Patch and Vulnerability Management Program


What is it?
- A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization
- Its purpose is to reduce the time and money spent dealing with vulnerabilities and with their exploitation
- Proactive management of system vulnerabilities reduces or eliminates the potential for exploitation
- It involves considerably less time and effort than responding after an exploitation has occurred
- Critical challenge: timely patching

Organization Actions
Organizations should:
- Create a patch and vulnerability group (PVG) to facilitate the identification and distribution of patches within the organization
- Use automated patch management tools to expedite the distribution of patches to systems
- Deploy enterprise patch management tools using a phased approach
- Assess and mitigate the risks associated with deploying enterprise patch management tools
- Consider using standardized configurations for IT resources
- Consistently measure the effectiveness of their patch and vulnerability management program and apply corrective actions as necessary

Patch and Vulnerability Management Group Actions
Key functions:
- Create a system inventory
- Monitor for vulnerabilities, remediations and threats
- Create an organization-specific remediation database
- Conduct generic testing of remediations
- Perform automated deployment of patches
- Verify vulnerability remediation through network and host vulnerability scanning

Creating an Inventory
- Key problem: granularity. Too little detail or too much?
- No separate inventory is required: inventories already maintained for asset management or business continuity planning (BCP) can be reused
- A sample inventory keeps details of:
  - System name, owner, system administrator, location, network port
  - Software configuration: OS version number, software packages and their version numbers, network services, IP address
  - Hardware configuration: CPU, memory, disk space, Ethernet (MAC) address, wireless capability, I/O, firmware versions

Monitoring Vulnerabilities
Sources the PVG should monitor:
- The enterprise patch management tool, to obtain all available patches from the vendors it supports
- Vendor security mailing lists and Web sites, to obtain patches from vendors not supported by the enterprise patch management tool
- A vulnerability database or mailing list, to obtain immediate information on all known vulnerabilities and suggested remediations
- Third-party vulnerability mailing lists that highlight the most critical vulnerabilities (e.g., CERT Cyber Security Alerts)

Testing Remediations
- The downloaded patch should be checked against every authenticity method the vendor provides, including checksums, Pretty Good Privacy (PGP) signatures, and digital certificates. A checksum only proves something if it was obtained over a channel separate from the download itself (or is itself signed); an attacker who can replace the patch can usually replace an adjacent checksum file too
- A virus scan should also be run on all patches before installation
- Patches and configuration modifications should be tested on non-production systems, since remediation can easily produce unintended consequences
- Determine whether other patches are removed or reverted when a particular patch is installed
- Test on a selection of systems that accurately represents the configurations in deployment: so many system configurations exist that the vendor cannot possibly test all of them
- Before performing the remediation, and especially if there is no time or resource to test the patch before applying it to a production system, learn what experiences others have had installing or using the patch
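The authenticity check in the first bullet, as an added example that is not part of the original slides. It verifies downloaded patch files against a sha256sum(1)-style manifest (`<64 hex digits>  <filename>`, with the optional `*` binary-mode marker) and fails closed on both a checksum mismatch and a file the manifest does not list. The file names, payloads and manifest are constructed for the demo; the script assumes the manifest was fetched over a trusted channel and signature-checked beforehand (for example `gpg --verify SHA256SUMS.asc SHA256SUMS`), which this code does not do.

```python
"""Verify downloaded patches against a vendor checksum manifest before staging them.

Added example, not from the original slides. Assumes the manifest itself was
obtained over a trusted channel and, ideally, signature-verified first; a
checksum that travelled with the download proves nothing on its own.
"""
import hashlib
import hmac
import os
import re
import tempfile

# One sha256sum(1) line: digest, whitespace, optional '*' (binary mode), name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Parse a SHA256SUMS-style manifest into {filename: lowercase hex digest}.

    Malformed lines raise rather than being skipped, so a corrupted or
    truncated manifest cannot silently drop entries.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so large patch bundles do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_patch(path, expected):
    """Return (ok, reason). Fails closed: unlisted files are rejected, not ignored."""
    name = os.path.basename(path)
    if name not in expected:
        return False, "not listed in manifest"
    # compare_digest is not strictly needed for a public hash, but costs nothing.
    if not hmac.compare_digest(sha256_file(path), expected[name]):
        return False, "checksum mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: one good patch, one altered after the manifest was
    produced, one file the vendor never listed. Returns {name: (ok, reason)}."""
    good_payload = b"vendor patch payload 1.2.3"
    orig_payload = b"vendor patch payload 1.2.4"
    manifest = (
        f"# constructed vendor manifest\n"
        f"{hashlib.sha256(good_payload).hexdigest()}  patch-1.2.3.bin\n"
        f"{hashlib.sha256(orig_payload).hexdigest()} *patch-1.2.4.bin\n"
    )
    files = {
        "patch-1.2.3.bin": good_payload,
        "patch-1.2.4.bin": orig_payload + b"\x00trailer",  # altered in transit
        "hotfix.bin": b"unknown origin",                    # not in manifest
    }
    expected = parse_manifest(manifest)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_patch(path, expected)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {reason}")
```

Run it before anything is copied into the deployment share; only files that return `(True, "ok")` should be staged. Rejecting unlisted files matters as much as catching mismatches, since an attacker who can drop an extra file into the download directory would otherwise bypass the check entirely.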

Verifying Remediation
- Verify that the files or configuration settings the remediation was intended to correct have been changed as stated in the vendor's documentation
- Scan the host with a vulnerability scanner that is capable of detecting the known vulnerability
- Verify that the recommended patches were installed properly by reviewing the patch logs
- Employ exploit procedures or code and attempt to exploit the vulnerability (i.e., perform a penetration test)
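An added example, not from the original slides, tying together three PVG functions: the system inventory, the organization-specific remediation database, and verification of remediation by reviewing patch logs. It cross-checks inventory package versions against the remediation database to list hosts still in an affected version range, then applies a patch tool's log to the inventory (trusting only successful entries whose "from" version agrees with the inventory) and re-runs the check to show what remains open. Every host, package, version string, remediation ID and log line is constructed; the field names (`host`, `packages`, `introduced`, `fixed_in`) are this example's own schema, not a standard one.

```python
"""Inventory vs. remediation database, before and after reading the patch log.

Added example; all data below is constructed. Version comparison is a plain
numeric tuple compare, which is enough for the fictitious versions here but
does not model distro epochs or release suffixes; in production use the
packaging system's own comparison (e.g. dpkg --compare-versions, rpmdev-vercmp).
"""
import copy
import re

# Constructed organization-specific remediation database: package, the first
# affected version and the first version that contains the fix.
REMEDIATIONS = [
    {"id": "REM-0001", "package": "webserver", "introduced": "2.4.0", "fixed_in": "2.4.10"},
    {"id": "REM-0002", "package": "tlslib",    "introduced": "1.0.0", "fixed_in": "1.0.2"},
]

# Constructed inventory with the minimum the slides ask for.
INVENTORY = [
    {"host": "web01", "owner": "webteam", "os": "linux 3.10",
     "packages": {"webserver": "2.4.7", "tlslib": "1.0.1"}},
    {"host": "web02", "owner": "webteam", "os": "linux 3.10",
     "packages": {"webserver": "2.4.10", "tlslib": "1.0.1"}},
    {"host": "db01", "owner": "dba", "os": "linux 3.10",
     "packages": {"tlslib": "0.9.8"}},   # below the recorded affected range
]

# Constructed patch-tool log: one upgrade attempt per line.
PATCH_LOG = """\
2014-07-08T02:10:41Z host=web01 pkg=webserver action=upgrade from=2.4.7 to=2.4.10 status=success
2014-07-08T02:11:03Z host=web01 pkg=tlslib action=upgrade from=1.0.1 to=1.0.2 status=failed rc=1
2014-07-08T02:12:19Z host=web02 pkg=tlslib action=upgrade from=1.0.1 to=1.0.2 status=success
"""

LOG_RE = re.compile(r"host=(\S+) pkg=(\S+) action=upgrade from=(\S+) to=(\S+) status=(\S+)")


def parse_version(v):
    """'2.4.10' -> (2, 4, 10). Tuples compare lexicographically, so 2.4 < 2.4.1."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version, rem):
    """True when introduced <= version < fixed_in (half-open range)."""
    v = parse_version(version)
    return parse_version(rem["introduced"]) <= v < parse_version(rem["fixed_in"])


def find_vulnerable(inventory, remediations):
    """Return (host, package, version, remediation id) for every open item."""
    findings = []
    for host in inventory:
        for rem in remediations:
            ver = host["packages"].get(rem["package"])
            if ver is not None and is_affected(ver, rem):
                findings.append((host["host"], rem["package"], ver, rem["id"]))
    return findings


def apply_patch_log(inventory, log_text):
    """Update the inventory from successful log entries only.

    An entry whose 'from' version disagrees with the inventory is reported
    rather than applied: either the inventory is stale or the log is not for
    this host, and both need a human. Returns the list of entries not applied.
    """
    by_host = {h["host"]: h for h in inventory}
    not_applied = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, pkg, old, new, status = m.groups()
        h = by_host.get(host)
        if h is None or h["packages"].get(pkg) != old:
            not_applied.append((host, pkg, "inventory mismatch"))
        elif status != "success":
            not_applied.append((host, pkg, status))
        else:
            h["packages"][pkg] = new
    return not_applied


def run_demo():
    """Findings before patching, log entries not applied, findings after."""
    inv = copy.deepcopy(INVENTORY)
    before = find_vulnerable(inv, REMEDIATIONS)
    skipped = apply_patch_log(inv, PATCH_LOG)
    after = find_vulnerable(inv, REMEDIATIONS)
    return before, skipped, after


if __name__ == "__main__":
    before, skipped, after = run_demo()
    print("open before:", before)
    print("log entries not applied:", skipped)
    print("open after:", after)
```

The log-driven update is the "review patch logs" step, but it only moves the inventory forward on a recorded success; the failed `tlslib` upgrade on web01 stays open and shows up again in the second pass, which is exactly the item the PVG must chase. db01 is not listed because 0.9.8 is below the range recorded in the remediation database; the database, not the script, decides what counts as affected, so a version that old should prompt a database entry (or an unsupported-software finding) rather than being read as safe.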

Enterprise Patching Solutions
A central computer manages patching across all the machines.
- Non-agent based (agentless): a single computer, holding administrative credentials for every target, scans and patches all the other computers. That computer is therefore a high-value target and must be protected accordingly
- Agent based: an agent is installed on each computer. The agent:
  - either polls the central server for patches, or the central server pushes them to the agent
  - receives instructions from the central server on which patches to install and how to install them