Patch management
Patch management: increasingly a facet of effective risk management
Marcus Alldrick
SecureLondon conference, 28 July 2009
If the attacker has a greater understanding of its target then it has the advantage
2
patch management SecureLondon 0709 v01
© Lloyd’s
Criminal attackers are now driven by monetization cost and profitability
Patching and other protective measures increase attackers' monetization cost and reduce their profitability
Trends
Continued rapid evolution of attack strategies and sophistication
Web applications increasingly vulnerable and targeted
Decrease in mass-mailing viruses and worms
Trojans increasing, notably in data-stealing malware (2007: 52%, 2008: 87%, Q1 2009: 93%; source: TrendLabs, 2009)
Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java
Motivation predominantly illicit economic gain
More financial investment in vulnerability exploitation due to ROI
Intellectual property emerging as a target
Zero-day vulnerabilities increasing
Difficult education messages to business and customers persist
Trends cont.
5,491 vulnerabilities in 2008, a 19% increase on 2007
High-severity vulnerabilities decreased from 4% to 2% in 2008
Medium-severity vulnerabilities increased from 61% to 67% in 2008
80% of vulnerabilities classified as easily exploitable (74% in 2007)
63% of vulnerabilities affected Web applications (59% in 2007)
Browser vulnerabilities in 2008: Mozilla browsers 99, Internet Explorer 47, Apple Safari 40, Opera 35, Google Chrome 11
XSS, SQL injection and file include vulnerabilities predominate
95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009
Top exploitation: Conficker
Press coverage: SC Magazine, The Guardian, www.bbc.co.uk/news
Headline: "Microsoft offers $250,000 bounty for authors of the Conficker worm" (SC Magazine)
"The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created."
Thomas Cross, IBM ISS, quoted on DarkReading.com
Top 10 vendors with the most vulnerability disclosures
Ranking  Vendor     Disclosures
1        Microsoft  3.16%
2        Apple      3.04%
3        Sun        2.19%
4        Joomla!    2.07%
5        IBM        2.00%
6        Oracle     1.65%
7        Mozilla    1.43%
8        Drupal     1.42%
9        Cisco      1.23%
10       TYPO3      1.23%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Top 10 operating systems with the most vulnerabilities reported
Ranking  Operating system               Disclosures
1        Apple Mac OS X Server          14.3%
1        Apple Mac OS X                 14.3%
3        Linux Kernel                   10.9%
4        Sun Solaris                    7.3%
5        Microsoft Windows XP           5.5%
6        Microsoft Windows 2003 Server  5.2%
7        Microsoft Windows Vista        5.1%
8        Microsoft Windows 2000         4.8%
9        Microsoft Windows 2008         4.1%
10       IBM AIX                        3.7%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Recent surveys
Technology is one of the highest priorities for companies, yet many companies do not know what risks they now face
47% of surveyed European companies use vulnerability scanning tools
Source: The Global State of Information Security Survey, 2008
65% of respondents conduct vulnerability scanning at least annually
Both emerging technology and increasing sophistication of threats seen as less of a barrier last year compared to 2007
~70% saw inadequate patch management as a medium/high issue
Virus & worm attacks, email attacks and phishing/pharming dominate
Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009
Economic distress will exacerbate the situation
Security seen as a cost and therefore at risk of reduction
Increased opportunity and incentive for attackers
Main consequences of exploitation
Bypass security: circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation: manipulation of data used/stored by the host and used by a service or application
Denial of Service: crash/disrupt a service or system to take down a network
File manipulation: create, delete, modify, overwrite or read files
Gain access: obtain local/remote access, including execution of code/commands
Gain privileges: obtain local privileges
Obtain information: obtain file and path names, source code, passwords, configuration details, etc.
Reactive remediation
Malware infection and system failure remain the incident types that require most staff time to fix
7% of infections took 11-50 man days to recover
1% of infections took >100 man days
Source: Information Security Breaches Survey 2008, BERR
Constraints
Patch overload
Different builds
Complexity of patches
Device connectivity
Resource constraints
Testing timescales
Testing infrastructure
Application dependency
Lack of / inadequate asset inventories
Lack of / inadequate configuration management
Scheduling / downtime / business impact
Patch Management process
Identify patch & vulnerability -> Assess risk of vulnerability -> Perform impact analysis -> Test patch -> Pilot patch -> Roll out patch -> Review and report -> Patch rest of devices
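The cycle on this slide (identify, assess risk, impact analysis, test, pilot, roll out, review and report), worked through as an added example that is not part of the Lloyd's presentation: a small Python model scores each vulnerability against each affected asset, takes an SLA tier from the worst case, pilots on one device per standard build before patching the rest, and produces the per-tier counts a review-and-report step would want. The asset and vulnerability records, the VULN-A/B/C identifiers, the weightings in exposure() and risk_score(), and the tier thresholds are all constructed assumptions, not figures from the deck.

```python
"""Added example: risk-based patch prioritisation and staged roll-out.

Models the cycle on the slide (identify -> assess risk -> impact analysis ->
test -> pilot -> roll-out -> review/report). Every record, weighting and
threshold below is a constructed assumption, not data from the deck.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    name: str
    build: str             # standard build the device runs
    criticality: int       # 1 (low) .. 5 (high); assumed scale
    internet_facing: bool
    end_user: bool         # workstation/laptop rather than server


@dataclass(frozen=True)
class Vuln:
    vid: str               # constructed identifier, not a real CVE
    cvss: float            # base score 0..10
    exploit_public: bool   # exploit code circulating or in active use
    client_side: bool      # triggered via browser, document or plugin
    affected_builds: FrozenSet[str]


# Assumed SLA tiers: (name, minimum score). Order matters: first match wins.
TIERS = (("emergency", 7.5), ("scheduled", 3.5), ("routine", 0.0))


def exposure(v: Vuln, a: Asset) -> float:
    """Assumed weighting for how reachable the flaw is on this asset.
    Client-side bugs are most exposed on user endpoints (people browse and
    open documents there); server-side bugs where the service faces the
    internet."""
    if v.client_side:
        return 1.0 if a.end_user else 0.3
    return 1.0 if a.internet_facing else 0.5


def risk_score(v: Vuln, a: Asset) -> float:
    """Assumed model: CVSS x likelihood x business impact, capped at 10."""
    likelihood = (1.5 if v.exploit_public else 1.0) * exposure(v, a)
    impact = 0.5 + a.criticality / 10.0   # 0.6 .. 1.0
    return min(10.0, v.cvss * likelihood * impact)


def tier_for(score: float) -> str:
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "routine"


def build_plan(vulns: List[Vuln], assets: List[Asset]) -> Dict[str, dict]:
    """For each vulnerability: score every affected asset, take the tier from
    the worst case, pilot on the least critical device of each standard
    build, then roll out to the rest in descending risk order."""
    plan: Dict[str, dict] = {}
    for v in vulns:
        affected = [a for a in assets if a.build in v.affected_builds]
        if not affected:
            continue                       # nothing in the estate runs it
        by_risk = sorted(affected, key=lambda a: (-risk_score(v, a), a.name))
        pilot: Dict[str, Asset] = {}
        for a in sorted(affected, key=lambda a: (a.criticality, a.name)):
            pilot.setdefault(a.build, a)   # first (least critical) per build
        pilot_names = sorted(a.name for a in pilot.values())
        plan[v.vid] = {
            "tier": tier_for(risk_score(v, by_risk[0])),
            "scores": {a.name: round(risk_score(v, a), 2) for a in by_risk},
            "pilot": pilot_names,
            "rollout": [a.name for a in by_risk if a.name not in pilot_names],
        }
    return plan


def summarise(plan: Dict[str, dict]) -> Dict[str, int]:
    """Review-and-report step: how many patches sit in each tier."""
    counts = {name: 0 for name, _ in TIERS}
    for item in plan.values():
        counts[item["tier"]] += 1
    return counts


# Constructed sample estate and findings (hypothetical hosts and IDs).
WS, WEB, DB = "WS-STD-2009Q2", "SRV-WEB-2009Q1", "SRV-DB-2009Q1"
ASSETS = [
    Asset("ws-001", WS, 2, False, True),
    Asset("ws-002", WS, 2, False, True),
    Asset("ws-fin-01", WS, 4, False, True),   # finance desktop
    Asset("web-01", WEB, 5, True, False),
    Asset("web-02", WEB, 5, True, False),
    Asset("db-01", DB, 5, False, False),
]
VULNS = [
    Vuln("VULN-A", 9.3, True, True, frozenset({WS})),        # browser/PDF bug
    Vuln("VULN-B", 7.5, False, False, frozenset({WEB, DB})), # server-side
    Vuln("VULN-C", 4.3, False, True, frozenset({WS, WEB})),  # low client-side
]

if __name__ == "__main__":
    plan = build_plan(VULNS, ASSETS)
    for vid, item in plan.items():
        print(vid, item["tier"], "pilot:", item["pilot"], "then:", item["rollout"])
    print(summarise(plan))
```

Two design points follow the deck's own figures: client-side exposure is weighted highest on user endpoints because 95% of attacked vulnerabilities were client-side, and a public exploit raises likelihood because most disclosed vulnerabilities are easily exploitable. Piloting on the least critical device of each standard build only works if the asset inventory records which build every device runs, which is why the constraints and key-considerations slides stress inventories and standard builds.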
Vulnerability Management
Component disciplines: Security Alert Management, Patch Management, Incident Management, Vulnerability Assessment
Security alerts – proactive
Patch management – preventative
Security incidents – reactive / curative
Vulnerability assessment – indicative monitoring
ITIL V3 Process Summary
Service Strategy: Business Requirements; IT Policies & Strategies
Service Design: Service Level Mgmt; Availability Mgmt; Info Security Mgmt
Service Transition: Change Management; Asset & Config Mgmt
Service Operation: Event Management; Incident Management; Patch Management; Problem Management
Key considerations
Mandate through agreed Patch Management strategy and policy
Senior Management buy-in and support essential
Conflicts between patching and business operations must be resolved
Schedule patch activity as BAU but allow for emergencies
Prioritise patches based on risk to organisation
Implement standard builds
Reduce local admin privileges
Maintain asset inventories / configuration management
Consider application whitelisting
Formulate integrated process and automate wherever possible
Allocate adequate resource, both management and line
To summarise
Patch management is increasingly business critical given reliance on
technology infrastructure
Should be proactive and preventative, not reactive and curative
Business impact reduction from a risk perspective should be key driver
Key is understanding the motivation, opportunity and risk to the attacker
Should be viewed as part of a bigger picture, an integrated process
Supported by defence in depth strategies
Automated tools are essential but so are the right people
Knowledge is power: know your vulnerabilities and where they are
End user estates increasingly as important as server estates
Flexibility and agility are crucial