Patch management


Transcript: Patch management

Patch management: increasingly a facet of effective risk management
Marcus Alldrick
SecureLondon conference, 28 July 2009
If the attacker has a greater understanding of its target, then it has the advantage.
2
patch management SecureLondon 0709 v01
© Lloyd’s
Criminal attackers are now driven by monetization cost and profitability.
Patching and other protective measures increase attackers' monetization cost and reduce their profitability.
Trends

Continued rapid evolution of attack strategies / sophistication

Web applications increasingly vulnerable and targeted

Decrease in mass mailing viruses and worms

Trojans increasing, notably in data stealing malware

2007: 52%, 2008: 87%, Q1 2009: 93%
Source: TrendLabs, 2009

Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java

Motivation predominantly illicit economic gain

More financial investment in vulnerability exploitation due to ROI

Intellectual property emerging as the target

Zero day vulnerabilities increasing

Difficult education messages to business and customers persist
Trends cont.

5,491 vulnerabilities in 2008, 19% increase on 2007

High severity vulnerabilities decreased from 4% to 2% in 2008

Medium vulnerabilities increased from 61% to 67% in 2008

80% of vulnerabilities classified as easily exploitable (74% in 2007)

63% of vulnerabilities affected Web applications (59% in 2007)

Browser vulnerabilities: Mozilla browsers 99, Internet Explorer 47, Apple Safari 40, Opera 35, Google Chrome 11

XSS, SQL injection and file include vulnerabilities predominate

95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009
Top exploitation: Conficker

Press coverage: SC Magazine, The Guardian, www.bbc.co.uk/news, DarkReading.com

Headline: "Microsoft offers $250,000 bounty for authors of the Conficker worm" (SC Magazine)

"The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created." Thomas Cross, IBM ISS (DarkReading.com)
Top 10 vendors with the most vulnerability disclosures

Ranking  Vendor     Disclosures
1        Microsoft  3.16%
2        Apple      3.04%
3        Sun        2.19%
4        Joomla!    2.07%
5        IBM        2.00%
6        Oracle     1.65%
7        Mozilla    1.43%
8        Drupal     1.42%
9        Cisco      1.23%
10       TYPO3      1.23%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Top 10 operating systems with the most vulnerabilities reported

Ranking  Operating system               Disclosures
1        Apple Mac OS X Server          14.3%
1        Apple Mac OS X                 14.3%
3        Linux Kernel                   10.9%
4        Sun Solaris                    7.3%
5        Microsoft Windows XP           5.5%
6        Microsoft Windows 2003 Server  5.2%
7        Microsoft Windows Vista        5.1%
8        Microsoft Windows 2000         4.8%
9        Microsoft Windows 2008         4.1%
10       IBM AIX                        3.7%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Recent surveys

Technology is one of the highest priorities for companies, yet many companies do not know what risks they now face

47% of surveyed European companies use vulnerability scanning tools
Source: The Global State of Information Security Survey, 2008

65% of respondents conduct vulnerability scanning at least annually

Both emerging technology and increasing sophistication of threats seen as less of a barrier last year compared to 2007

~70% saw inadequate Patch Management as a medium/high issue

Virus & worm attacks, email attacks and phishing/pharming dominate
Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009

Economic distress will exacerbate the situation

Security seen as a cost and therefore at risk of reduction

Increased opportunity and incentive for attackers
Main consequences of exploitation

Bypass security: circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences

Data manipulation: manipulation of data used/stored by host and used by service or application

Denial of Service: crash/disrupt a service or system to take down a network

File manipulation: create, delete, modify, overwrite or read files

Gain access: obtain local/remote access including execution of code/commands

Gain privileges: obtain local privileges

Obtain information: obtain file and path names, source code, passwords, configuration details, etc.
Reactive remediation

Malware infection and system failure remain the incident types that require most staff time to fix

7% of infections took 11-50 man days to recover

1% of infections took >100 man days
Source: Information Security Breaches Survey 2008, BERR
Constraints

Patch overload

Different builds

Complexity of patches

Device connectivity

Resource constraints

Testing timescales

Testing infrastructure

Application dependency

Lack of / inadequate asset inventories

Lack of / inadequate configuration management

Scheduling / downtime / business impact
Patch Management process (diagram; stages as shown on the slide)

Identify patch & vulnerability

Assess risk of vulnerability

Perform impact analysis

Test patch

Pilot patch

Roll-out patch

Review and report

Patch rest of devices
Vulnerability Management

Components (diagram): Security Alert Management, Patch Management, Incident Management, Vulnerability Assessment

Security alerts – proactive

Patch management – preventative

Security incidents – reactive / curative

Vulnerability assessment – indicative monitoring
ITIL V3 Process Summary (diagram)

Lifecycle stages shown: Service Strategy, Service Design, Service Transition, Service Operation

Service Strategy inputs: Business Requirements, IT Policies & Strategies

Processes shown: Event Management, Service Level Mgmt, Incident Management, Patch Management, Availability Mgmt, Info Security Mgmt, Problem Management, Change Management, Asset & Config Mgmt
Key considerations

Mandate through agreed Patch Management strategy and policy

Senior Management buy-in and support essential

Conflicts between patching and business operations must be resolved

Schedule patch activity as BAU but allow for emergencies

Prioritise patches based on risk to organisation

Implement standard builds

Reduce local admin privileges

Maintain asset inventories / configuration management

Consider application whitelisting

Formulate integrated process and automate wherever possible

Allocate adequate resource, both management and line
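A worked illustration of the "identify patch & vulnerability" and "assess risk" stages of the process, combined with the key considerations "prioritise patches based on risk" and "schedule as BAU but allow for emergencies". This is an added example, not material from the talk: it matches a constructed asset inventory against a constructed advisory feed, ranks the resulting patch work by a risk score (severity, business criticality, exposure, known exploitation) and tags each item for emergency or BAU scheduling. The products, versions, weights and the emergency threshold are all invented for illustration.

```python
# Risk-based patch prioritisation for the identify / assess / schedule steps of the
# cycle on the slides. Added example; weights, threshold, inventory and feed are constructed.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: dict      # product -> installed version, from the asset inventory
    exposure: str       # "internet", "internal" or "isolated"
    criticality: int    # 1 (low) .. 5 (business critical)

@dataclass
class Advisory:
    product: str
    fixed_version: str  # first version carrying the patch
    severity: int       # 1..10, as in a CVSS-style base score
    exploited: bool     # exploitation observed in the wild

EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
EMERGENCY_THRESHOLD = 20.0  # constructed: at or above this, patch outside the BAU cycle

def version_tuple(v):
    """Compare dotted versions numerically, so "2.2.9" < "2.2.12"."""
    return tuple(int(p) for p in v.split("."))

def risk_score(asset, adv):
    """Severity x business criticality x exposure, doubled if exploited in the wild."""
    score = adv.severity * asset.criticality * EXPOSURE_WEIGHT[asset.exposure]
    return round(score * 2 if adv.exploited else score, 1)

def prioritise(assets, advisories):
    """Return vulnerable (score, asset name, product, schedule) tuples, highest risk first."""
    work = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None or version_tuple(installed) >= version_tuple(adv.fixed_version):
                continue  # product not installed, or already at/above the fixed version
            score = risk_score(asset, adv)
            urgent = score >= EMERGENCY_THRESHOLD or adv.exploited
            work.append((score, asset.name, adv.product, "emergency" if urgent else "BAU cycle"))
    return sorted(work, key=lambda w: w[0], reverse=True)

ASSETS = [Asset("web01", {"webserver": "2.2.11"}, "internet", 5),   # constructed inventory
          Asset("fin-db", {"db_server": "10.2.3"}, "internal", 5),
          Asset("hr-pc", {"pdf_reader": "9.1.0", "browser": "3.0.10"}, "internal", 2),
          Asset("lab-pc", {"webserver": "2.2.11"}, "isolated", 1)]
ADVISORIES = [Advisory("webserver", "2.2.12", 7, False), Advisory("db_server", "10.2.4", 9, False),
              Advisory("pdf_reader", "9.1.1", 8, True),  # client-side, exploited in the wild
              Advisory("browser", "3.0.11", 6, False)]
```

Note how the exploited client-side reader on a low-criticality PC outranks the unexploited browser flaw on the same machine and is forced into the emergency schedule, matching the slide's point that end-user estates matter as much as servers.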
To summarise

Patch management is increasingly business critical given reliance on technology infrastructure

Should be proactive and preventative, not reactive and curative

Business impact reduction from a risk perspective should be key driver

Key is understanding the motivation, opportunity and risk to the attacker

Should be viewed as part of a bigger picture, an integrated process

Supported by defence in depth strategies

Automated tools are essential but so are the right people

Knowledge is power: know your vulnerabilities and where they are

End user estates increasingly as important as server estates

Flexibility and agility are crucial