software Vendor CERT metrics (ADDED: CVSS) CNN Mitigating controls Firewalls Configurations

Patch Issues How big is the patch? How many issues does it fix? Can it be backed out? Does it require a reboot? Testing (internal, external, web & lists)

Business Issues What s the business function of the system? Is there an impending deadline? What s your MTTR? (Mean Time To Repair)

Making it concrete Know your cost to deploy a patch Know your cost of downtime Estimate the risk of attack

Some sample numbers 1,000 node network with manual patching by $100 techies, at 1 hour/node: $100,000 to deploy a patch So what do you do if: Attack that would cost you $1,000,000 Attack that would cost you $105,000 Attack that would cost you $25,000

The $105,000 question Expected 5% ROI on cash Didn t specify time Alternate activities? Cost of capital/roi?

Why patch? Why is patching so painful? What makes it easier? Thinking about risk management How can we get out of the rat race?

Better Patch Mgmt SW Research and risk data Workflow Testing support Risk Management support

More Managable Deployments Use security software (Okena, Immunix, Sana, etc) to stop classes of attack Use software to deploy and manage systems Work to increase MTBF, decrease MTTR

More Secure Software The core problem is that security is not a buying criteria Make it one Push your vendor to discuss and then improve their software processes: Design, Development, Testing, Deploy

Bug (and software) Development

How To Move? It s actually worse than that That s a graph for a single program You deploy lots of programs

How To Get There Better software tools Internal, external Better Deployment tools Security Operations

Where The Tools Fit

Static Checkers Work with source code Lots of different languages Results generally easier to fix They re associated with lines of code High false positive rates Find sins of commission like strcat() Fast

Dynamic Checkers Work on binary code Never wonder if the optimizer was too clever Find Sins of Omission like SQL injection Slow! (Can be hours or days)

Language Selection Some languages seem to be more prone to security flaws C, PHP We may not have found the classes of flaws in Java, C# New classes keep showing up (integer underflows, etc)

Adding Resilience to Code How to deploy operate Buggy code more securely

Free UNIX techniques chroot/jail Unprivileged daemon accounts Painful if you need fast code on port 80 Free security enhanced OSes: OpenBSD, SELinux

More advanced tools OS hardening tools Immunix subdomain Sana kernel enhancements Application hardening Stackguard & company (Recompile vs kernel modules)

Issues with Hardening Tools How to measure their effectiveness Configuration effort Costs (percieved and real) Cash up front Speed Supportability + Vendor finger pointing

Selling Your Boss Or, Security folks are from Mars, businesspeople are from Wheaton

How You Buy Software Functionality, supportability, price Can you get security in there? Probably requires being able to get lots of complexity into a 1-5 score (or somesuch) The above can be used for that

Sample Scoring 0-1 point for a good language 0-1 point for documented use of tools to check code 0-1 point for unprivileged, chroot install 0-1 point for logging 0-1 point for local analysis

Deployment Budgets Cash for wires, hubs, power, air Where does security fit? What s the real cost of a failure? (Hint, its not $1m, unless you re a large bank)

Deployment Business Cases Cost of operations with and without tool X Cost of special events: Patching Breakins Worms Frequency of special events

Summary We ll always have patches to deploy We can build rational decision processes We can use better tools We can push vendors to sell better SW

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information