Warning: Use of undefined constant add_shortcode - assumed 'add_shortcode' (this will throw an Error in a future version of PHP) in /nfs/c03/h02/mnt/49321/domains/hackingtheuniverse.com/html/wp-content/plugins/stray-quotes/stray_quotes.php on line 615

Warning: Use of undefined constant MSW_WPFM_FILE - assumed 'MSW_WPFM_FILE' (this will throw an Error in a future version of PHP) in /nfs/c03/h02/mnt/49321/domains/hackingtheuniverse.com/html/wp-content/plugins/wordpress-file-monitor/wordpress-file-monitor.php on line 39
Patch Management

Patch Management

Patch Management is a critical part of security.

The need for patch management:

  • An increasing rate of exposure
  • An increasing cost of response
  • Expected results from a good patch management program
    • Reduce the time and expense of patching
    • Decrease the potential for exploitation
    • Reduce the disruption and expense of reacting to incidents
  • Security control SI-2 FLAW REMEDIATION
  • NIST SP 800-40 “Creating a Patch and Vulnerability Management Program”

A Patch and Vulnerability Group:

  • Description
  • Scope
  • Duties
  • Skill groups
    • System and network administration
    • Intrusion detection
    • Vulnerability scanning

Patch and Vulnerability Management Process:

  • Inventory
    • Laws – FISMA, FIPS-199, FIPS-200
    • NIST guidance
      • Documents – 800-18, 800-30, 800-39, 800-40, 800-53, 800-100
      • Security controls – CM-2/6/8, PE-16, RA-5, SI-2
    • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
      • System name
      • Property number
      • Owner (primary user)
      • System administrator
      • Physical location
      • Network port
      • Software configuration
      • Hardware configuration
  • Monitor
    • Types of concerns to monitor
      • Threats
      • Vulnerabilities
      • Remediations (patch, adjust configuration, remove)
    • Vendor information (web sites, email lists)
    • Third party information (web sites, databases, forums, email lists)
    • Scanning tools
    • Patch managment tools
  • Prioritize by significance of the threat, existence of malware and the patching risk
  • Create a remediation database
  • Testing
    • Authenticate the patch
    • Run a virus scan against the patch
    • Do testing in a non-production environment
    • Evaluate any effects on other patches
    • Evaluate varied configurations the patch may get applied on
    • Monitor the experiences of others in the security community with a patch
    • Reach a decision to deploy the patch
  • Remediation deployment types
    • Installation of a patch
    • Adjustment to a configuration
    • Removal of the component with the vulnerability
  • Distribute information
    • Automated – often performed by patch management software
    • Manual – email, web-based, or portable media
    • Considerations – alternate methods of distribution may be needed if the network has been compromised
  • Verifying remediation
    • Examine configuration settings
    • Vulnerability scanning
    • Network scanning
    • Host scanning
    • Review patch logs
    • Penetration testing
    • See NIST SP 800-42 “Network Security Testing”
    • See security control RA-5 VULNERABILITY SCANNING
  • Training

Metrics

  • Guidance
    • NIST SP 800-55 “Security Metrics Guide”
    • NIST SP 800-40 “Creating a Patch and Vulnerability Management Program”
  • Types of metrics
    • Susceptibility to attack
    • Mitigation response time
    • Cost
  • Metrics process
    • Targeting toward maturity
    • Metrics table
    • Document and standardize
    • Performance targets – cost effectiveness
    • Program implementation

Management Issues

  • Agent based software vs non-agent based software
  • Risks
    • Corrupted patch
    • Compromised tool
    • Countermeasures
  • Whether to combine the inventory process and the patch management process
  • Whether to combine the vulnerability scanning process and the patch management process
  • Deployment issues
  • Reduce the need for patching through smart purchasing
  • Establish standard configurations
  • Patching after a compromise can be problematic

Resources

Summary

  • Create an inventory database
  • Create a patch and vulnerability group
  • Monitor for vulnerabilities
  • Test patches
  • Deploy patches
  • Document the process
  • Automate the process as much as is practical
  • Verify vulnerabilites and patches
  • Train both network staff and users on issues

KEY NIST DOCS:
800-40 “Creating a Patch and Vulnerability Management Program”
800-55 “Security Metrics Guide”
800-42 “Network Security Testing”

Leave a Reply

You must be logged in to post a comment.