Vulnerability and Patch Management - PowerPoint PPT Presentation

About This Presentation
Title:

Vulnerability and Patch Management

Description:

Protection from internal vulnerabilities such as: Machines that do not have the latest hot fixes or service packs loaded ... eWeek, Aug. 11, 2003. VM Trends ' ... – PowerPoint PPT presentation

Slides: 39
Provided by: thomas50

Transcript and Presenter's Notes


1
Vulnerability and Patch Management
  • Dr. Thomas Moore, Ph.D.
  • EMBA, BCSA, BCSP, CISSP, CISM, LCNAD

2
Vulnerability Management
  • What, why, how

3
What is Vulnerability Management?
  • The ability to assess and secure multi-platform
    environments.
  • Protection from internal vulnerabilities such as:
    • Machines that do not have the latest hot fixes or
      service packs loaded
    • People who have inappropriate rights to files and
      directories
    • Users who have no passwords or easily guessed
      passwords
    • Accounts that have not been disabled once an
      employee is no longer with the company
    • Employees who are going against corporate
      policies and who are sending emails with
      inappropriate content
  • Protection from external vulnerabilities such as:
    • Unknown/unsecured IP devices
    • Open ports
    • Easily guessed passwords

4
What is Vulnerability Management?
  • Combination of management and security tools into
    one product. Examples of management tools:
    • Automated documentation for disaster recovery
    • Disk space analysis
    • Content scanning (MS Exchange)
    • Mailbox moves (MS Exchange)
    • Change impact analysis (MS SQL)
  • The ability to audit and document your improved
    security.
  • Requisite in banking/healthcare/government or any
    highly regulated industry
  • Staff augmentation (cost savings)

5
Why Vulnerability Management
  • According to Gartner, security continues to be
    one of the top three issues for CIOs.
  • Windows, IIS and SQL Server are the three key
    areas prone to attack.
  • 2004 was the first time that the security budget
    for the average enterprise constituted more than
    5% of the overall IT budget, showing up on the
    CIO's pie chart.

6
Why Vulnerability Management
  • Also according to Gartner, some ways to quantify
    what you do are:
    • What percentage of known attacks is the
      organization vulnerable to?
    • When was that percentage calculated?
    • What percentage of company software, people and
      supplies have been reviewed for security issues?
    • What percentage of downtime is the result of
      security problems?
    • What percentage of nodes in the network are
      managed by IT?

7
CIO Magazine/PWC survey, 15OCT04
  • The top three security-related organizational
    priorities for 2004 were:
    • Raise end user awareness of policy procedures
      (55%)
    • Train staff (41%)
    • Develop security policies and standards (35%)

This same survey stated that 80% of North
American companies used liability as a
justification for security investments.
  • Also in the study, security investments are
    justified due to:
    • Liability/exposure (69%)
    • Regulatory requirements (53%)
    • Revenue impact (40%)

8
Vulnerability Management More Insight
  • According to a Summer 2003 InfoPro Study, the top
    operational problems or pain points that are
    driving spending are:
    • Audit/compliance related (41%)
    • Technology related (40%)
    • Standards related (16%)

"The numbers are staggering: 82,094 new
vulnerabilities discovered in software and
hardware last year. That's up 64 percent from
2001. And in the first quarter of this year
alone, the number was 76,404. The volume of flaws
found has been rising at an alarming rate for as
long as people have kept statistics." -- eWeek,
Aug. 11, 2003
9
VM Trends
Windows and .NET Magazine (May) 2002 vs. 2003
Study Results
  • Manage infrastructure still #1!
  • OS upgrades and security (equal)

(Chart: "Which of the following would you say is your
company's highest priority technology initiative
for IT in the next year?" Hardware upgrades not asked
in 2002.)
10
Why implement a VM solution?
  • Multiple threats across a complex IT
    infrastructure
  • Multiple IT Managers are accountable for specific
    pieces of the infrastructure, but not all
  • Native tools do not provide enterprise-level,
    consolidated assessment and audit
  • A breach in any one area can affect the entire
    infrastructure
  • Organizations must comply with some mandated
    standards and practices across the enterprise
  • Time and efficiencies gained

11
Quick Quiz
  • 1. How many machines does it take to make a
    network completely vulnerable?
  • 2. Name three ways a network may be vulnerable?

12
Risk Management Lifecycle
(Cycle diagram; stages as labelled on the slide:)
  • Repeat
  • Define Rules
  • Certify/Verify
  • Publish
  • Remediate
  • Audit/Analyze
  • Assign
  • Notify
13
Benefits of Lifecycle
  • Increase audit coverage and frequency
  • Look at ALL your servers and workstations, ALL
    the time
  • Provide policies to measure against
  • Achieve constant state of audit

(Diagram: More Coverage, Complete Policies, Less Risk)
14
Automating the Lifecycle
  • What percentage of your machines do you audit
    regularly today?
  • For best security, how many should you audit?
  • How often do you complete your audit cycle?
  • Only an automated solution can:
    • Audit 100% of machines
    • Increase your audit frequency
    • Decrease the time to remediate
    • Reduce risks AND reduce costs at the same time

15
Sustainability
  • Is this more work than you are doing today?
  • YES!! And it will continue to grow
  • Start Now!
  • With all the other things that are going on, how
    can I not only create but maintain a secure
    environment?
    • Create Policies
    • Automate Assessment with software tools (VM)
    • Remediate (VM)
    • Evaluate (VM)
    • Start Over! (VM using scheduling)

16
Any pitfalls?
  • Technical
    • Depth of reporting (granularity, ad-hoc vs.
      predefined)
    • Closed loop problem identification and
      remediation
    • Scalability
    • Agents and their associated maintenance
    • Parallel processing
    • Lack of centralized management (combination of
      security, auditing and management tools bundled
      into product)

17
Other benefits
  • Business reasons
    • 30-70% reduction in business losses due to
      downtime
    • 20-70% reduction in lost opportunity costs
    • 20-50% reduction in mediation, recovery time and
      associated costs
    • 10-30% reduction in lost productivity of non-IT
      personnel
    • 1-2% legal exposure and costs
    • 10-30% deployment and maintenance

18
Testimonials
  • "...(VM) solutions reduced our business loss and
    downtime when NIMDA hit. ...put out the 1.1
    million hits that we took. That was huge."
    (Large mid-west financial organization)
  • "...vulnerability management solution, we realized
    more than $1,000,000 in ROI." (Florida Hospital)

19
New trends
  • Non-credentialed scans
  • Benefits:
    • Cross-platform
    • Doesn't require administrative rights to scan
      device
    • Keep up with the latest vulnerabilities
    • O/S fingerprinting with version identification
    • Identify every IP device on the network

(Chart: Total Devices, Managed vs. Unmanaged;
Rogue Machines)
20
Platform Coverage
  • Operating Systems
    • bv-Control for Windows, Active Directory and Web
      Services
    • bv-Control for NetWare and bv-Control for NDS
      eDirectory
    • bv-Control for Unix
    • bv-Control for OS/400
  • Applications
    • bv-Control for Microsoft Exchange
    • bv-Control for Microsoft SQL Server
    • bv-Control for Oracle
    • bv-Control for CheckPoint Firewall-1
    • bv-Control for SAP
  • Other
    • RMS Console
    • bv-Control for Internet Security

21
Patch Management
22
What is a patch?
  • A patch, or Hot Fix, is an updated file or set of
    files (exe, dll, sys, etc.) that fixes a software
    flaw
  • Two types of patches:
    • Security patches: patches that address known
      security vulnerabilities
    • Non-security patches: patches that improve
      performance or fix functional problems
  • Service Packs:
    • Contain all previously released security and
      non-security patches (rollups)
    • Contain new patches also

23
Race Against Time
Companies have less time to patch software flaws
before Internet worms hit their computer systems.
24
What is patch management?
  • The process through which companies:
    • determine which patches are missing from their
      environment
    • deploy those patches to end user machines
    • verify patches were successfully deployed

"Automation is a key element of the patch
management process." -- Computerworld, July 2003
"The number of patches released makes it
almost imperative to employ automated solutions."
-- Gartner
25
Two Key Components
  • An analysis to determine whether or not a target
    machine is patched
  • The distribution of a patch to a target machine

(Diagram: Assessment, Packaging, Deployment)
26
Deployment Options
(Screenshot: Patch Assessment)
27
Patches for OS Platforms
Companies have to manually create and keep up to
date a spreadsheet illustrating which patch goes
for which operating system!
28
Check in with the experts
  • "The manual process of patching thousands of
    workstations and servers in an environment is
    nearly impossible." (Computerworld, July 14,
    2003)
  • "Gartner estimates that IT managers now spend up
    to two hours every day managing patches."
    (Computerworld, July 14, 2003)

29
Patch Assessment-Considerations
  • Audit the patch process
    • Why is the patch needed?
    • Reboot required?
    • Unsigned driver?
  • Conduct an in-depth assessment
    • CVE number
    • Affected product
    • Reason patch is missing
    • Bulletin ID name

30
Patch Assessment, how
  • A comprehensive meta document, called
    MSSECURE.XML, provides the intelligence used to
    analyze whether or not a patch is installed. It
    contains the security bulletin name and title and
    detailed product-specific security hotfixes,
    including:
    • Files in each hotfix package with their file
      versions and checksums
    • Registry keys that were applied by the hotfix
      installation package
    • Information about which patches supersede other
      patches
    • Related Microsoft Knowledge Base article numbers
    • Third party analysis of threats posed by a
      patch's vulnerability
    • Links to additional information from BugTraq,
      cross references to CVEs, and more
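To make the "determine what is missing, deploy, verify" process of slides 24 and 25 concrete alongside the metadata contents listed here, the following is an added example in Python; it is not code from the presentation or from BindView. The XML layout, bulletin IDs, KB numbers, file names and versions are constructed stand-ins, not the real MSSECURE.XML schema or Microsoft data, and the checksum and registry-key checks from the list above are left out.

```python
import xml.etree.ElementTree as ET

# Constructed metadata, loosely modelled on what the slide says MSSECURE.XML
# holds (file versions, supersedence, KB numbers); layout and values are assumed.
SAMPLE_XML = """<Patches>
  <Patch bulletin="MS-EX01" kb="KB000001" product="Exchange">
    <File name="store.exe" version="6.5.6944.0"/>
  </Patch>
  <Patch bulletin="MS-EX02" kb="KB000002" product="Exchange" supersedes="MS-EX01">
    <File name="store.exe" version="6.5.7226.0"/>
    <File name="mad.exe" version="6.5.7226.0"/>
  </Patch>
  <Patch bulletin="MS-OS01" kb="KB000003" product="Windows">
    <File name="ntoskrnl.exe" version="5.2.3790.1830"/>
  </Patch>
</Patches>"""

def ver(v):
    return tuple(int(x) for x in v.split("."))  # numeric compare: 1830 > 999

def load_patches(xml_text):
    return [{"bulletin": p.get("bulletin"), "kb": p.get("kb"),
             "supersedes": p.get("supersedes"),
             "files": {f.get("name"): f.get("version") for f in p.findall("File")}}
            for p in ET.fromstring(xml_text).findall("Patch")]

def assess(patches, inventory):
    """Return [(bulletin, kb, reason)] for patches missing from a host whose file
    inventory is {filename: version}. A patch counts as installed when every file
    it ships is at or above the shipped version; a superseded patch is skipped."""
    superseded = {p["supersedes"] for p in patches if p["supersedes"]}
    report = []
    for p in patches:
        if p["bulletin"] in superseded:
            continue  # deploying the superseding rollup covers this one
        for name, want in p["files"].items():
            have = inventory.get(name)
            if have is None:
                report.append((p["bulletin"], p["kb"], f"{name} not present"))
                break
            if ver(have) < ver(want):
                report.append((p["bulletin"], p["kb"], f"{name} {have} < {want}"))
                break
    return report

def verify_after_deploy(patches, inventory, bulletin):
    """Post-patch verification: re-assess the re-inventoried host and confirm
    the deployed bulletin is no longer reported missing."""
    return all(b != bulletin for b, _, _ in assess(patches, inventory))
```

The "reason" field mirrors the slide 29 consideration of reporting why a patch is missing (file absent versus file older than the hotfix version).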

31
Patch Deployment
  • Patch packaging
    • Wizard-based package creation
    • Decentralized, scalable patch distribution
      method
    • Packaged using standard technology
  • Patch Deployment (packaged UI)
    • Centralized patch deployment
    • Ad-hoc patch distribution
    • Test deploy

32
Patch Package Bat File Creation
Example bat file created to install patches.
Without BindView you would have to create this
manually for every workstation and patch.
33
Solution considerations
  • Agentless
  • Scalability
  • Scheduling
  • Baselining
  • Executive reporting/view
  • Detailed patch analysis
  • Comprehensive pre-patch auditing
  • Post-patch verification auditing
  • Flexible/comprehensive patch selection (critical
    patches)
  • Flexible patch deployment (critical servers)
  • Office CD central source
  • Rollback capabilities
34
Common Patch Management Tools in Enterprise
Environments
  • Microsoft Baseline Security Advisor (MBSA 1.0,
    1.2)
  • Microsoft Software Update Service (SUS)
  • Microsoft Systems Management Server (SMS 2.0,
    2003)
  • Active Directory Group Policies

35
Microsoft Baseline Security Advisor (MBSA 1.0,
1.2)
  • Designed for small to medium businesses (less
    than 500 machines or 1500 users)
  • No centralized management server or reporting
    services
  • No distributed agents for data collection
  • Does not distribute patches
  • When used with SMS, developers still have to
    manually create patch packages

36
Microsoft Software Update Service (SUS)
  • Corporate windowsupdate.com
  • Does not evaluate back office applications such
    as Exchange or IIS
  • No reporting, only basic log analysis
  • No distributed agents or distribution points

37
Microsoft Systems Management Server (SMS 3.0)
  • Does not specifically target security
  • Software deployments (including patches) must be
    created manually
  • No easy way to report on only security patch
    deployments

38
Active Directory Group Policies
  • Not designed for patch deployment
  • Cannot report on software deployments
  • Targeting distribution points is cumbersome. You
    must use multiple GPOs, which is not recommended
  • Cannot monitor software pushes

39
Q&A