Patch management: increasingly a facet of effective risk management - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Patch management: increasingly a facet of effective risk management

Description:

Title: Slide 1 Author: Craig Peel Last modified by: John Colley Created Date: 6/10/2005 10:05:19 AM Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation

Number of Views:259
Avg rating:3.0/5.0
Slides: 20
Provided by: CraigP151
Category:

less

Transcript and Presenter's Notes

Title: Patch management: increasingly a facet of effective risk management


1
Patch managementincreasingly a facet of
effective risk management
  • Marcus alldrickSecurelondon conference, 28 jUly
    2009

2
  • IF the attacker has a greater understanding of
    its target then it has the advantage

3
  • Criminal attackers are now driven by monetization
    cost and profitability

4
  • Patching and other protective measures increases
    attackers monetization cost and reduces their
    profitability

5
Trends
  • Continued rapid evolution of attack strategies /
    sophistication
  • Web applications increasingly vulnerable and
    targeted
  • Decrease in mass mailing viruses and worms
  • Trojans increasing, notably in data stealing
    malware
  • 2007 52, 2008 87, Q109 93 Source
    TrendLabs, 2009
  • Multiple threat vectors employed, e.g. PDFs,
    Flash multimedia, Java
  • Motivation predominantly illicit economic gain
  • More financial investment in vulnerability
    exploitation due to ROI
  • Intellectual property emerging as the target
  • Zero day vulnerabilities increasing
  • Difficult education messages to business and
    customers, persist

6
Trends cont.
  • 5,491 vulnerabilities in 2008, 19 increase on
    2007
  • High severity vulnerabilities decreased from 4
    to 2 in 2008
  • Medium vulnerabilities increased from 61 to 67
    in 2008
  • 80 of vulnerabilities classified as easily
    exploitable (74 in 2007)
  • 63 of vulnerabilities affected Web applications
    (59 in 2007)
  • Mozilla browsers 99 vulnerabilities
  • Internet Explorer 47
  • Apple Safari 40
  • Opera 35
  • Google Chrome 11
  • XSS, SQL injection and file include
    vulnerabilities predominate
  • 95 of attacked vulnerabilities were client-side,
    5 server-side
  • Source Symantec Global
    Internet Security Threat Report, 2009

7
Top exploitation Conficker
The Guardian
www.bbc.co.uk/news
Microsoft offers 250,000 bounty for authors of
the Conficker worm
SC Magazine
"The days of people doing this because they're
bored are mostly over. We would expect that the
person who controls this thing will try to
auction off parts of the network that they have
created." Thomas Cross IBM ISS
8
Top 10 Vendors with the most vulnerability
disclosures
Ranking Vendor Disclosures
1 Microsoft 3.16
2 Apple 3.04
3 Sun 2.19
4 Joomla! 2.07
5 IBM 2.00
6 Oracle 1.65
7 Mozilla 1.43
8 Drupal 1.42
9 Cisco 1.23
10 TYPO3 1.23
Source X-Force 2008 Trend Risk Report, IBM,
2009
9
Top 10 operating systems with the most
vulnerabilities reported
Ranking Vendor Disclosures
1 Apple Mac OS X Server 14.3
1 Apple Mac OS X 14.3
3 Linux Kernel 10.9
4 Sun Solaris 7.3
5 Microsoft Windows XP 5.5
6 Microsoft Windows 2003 Server 5.2
7 Microsoft Windows Vista 5.1
8 Microsoft Windows 2000 4.8
9 Microsoft Windows 2008 4.1
10 IBM AIX 3.7
Source X-Force 2008 Trend Risk Report, IBM,
2009
10
Recent surveys
  • Technology is one of the highest priorities for
    companies yet many companies do not know what
    risks they now face
  • 47 of surveyed European companies use
    vulnerability scanning tools

  • Source The
    Global State of Information Security Survey, 2008
  • 65 of respondents conduct vulnerability scanning
    at least annually
  • Both emerging technology and increasing
    sophistication of threats seen as less of a
    barrier last year compared to 2007
  • 70 saw inadequate Patch Management as a
    medium/high issue
  • Virus worm attacks, email attacks and
    phishing/pharming dominate
  • Source Protecting what matters, The
    6th Annual Global Security Survey, Deloitte, 2009
  • Economic distress will exacerbate the situation
  • Security seen as a cost and therefore at risk of
    reduction
  • Increased opportunity and incentive for attackers

11
Main consequences of exploitation
Consequence Description
Bypass security Circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation Manipulation of data used/stored by host and used by service or application
Denial of Service Crash/disrupt a service or system to take down a network
File manipulation Create, delete, modify, overwrite or read files
Gain access Obtain local/remote access including execution of code/commands
Gain privileges Obtain local privileges
Obtain information Obtain file and path names, source code, passwords, configuration details, etc.
12
Reactive remediation
  • Malware infection and system failure remain the
    incident types that require most staff time to
    fix
  • 7 of infections took 11-50 man days to recover
  • 1 of infections took gt100 man days

Source Information Security Breaches Survey
2008, BERR
13
Constraints
  • Patch overload
  • Different builds
  • Complexity of patches
  • Device connectivity
  • Resource constraints
  • Testing timescales
  • Testing infrastructure
  • Application dependency
  • Lack of / inadequate asset inventories
  • Lack of / inadequate configuration management
  • Scheduling / downtime / business impact

14
Patch Management process
IdentifyPatch Vuln.
Assessrisk of Vuln.
Perform Impactanalysis
TestPatch
PilotPatch
Roll-outPatch
Patchrest ofdevices
Reviewand Report
15
Vulnerability Management
  • Security alerts proactive
  • Patch management - preventative
  • Security incidents reactive / curative
  • Vulnerability assessment indicative monitoring

Vulnerability Management
Security AlertManagement
PatchManagement
IncidentManagement
Vulnerability Assessment
16
ITIL V3 Process Summary
Service Strategy
Business Requirements
IT Policies Strategies
Service Design
Service Operation
Service Level Mgmt
Event Management
Patch Management
Incident Management
Availability Mgmt
Problem Management
Info Security Mgmt
Service Transition
Change Management
Asset Config Mgmt
17
Key considerations
  • Mandate through agreed Patch Management strategy
    and policy
  • Senior Management buy-in and support essential
  • Conflicts between patching and business
    operations must be resolved
  • Schedule patch activity as BAU but allow for
    emergencies
  • Prioritise patches based on risk to organisation
  • Implement standard builds
  • Reduce local admin privileges
  • Maintain asset inventories / configuration
    management
  • Consider application whitelisting
  • Formulate integrated process and automate
    wherever possible
  • Allocate adequate resource, both management and
    line

18
To summarise..
  • Patch management is increasingly business
    critical given reliance on technology
    infrastructure
  • Should be proactive and preventative, not
    reactive and curative
  • Business impact reduction from a risk perspective
    should be key driver
  • Key is understanding the motivation, opportunity
    and risk to the attacker
  • Should be viewed as part of a bigger picture, an
    integrated process
  • Supported by defence in depth strategies
  • Automated tools are essential but so are the
    right people
  • Knowledge is power know your vulnerabilities and
    where they are
  • End user estates increasingly as important as
    server estates
  • Flexibility and agility is crucial

19
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com