AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Thursday, October 15, 2009

Improving Vulnerability and Patch Management

If you are a resource administrator, then you probably spend too much time responding to new vulnerability reports and patching systems. For the security folks, you probably spend too much of your time tracking down the status on remediation and trying to qualify new vulnerability notifications. So how can we manage this better?

The answer is to develop a risk model that takes into account the particulars of your environment. Most vulnerability notification services and scanners provide some kind of default rating for the findings, and the more sophisticated ones even include a confidence rating, but you need to rate these vulnerabilities for your own environment. I like to use the default or vendor supplied ratings as a way to narrow down your focus from hundreds or even thousands, down to a manageable number. Then you need to analyze the risks of each exposure to your organization, and adjust the rating accordingly.

A good place to start is by looking at just the "Critical" and "High" level risks, setting aside the "Moderate" and "Low" findings for now (assuming a four tier risk model). Hopefully, you will have very few in the "Critical" category, but it is likely you will have a good number of "High" risks.

Next you need to qualify each vulnerability for applicability. This will usually require some research on the part of your technical staff if you don't have a good asset inventory that includes software and operating system versions. If you do have a comprehensive asset inventory, then your job will be a lot easier and potentially the filtering can be automated.

Once you have a list of vulnerabilities that are either "Critical" or "High," and are definitely applicable to your environment, you need to re-rate them. This is where a formal risk model is crucial. You need to determine in advance how many risk levels you will have, what your risk formula will include, and which criteria you will use to categorize vulnerabilities at each level.

For example, how would you rate the likelihood of a cross-site scripting attack on an Internet-facing server versus an internal tools server? The scanning tool is going to rate that as a high regardless, but you know that for an attack to be successful, an attacker has to know the URL for that server, and get you to click on a link to exploit your client. That is going to be really hard for an outsider to pull off using your internal tools server, but much easier on an external website.

The recent Adobe Acrobat vulnerabilities are another good example. If your Domain Controller happens to have a vulnerable version running on it, a scanner might flag this as a high risk, but you know that most of these exploits require opening a specially crafted PDF file on the server to be successful. What are the chances that an administrator is going to download or get emailed a malicious PDF, and decide to open it on your Domain Controller? Probably not high. Looking at your desktops and laptops, however, the likelihood is high, so that's where you should focus your efforts.

These are just some of the factors that you need to consider and account for in your risk model. Armed with this knowledge, you can better focus your administrators' efforts. With limited time and resources, you can't patch everything on day 1, so how do you determine which alerts are actually critical for your environment?

On October 20, 2009 I am hosting a free Webcast with SANS that will address these very topics. In this session we will focus on how to take vendor and industry reports of new vulnerabilities in software/hardware, and analyze the risk to your own organization. I hope that you will check it out.

The author, Evan Wheeler, is a risk and security expert at Omgeo and an Akibia customer.

LABELS:

Evan Wheeler,

Security,

Training

Post a Comment

• By Anders 02/08/2010

  Well, there are known exploits. But arent the biggest challenge the 0-day exploits? The lack of security knowledge among developers are in my oppinion still the biggest threat.

  billigt webbhotell

• By iphone 5 release date 09/07/2011

  The right software patch management product helps assess exposure and prioritize patches so as to stay compliant at all times. It is crucial to be mindful of these points in order to find the right fit. Utilizing an effective patch management system can keep your computer inventory running at peak performance and avoid costly down time.

BLOG ARCHIVE

• 2011 (29)
  • December (1)
    • Is Employee Cybershopping Threatening Your Company's Security?
  • October (1)
    • Plans are nothing; planning is everything
  • September (1)
    • Has it really come down to a bag of chips?
  • August (6)
    • Modernization is The Key
    • VRM (Vendor Relationship Management)
    • The Double Dip Recession is Coming!
    • Security Faux Pas
    • Too Extreme? I don’t think so. Tying security to compensation.
    • Unique Requirements for Exchange 2010 Based Messaging Platform and Dependencies
  • July (2)
    • Configuration Management with System Center
    • Keep living in a fantasy world…
  • June (7)
    • The Softer Side of Information Security…
    • The Black Hats Get It. Do you?
    • More from midTECH
    • midTECH IT Summit
    • Advances and Limitations of Windows DHCP/DNS Services
    • Choosing the Right Consultant
    • Don't Panic Yet
  • May (3)
    • Citrix Synergy 2011
    • Citrix Summit 2011 - Day 1
    • Federal FISMA Compliance Rated "Poor"
  • April (1)
    • First Time Offshoring?
  • March (3)
    • AFCOM Data Center World - Day 2
    • AFCOM Data Center World - Day 1
    • RSA SecurID Breach: Are Your Tokens Safe?
  • February (1)
    • You can outsource the work, but not the responsibility
  • January (3)
    • P3 Cubed: Focus on the Basics Part III
    • P3 Cubed: Focus on the Basics Part II
    • P3 Cubed: Focus on the Basics
• 2010 (19)
  • December (1)
    • The Next Generation of Smartphones in the Enterprise
  • October (1)
    • How to Ensure a Successful Monitoring Implementation
  • September (2)
    • Too Many Requirements; How One VP of IT Handles It
    • The Missing Link
  • August (2)
    • Informationweek Survey of Sun Customers - Demonstrably Worse Service
    • The Death of Information Security
  • July (1)
    • Moving to Larger Mailbox Sizes with Exchange 2010
  • June (3)
    • Top 10 Features in Exchange 2010 for Users
    • Low Risk Support Alternatives for Cisco End of Life Equipment
    • Health Providers Beware of the New HITECH Act
  • May (1)
    • Compliance and Security Go Hand in Hand – How to Achieve Both
  • April (2)
    • A Boston Globe Article Ignites a Password Controversy - Why We Need Them, How to Make Them Effective
    • Reviewing Oracle's Changes - Has the Sun Set on Sun Systems?
  • March (2)
    • New Requirement - New Fire Drill?
    • Why HP is Worried about TPM's
  • February (1)
    • Has the Sun Set on Flexible Support Options?
  • January (3)
    • You Inherited Your Cisco Infrastructure, But Do You Know Why You are Still Buying It?
    • Your Workers are Surfing While Snacking on a Big Mac - Time to Revisit Managing Your End-Point.
    • Ensuring Security in the Virtualized Environment
• 2009 (34)
  • December (1)
    • Monitoring Via the Cloud
  • November (2)
    • Sun Makes More Changes Amid Uncertainty
    • Sky High Cloud Chatter
  • October (2)
    • Improving Vulnerability and Patch Management
    • A Couple Quick and Easy Green IT Steps
  • September (3)
    • Don’t Put off Until Tomorrow…
    • Boston's Missing Email Case Has Many People Asking Questions about Digital Forensics
    • IT Needs Turbo Compliance
  • August (3)
    • Take Full Advantage of System Monitoring
    • Implement, educate and enforce strict Social Media usage policies – in that order
    • Preparing for a Return to Growth? It’s Not Too Soon to Make Process Improvements
  • July (2)
    • Death by A Thousand Processes: Getting Compliance Right Requires a Change in Thinking
    • Wrest Control of Your Data Center Back From the OEM
  • June (3)
    • Getting Ready for Cloud Computing
    • A Letter to Ralph Szygenda, the CIO of General Motors
    • Lax Web Site Security: The Site Owner's Responsibility
  • May (3)
    • The Checklist Approach to IT Security is Failing You
    • Financial Strength of Your Vendors…Show Me the Money!
    • PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption
  • April (4)
    • The Near-Term Impact of Oracle Buying Sun
    • On the Path to the Cloud... Walk Before You Run
    • CIOs Need to Manage Up, Broadcast Successes
    • Consolidate Support Vendors?
  • March (4)
    • A Potential Sun Acquisition - Impact on Service
    • April 14 is Decision Day for Those Running Microsoft Exchange 2003
    • HIPAA Revitalized in 2009 and Beyond
    • Ten Steps for the Mass Data Security Law
  • February (7)
    • Tightening Budgets and Their Impact on IT Security
    • Recent Breaches Remind us to Focus on Security
    • The Training You Need Vs. The Training You Receive
    • Emphasizing Virtualization Security
    • DNS Audits: A Practical Guide
    • Practical Green IT
    • "Practical Use" Fills the Gap Between Idea and Implementation

BLOGS WE LIKE

• CIO - Blogs and Discussion - Best Practices
• InformationWeek’s Global CIO Weblog