Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada




ITSB-96, Last Updated: March 2015

1 Introduction

Patching operating systems and applications is one of the Top 10 Security Actions in CSE's Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information (ITSB-89 Version 3). Implementing the Top 10 security actions as a package would prevent the vast majority of intrusions to which CSE currently responds. Applying patches to operating systems, applications and devices is a critical activity in ensuring the security of systems.

This document provides guidance on assessing known vulnerabilities and patches in order to determine the risk posed to an organization and the relative priority for patch deployment, as well as guidelines on how to deploy patches.

2 Why Patch?

Software suppliers discover and disclose vulnerabilities in their software, then release patches to address these problems. Unfortunately, these disclosures also notify adversaries that the vulnerabilities exist. Many organizations do not install patches as soon as they are released. As a result, adversaries are able to analyze and determine how to exploit network weaknesses for as long as they exist, until an organization deploys the relevant patch. Patching quickly is essential, as the likelihood of publicly available exploits increases significantly after patches are released. Adversaries have been known to reverse engineer patches in as little as a few hours.

3 Assessing Security Vulnerabilities and Patches

Staff can use various information sources to assess the risk of a vulnerability and the associated patch in the context of their IT environment. One of the primary information sources is the vendor's notification of the patch.

The vulnerability and patch information published by the vendor will typically include:

- a list of products and versions affected;
- technical details on the vulnerability, including an overview of how exploitation occurs;
- typical consequences of exploitation (e.g., code execution, information disclosure, denial of service);
- current exploitation status (i.e., whether the vulnerability is already being exploited);
- the existence and details of any temporary workarounds; and
- an overall measure of severity based on the above factors.

Each vendor uses a different means of communicating the severity of a vulnerability. The severity may be derived from a standard such as the Common Vulnerability Scoring System (CVSS) or based on a vendor-defined categorization such as Critical or Important. Regardless of the system the vendor uses, these severity ratings allow IT staff to quickly conduct an initial assessment of the potential for exploitation of the vulnerability in their environment. In addition to individual vulnerability/patch details, some vendors publish a consolidated bulletin that also contains the vendor's recommended deployment instructions.

4 Vulnerability-Patch Risk Assessment

Once departmental staff have analyzed the relevant vulnerability/patch information, a risk assessment can be completed. A risk assessment allows a department to properly assess the severity of a vulnerability/patch in the context of its environment. When conducting the risk assessment, it is important to consider the following factors:

- the impact on high-value or high-exposure assets (increased risk);
- the impact on assets historically attacked (increased risk);
- the mitigating controls already in place, or soon to be in place, for all affected assets (decreased risk); and
- low risk of exposure for impacted assets (decreased risk).

Examples of vulnerability/patch risk assessments are:

Extreme risk
- vulnerability allows remote code execution;
- critical business system/information affected;
- exploits exist and are in use; and
- system is connected to the Internet without having mitigating controls in place.

High risk
- vulnerability allows remote code execution;
- critical business system/information affected;
- exploits exist and are in use; and
- the system is in a protected enclave with strong access controls.

Medium risk
- vulnerability allows an attacker to impersonate a legitimate user on a remote access solution;
- system is exposed to unauthenticated users; and
- system requires two-factor authentication, and administrator-level remote login is disallowed.

Low risk
- vulnerability requires authenticated users to perform malicious actions, such as SQL injection;
- affected system contains non-sensitive, publicly-available information; and
- mitigating controls exist that make exploitation unlikely or very difficult.

The following are some simplified examples of patch risk assessments. In each case the vulnerability is a Critical Microsoft Office remote code execution vulnerability:

Department     Security Actions in Place                                                            Patch Risk Assessment
Department A   None                                                                                 Extreme
Department B   Effective e-mail content filtering; low privileged users                             High
Department C   Effective e-mail content filtering; application whitelisting; low privileged users   Medium
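The risk factors in section 4 and the deployment timeframes CSE recommends in section 5 (Extreme within 48 hours, High within 2 weeks, Medium within three months, Low within one year) can be combined into a small triage script that rates each finding and orders the patch queue by due date. The Python below is an added example, not part of ITSB-96: the point scheme in assess() is an assumed simplification chosen to reproduce the bulletin's four narrative examples, and the Finding fields, sample findings and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Section 5 deployment timeframes ("three months"/"one year" approximated in days).
DEADLINES = {"Extreme": timedelta(hours=48), "High": timedelta(weeks=2),
             "Medium": timedelta(days=90), "Low": timedelta(days=365)}
LEVELS = ["Low", "Medium", "High", "Extreme"]
BASE = {"rce": 2, "impersonation": 1, "authenticated_only": 0}  # consequence of exploitation


@dataclass
class Finding:
    name: str
    released: datetime            # date the vendor published the patch
    consequence: str              # key of BASE, from the vendor notice
    exploited_in_wild: bool       # "current exploitation status" from the vendor notice
    high_value_or_exposed: bool   # high-value/high-exposure or historically attacked asset
    mitigating_controls: bool     # controls in place (or soon to be) for the affected asset
    low_exposure: bool            # asset not reachable from the Internet / untrusted users


def assess(f: Finding) -> str:
    """Assumed scoring (not from the bulletin): start from the consequence, add one
    point per risk-increasing factor, subtract one per risk-decreasing factor,
    then clamp to the four ratings of section 4."""
    score = BASE[f.consequence] + f.exploited_in_wild + f.high_value_or_exposed
    score -= f.mitigating_controls + f.low_exposure
    return LEVELS[max(0, min(3, score))]


def due_date(f: Finding) -> datetime:
    return f.released + DEADLINES[assess(f)]


def patch_queue(findings, now: datetime):
    """Order work by deadline and flag anything already past its CSE timeframe."""
    rows = [(f.name, assess(f), due_date(f), due_date(f) < now) for f in findings]
    return sorted(rows, key=lambda r: r[2])


# Constructed sample findings mirroring the four section 4 examples.
T0 = datetime(2015, 3, 10)
SAMPLE = [
    Finding("rce-internet-facing", T0, "rce", True, True, False, False),
    Finding("rce-protected-enclave", T0, "rce", True, True, True, True),
    Finding("remote-access-impersonation", T0, "impersonation", False, True, True, False),
    Finding("authenticated-sqli-public-data", T0, "authenticated_only", False, False, True, False),
]

if __name__ == "__main__":
    for name, rating, due, overdue in patch_queue(SAMPLE, datetime(2015, 3, 20)):
        print(f"{name:32} {rating:8} due {due:%Y-%m-%d} {'OVERDUE' if overdue else ''}")
```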

5 Patch Deployment Timeframes

Once a patch is released by a vendor and has been assessed by departmental staff for applicability and severity, the patch should be deployed in a timeframe commensurate with the consequence of the vulnerability's exploitation. Focusing efforts on the most significant issues first ensures that IT resources are used in an effective and efficient manner. The following are CSE's recommended deployment timeframes for the assessed vulnerability/patch risk ratings:

- Extreme: within 48 hours;
- High: within 2 weeks;
- Medium: at the next major update or within three months; and
- Low: at the next major update or within one year.

6 Patch Testing

Departments must decide where the greater risk lies: in leaving vulnerabilities unpatched, which puts the department at risk of compromise, or in deploying a patch that the department has not fully tested. Many vendors, including Microsoft, thoroughly test all patches prior to releasing them to the public. The testing is performed against a wide range of environments, applications and conditions. Departments might start by deploying patches to a test group including employees from all business units across the department (e.g., HR, Finance, Operations). If faults are not reported within 48 hours, the patch could be rolled out across the remainder of the department. Further, departments might consider deploying systems to better automate patch testing within their environments.

7 How to Patch

Patching can be implemented using a patch-management system. These systems facilitate the receipt, testing and installation of patches to protect the operating environment. Some common practices to follow include:

- Before installing a new patch, system administrators must read all of its relevant contextual information, which will provide details about the patch and what is needed to install it. Additional external research on the patch may be required to determine, for example, if there are issues with installation;
- Once patches have been applied, they should be audited to measure the success rate and to ensure that they are effective; and
- It is beneficial to stay updated and informed about patch updates, network operating systems and application vendor updates. This will allow system administrators to know when new vulnerabilities are discovered, and to apply patches as soon as possible.

8 Temporary Workarounds

Temporary workarounds can be the only effective protection if a patch is not yet available from the vendor. These workarounds may be published by the vendor in conjunction with, or soon after, the vulnerability announcement. Temporary fixes may include disabling the vulnerable functionality within the software or device, or restricting or blocking access to the vulnerable service using firewalls or other access controls. Like patching, the decision to implement or not to implement a temporary workaround is a risk-based decision.

9 Additional Information

The full list of CSE's Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information, as well as a range of supplementary advice, can be found at www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance. Microsoft's Security Update Guide outlines Microsoft's security update process and provides guidance on how IT staff can analyze vulnerability risk and deploy updates.

10 Contacts and Assistance

ITS Client Services
Telephone: (613) 991-7654
E-mail: itsclientservices@cse-cst.gc.ca

Government of Canada, Communications Security Establishment, 2015