Patch management: increasingly a facet of effective risk management

Author: Craig Peel. Last modified by: John Colley. Created: 6/10/2005 10:05:19 AM. Slides: 20.
1
Patch management: increasingly a facet of
effective risk management
  • Marcus Alldrick, SecureLondon conference, 28 July
    2009

2
  • If the attacker has a greater understanding of
    its target, then it has the advantage

3
  • Criminal attackers are now driven by monetization
    cost and profitability

4
  • Patching and other protective measures increase
    attackers' monetization cost and reduce their
    profitability

5
Trends
  • Continued rapid evolution of attack strategies /
    sophistication
  • Web applications increasingly vulnerable and
    targeted
  • Decrease in mass mailing viruses and worms
  • Trojans increasing, notably in data stealing
    malware
  • 2007: 52%, 2008: 87%, Q1 2009: 93% (Source:
    TrendLabs, 2009)
  • Multiple threat vectors employed, e.g. PDFs,
    Flash multimedia, Java
  • Motivation predominantly illicit economic gain
  • More financial investment in vulnerability
    exploitation due to ROI
  • Intellectual property emerging as the target
  • Zero day vulnerabilities increasing
  • Difficult education messages to business and
    customers persist

6
Trends cont.
  • 5,491 vulnerabilities in 2008, a 19% increase on
    2007
  • High severity vulnerabilities decreased from 4%
    to 2% in 2008
  • Medium vulnerabilities increased from 61% to 67%
    in 2008
  • 80% of vulnerabilities classified as easily
    exploitable (74% in 2007)
  • 63% of vulnerabilities affected Web applications
    (59% in 2007)
  • Mozilla browsers: 99 vulnerabilities
  • Internet Explorer: 47
  • Apple Safari: 40
  • Opera: 35
  • Google Chrome: 11
  • XSS, SQL injection and file include
    vulnerabilities predominate
  • 95% of attacked vulnerabilities were client-side,
    5% server-side
  • Source: Symantec Global
    Internet Security Threat Report, 2009

7
Top exploitation: Conficker
Press coverage: The Guardian; www.bbc.co.uk/news;
SC Magazine
"Microsoft offers $250,000 bounty for authors of
the Conficker worm"
"The days of people doing this because they're
bored are mostly over. We would expect that the
person who controls this thing will try to
auction off parts of the network that they have
created." Thomas Cross, IBM ISS
8
Top 10 vendors with the most vulnerability
disclosures
Ranking  Vendor     Disclosures (% of total)
1        Microsoft  3.16
2        Apple      3.04
3        Sun        2.19
4        Joomla!    2.07
5        IBM        2.00
6        Oracle     1.65
7        Mozilla    1.43
8        Drupal     1.42
9        Cisco      1.23
10       TYPO3      1.23
Source: X-Force 2008 Trend & Risk Report, IBM,
2009
9
Top 10 operating systems with the most
vulnerabilities reported
Ranking  Operating system               Disclosures (% of total)
1        Apple Mac OS X Server          14.3
1        Apple Mac OS X                 14.3
3        Linux Kernel                   10.9
4        Sun Solaris                    7.3
5        Microsoft Windows XP           5.5
6        Microsoft Windows 2003 Server  5.2
7        Microsoft Windows Vista        5.1
8        Microsoft Windows 2000         4.8
9        Microsoft Windows 2008         4.1
10       IBM AIX                        3.7
Source: X-Force 2008 Trend & Risk Report, IBM,
2009
10
Recent surveys
  • Technology is one of the highest priorities for
    companies, yet many companies do not know what
    risks they now face
  • 47% of surveyed European companies use
    vulnerability scanning tools
  • Source: The
    Global State of Information Security Survey, 2008
  • 65% of respondents conduct vulnerability scanning
    at least annually
  • Both emerging technology and increasing
    sophistication of threats seen as less of a
    barrier last year compared to 2007
  • 70% saw inadequate patch management as a
    medium/high issue
  • Virus/worm attacks, email attacks and
    phishing/pharming dominate
  • Source: Protecting what matters, The
    6th Annual Global Security Survey, Deloitte, 2009
  • Economic distress will exacerbate the situation
  • Security seen as a cost and therefore at risk of
    reduction
  • Increased opportunity and incentive for attackers

11
Main consequences of exploitation
Consequence: Description
Bypass security: Circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation: Manipulation of data used/stored by host and used by service or application
Denial of Service: Crash/disrupt a service or system to take down a network
File manipulation: Create, delete, modify, overwrite or read files
Gain access: Obtain local/remote access including execution of code/commands
Gain privileges: Obtain local privileges
Obtain information: Obtain file and path names, source code, passwords, configuration details, etc.
12
Reactive remediation
  • Malware infection and system failure remain the
    incident types that require most staff time to
    fix
  • 7% of infections took 11-50 man days to recover
  • 1% of infections took >100 man days

Source: Information Security Breaches Survey
2008, BERR
13
Constraints
  • Patch overload
  • Different builds
  • Complexity of patches
  • Device connectivity
  • Resource constraints
  • Testing timescales
  • Testing infrastructure
  • Application dependency
  • Lack of / inadequate asset inventories
  • Lack of / inadequate configuration management
  • Scheduling / downtime / business impact

14
Patch Management process
  • Identify patch / vulnerability
  • Assess risk of vulnerability
  • Perform impact analysis
  • Test patch
  • Pilot patch
  • Roll out patch
  • Patch rest of devices
  • Review and report
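As an added example (not from the presentation), the following Python model ties the process above to the "prioritise patches based on risk" point from the Key considerations slide: the stage order is enforced so a patch cannot reach roll-out without recorded test and pilot results, and the backlog is ordered by a risk score whose factors mirror the statistics cited earlier (severity, easy exploitability, client-side exposure, number of exposed assets, business criticality). Gate names, weights and the sample backlog are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Lifecycle stages from the slide, in order. A record may only move to the next stage.
STAGES = ["identify", "assess_risk", "impact_analysis", "test",
          "pilot", "roll_out", "patch_rest", "review"]
# Evidence that must be on file before entering a stage (assumed gate names).
GATES = {"pilot": "test_passed", "roll_out": "pilot_passed",
         "patch_rest": "rollout_ok", "review": "all_devices_patched"}

@dataclass
class PatchRecord:
    patch_id: str
    severity: str             # "high", "medium" or "low"
    easily_exploitable: bool  # the cited report classed 80% of flaws this way
    client_side: bool         # 95% of attacked vulnerabilities were client-side
    exposed_assets: int       # affected devices, taken from the asset inventory
    business_critical: bool   # affected service underpins a critical process
    stage: str = "identify"
    evidence: set = field(default_factory=set)

def risk_score(p: PatchRecord) -> int:
    """Higher score = patch sooner. Weights are illustrative assumptions."""
    score = {"high": 30, "medium": 15, "low": 5}[p.severity]
    score += 20 if p.easily_exploitable else 0
    score += 10 if p.client_side else 0
    score += min(p.exposed_assets, 1000) // 50   # up to 20 points for breadth
    score += 15 if p.business_critical else 0
    return score

def schedule(patches):
    """Order the patch backlog by risk to the organisation, highest first."""
    return [p.patch_id for p in sorted(patches, key=risk_score, reverse=True)]

def advance(p: PatchRecord) -> str:
    """Move to the next stage, failing closed if the gate evidence is missing."""
    i = STAGES.index(p.stage)
    if i == len(STAGES) - 1:
        raise ValueError(f"{p.patch_id}: already reviewed")
    nxt = STAGES[i + 1]
    gate = GATES.get(nxt)
    if gate and gate not in p.evidence:
        raise ValueError(f"{p.patch_id}: cannot enter {nxt} without {gate}")
    p.stage = nxt
    return nxt

# Constructed sample backlog (hypothetical patch ids, not real advisories).
BACKLOG = [
    PatchRecord("KB-A", "high", True, True, 900, False),
    PatchRecord("KB-B", "medium", False, False, 40, True),
    PatchRecord("KB-C", "high", True, False, 12, True),
]
```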
15
Vulnerability Management
  • Security alerts: proactive
  • Patch management: preventative
  • Security incidents: reactive / curative
  • Vulnerability assessment: indicative monitoring

(Diagram: Vulnerability Management comprising
Security Alert Management, Patch Management,
Incident Management and Vulnerability Assessment)
16
ITIL V3 Process Summary
(Diagram of ITIL V3 lifecycle phases and processes)
Service Strategy: Business Requirements; IT Policies
& Strategies
Service Design: Service Level Mgmt; Availability
Mgmt; Info Security Mgmt
Service Operation: Event Management; Patch
Management; Incident Management; Problem Management
Service Transition: Change Management; Asset &
Config Mgmt
17
Key considerations
  • Mandate through agreed Patch Management strategy
    and policy
  • Senior Management buy-in and support essential
  • Conflicts between patching and business
    operations must be resolved
  • Schedule patch activity as BAU but allow for
    emergencies
  • Prioritise patches based on risk to organisation
  • Implement standard builds
  • Reduce local admin privileges
  • Maintain asset inventories / configuration
    management
  • Consider application whitelisting
  • Formulate integrated process and automate
    wherever possible
  • Allocate adequate resource, both management and
    line

18
To summarise...
  • Patch management is increasingly business
    critical given reliance on technology
    infrastructure
  • Should be proactive and preventative, not
    reactive and curative
  • Business impact reduction from a risk perspective
    should be key driver
  • Key is understanding the motivation, opportunity
    and risk to the attacker
  • Should be viewed as part of a bigger picture, an
    integrated process
  • Supported by defence in depth strategies
  • Automated tools are essential but so are the
    right people
  • Knowledge is power: know your vulnerabilities and
    where they are
  • End user estates increasingly as important as
    server estates
  • Flexibility and agility are crucial
