Slide 1

Slide 1 text

Patch and Vulnerability Management Marcelo Martins exploitedbunker.com

Slide 2

Slide 2 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 3

Slide 3 text

§  Assets §  1 – Business processes (or sub-processes) and activities, for example: §  Processes whose loss or degradation make it impossible to carry out the mission of the organization §  Processes that contain secret processes or processes involving proprietary technology §  Processes that, if modified, can greatly affect the accomplishment of the organization's mission §  Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements Source: ISO/IEC 27005:2011 B.1 Why does it matter?

Slide 4

Slide 4 text

§  Assets §  2 – Information §  Vital information for the exercise of the organization's mission or business §  Personal information, as can be defined specifically in the sense of the national laws regarding privacy §  Strategic information required for achieving objectives determined by the strategic orientations §  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost Source: ISO/IEC 27005:2011 B.1 Why does it matter?

Slide 5

Slide 5 text

§  Vulnerabilities: Software or configuration flaws that weaken the security of an asset §  Ex: Used to gain access to a system §  Controls §  Software patches §  Configuration changes §  Flawed software or service removal §  Threats: Exploit vulnerabilities and cause damage to the asset §  Ex: exploit scripts, worms, viruses, rootkits e Trojan horses Why does it matter?

Slide 6

Slide 6 text

Vulnerabilities Threats (agents) Controls Risk Assets Impact exploit reduce potencialize risk and cause impact affects mitigate Why does it matter? are present are implemented

Slide 7

Slide 7 text

Why does it matter?

Slide 8

Slide 8 text

Why does it matter?

Slide 9

Slide 9 text

Why does it matter?

Slide 10

Slide 10 text

Why does it matter?

Slide 11

Slide 11 text

Why does it matter?

Slide 12

Slide 12 text

Why does it matter?

Slide 13

Slide 13 text

Why does it matter?

Slide 14

Slide 14 text

Why does it matter?

Slide 15

Slide 15 text

Why does it matter? The more we use… The less we need to use… Vulnerability Management Changes Management Configuration Management Incident Management Business Continuity Management

Slide 16

Slide 16 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 17

Slide 17 text

Relationship Risk Management Information Security Management Vulnerability Management

Slide 18

Slide 18 text

Relationship Vulnerability Assessment Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Reporting Penetration Test Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Exploitation Post Exploitation Reporting

Slide 19

Slide 19 text

Relationship Vulnerability Assessment Usually has a broader scope than Penetration Test Predictable, because network adm is aware of the tools being used May include several false postitives Produces a report with recommendations for risk reduction Penetration Test Exploits specific attack vectors (services or assets) May happen unannounced, to test incident response Trustworthy because provides evidence of break in (root!) Pen Testing = Proof of Concept against vulnerabilities Produces a binary result: got root or not

Slide 20

Slide 20 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 21

Slide 21 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 22

Slide 22 text

Monitor vulnerabilities

Slide 23

Slide 23 text

Monitor vulnerabilities §  Some tools

Slide 24

Slide 24 text

Monitor vulnerabilities §  Some sources of alerts §  NIST NVD §  nvd.nist.gov §  CVE §  cve.mitre.org §  US-CERT §  us-cert.gov §  CERT.BR §  cert.br §  Vendor site and e-mail lists

Slide 25

Slide 25 text

Monitor vulnerabilities §  Scope Definition §  Avoid the situation where the Organization is aware of a serious security flaw. If there is awareness and no patching, there is no due diligence §  If a security incident is related to a known vulnerability not patched by the Organization, it may open a possibility to claims of damage Vulnerability analysis without patching has little value Little analysis and lots of patching is better than lots of analysis and little patching

Slide 26

Slide 26 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 27

Slide 27 text

Establish priorities Likelihood Consequence

Slide 28

Slide 28 text

Establish priorities Risk Quantification Loss Expectancy Control Cost Exposure Factor

Slide 29

Slide 29 text

Establish priorities Acceptable Risk Controlable Risk Unacceptable Risk

Slide 30

Slide 30 text

Establish priorities Assets Process or system Business objective Billing e-Commerce Email

Slide 31

Slide 31 text

Establish priorities

Slide 32

Slide 32 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 33

Slide 33 text

Manage knowledge §  Maintaining a database §  Manually maintained databases should contain instructions on removing vulnerabilities by installing patches or performing workarounds, as well as the actual patches when applicable §  Linking resources §  While the creation of a database is recommended, resource constraints may limit an organization to listing only Web sites or specific Uniform Resource Locators (URL) for each patch

Slide 34

Slide 34 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 35

Slide 35 text

Test patch §  Many vendors provide mechanisms of authentication §  Patches should have their authenticity verified, using PGP or digital certificates §  Antivirus software should scan all patches before installation §  And before that, make sure the antivirus and its signature database are updated §  Patches e configuration changes should be tested in the testing environment, they can bring unexpected results §  Some patches are extremely complicated and largely affect the operating system by replacing files and changing system settings

Slide 36

Slide 36 text

Test patch §  Uninstallation option (undo) must be seriously taken into consideration §  Even though, sometimes the uninstallation process cannot bring the system back to its previous state

Slide 37

Slide 37 text

Test patch Development Environment Testing Environment Prodution Environment

Slide 38

Slide 38 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 39

Slide 39 text

Implement patch Risk Treatment Risk modification Implement controls Risk avoidance Cancel the operation Risk sharing Buy insurance Risk retention “I’m feeling lucky”

Slide 40

Slide 40 text

Implement patch Reduce Risk •  There is no “zero risk”. •  To cancel the operation avoids the risk but may not be the best option. •  The objective is to make money with adequate risks. Transfer Risk •  Insurance won’t transfer risk. It will only transfer risk of financial losses. •  Health insurance won’t transfer death risk. Life insurance? Not a chance. •  Control cost is the cost of insurance. Accept Risk •  May not be so bad. Depends on factors and costs. •  A soccer coach knows there is about 50/50 chance of winning the match, even managing the stronger team. •  Risk is inherent to business.

Slide 41

Slide 41 text

Implement patch

Slide 42

Slide 42 text

Implement patch §  Threat exposure §  Determinate the real meaning of the threat or vulnerability and which systems are vulnerable or exposed, focusing on critical systems §  Determinate the risk of applying the patch and if the patch affects the functionality of other applications and services (should also be addressed in Changes Management)

Slide 43

Slide 43 text

Implement patch §  Recent backup §  Before making any changes, it is better to make sure there is a recent backup copy. This way, it is easier to restore the environment §  Many assets §  Patch implementation gets very hard when there are thousands of assets. Automated solutions (EPM – Enterprise Patch Management) may be the answer.

Slide 44

Slide 44 text

Implement patch §  Delay of patch implementation must be carefully considered §  Threat level §  Internet accessible assets, many systems to be patched §  Exploitation risk §  If the vulnerability may be easily exploited, the patch (or virtual patch) should be immediately installed §  Exploitation consequences §  Critical systems or systems containing sensitive information should be patched as soon as possible

Slide 45

Slide 45 text

Implement patch §  Possible problems §  The instalation agent may reduce performance or make the systems uninstable §  Patches may be incompatible with other softwares §  User may lose informatgion when the agents reboots the system to install the patch §  EPM agent may be itself another security threat §  Mobile users may have problem when EPM tries to install a large amount of patches as the user logs on

Slide 46

Slide 46 text

Implement patch §  Determinate root cause §  Many vulnerabilities are the result of poorly formed system configuration or user administration policies, and inadequate provisioning or change management processes. §  Eliminating root causes requires improvements in the policies and processes that are used to provision, configure and change systems, and administer users.

Slide 47

Slide 47 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 48

Slide 48 text

Verify implementation §  Verify that files and settings were changed as specified by the vendor §  Run a vulnerability scanner §  Make sure patches were installed by log review §  Make use of penetration testing services to make sure that the vulnerability was patched

Slide 49

Slide 49 text

Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process

Slide 50

Slide 50 text

Improve the process §  Training §  Automated patch management solutions §  Enterprise patch management §  Learned lessons §  Implementation flaws §  Slow bandwidth and processing power §  User permissions §  Best date and time

Slide 51

Slide 51 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 52

Slide 52 text

§  Every organization should consistently measure the effectiveness of its patch and vulnerability management program and apply corrective actions as necessary. §  Without such a capability, even the best-designed security architectures can be susceptible to penetration or other forms of exploit. Establishing metrics Metric Name (Example) Units Vulnerability ratio Vulnerabilities/Host Unapplied patches ratio Patches/Host Network services ratio Services/Host Response time for vulnerability and patch identification Time Patch response time (critical) Time

Slide 53

Slide 53 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 54

Slide 54 text

§  Acting before the infection §  For any single vulnerability for which a widespread worm will be created, manual monitoring and patching is much more cost-effective than responding to a worm infection §  Enterprise Patch Management (EPM) §  Given that patches are constantly released, manual patching becomes prohibitively expensive unless the operating environment consists of only a few software packages (thus decreasing the total number of patches needed) Planning ahead

Slide 55

Slide 55 text

§  Enterprise patch management §  All moderate to large-size organizations should be using EPM §  Even small organizations should be migrating to some form of automated patching tool §  Manual patching is becoming ineffective as the number of patches grows and as attackers develop exploit code more rapidly §  Only uniquely configured computers and appliance- based devices should continue to be patched manually Planning ahead

Slide 56

Slide 56 text

Planning ahead §  Types of EPM §  There are two primary categories of enterprise patch management tools §  those that use agents §  those that do not §  Some products support both approaches and allow the administrator to choose the approach that is most efficient for the environment

Slide 57

Slide 57 text

§  New acquisitions §  Consider less complicated products. More code, features, and services can mean more bugs, vulnerabilities, and patches §  Delay implementing recently released major operating systems or applications until the experiences of others can be included in the decision-making process §  Consider software validated by independent testing. For the greatest assurance, the software’s source code should be evaluated §  Use only versions of software that are currently supported. Obsolete software beyond its lifecycle often has flaws that are only addressed in the newer, supported versions Planning ahead

Slide 58

Slide 58 text

§  Standardization §  The standard configuration will likely include the following items §  Hardware type and model §  Operating system version and patch level §  Major installed applications (version and patch level) §  Security settings for the operating system and applications. §  In many cases, these standardized configurations can be maintained centrally, and changes can be propagated to all participating IT resources. Planning ahead

Slide 59

Slide 59 text

§  Post incident patching §  Patching after a security compromise is significantly more complicated than merely applying the appropriate patch §  The vulnerability that was exploited must be patched §  It will not eliminate rootkits, backdoors, or most other changes that might have been introduced by the intruder §  For example, the Code Red II worm placed backdoors on compromised systems, and later the Nimda worm exploited those backdoors §  A compromised system should be reformatted and reinstalled or restored from a known safe and trusted backup Planning ahead

Slide 60

Slide 60 text

Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion

Slide 61

Slide 61 text

Conclusion §  There must be a Vulnerability Management process §  Little analysis and lots of patching §  Network administration must be kept informed of disclosed vulnerabilities §  The environment should be standardized and well-documented §  All changes must go through Changes Management §  Every change must be tested at the testing environment §  An automated process of patch installation may have the best cost/benefit

Slide 62

Slide 62 text

References §  NIST §  SP 800-40 §  Creating a Patch and Vulnerability Management Program §  SP 800-115 §  Technical Guide to Information Security Testing and Assessment §  CVE §  http://measurablesecurity.mitre.org/directory/areas/ vulnerabilitymanagement.html §  ISO/IEC 29147:2014 §  gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. §  ISO/IEC 30111:2013 §  gives guidelines for how to process and resolve potential vulnerability information in a product or online service.