Patch Management

Patch management is a critical part of security: attackers routinely exploit vulnerabilities for which a fix is already available, so the interval between a patch's release and its deployment is the window of exposure a program has to shrink.

The need for patch management:

  • An increasing rate of exposure
  • An increasing cost of response
  • Expected results from a good patch management program
    • Reduce the time and expense of patching
    • Decrease the potential for exploitation
    • Reduce the disruption and expense of reacting to incidents
  • Security control SI-2 FLAW REMEDIATION
  • NIST SP 800-40 “Creating a Patch and Vulnerability Management Program”

A Patch and Vulnerability Group:

  • Description
  • Scope
  • Duties
  • Skill groups
    • System and network administration
    • Intrusion detection
    • Vulnerability scanning

Patch and Vulnerability Management Process:

  • Inventory
    • Law and mandatory standards – FISMA, FIPS 199, FIPS 200
    • NIST guidance
      • Documents – 800-18, 800-30, 800-39, 800-40, 800-53, 800-100
      • Security controls – CM-2/6/8, PE-16, RA-5, SI-2
    • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
      • System name
      • Property number
      • Owner (primary user)
      • System administrator
      • Physical location
      • Network port
      • Software configuration
      • Hardware configuration
  • Monitor
    • Types of concerns to monitor
      • Threats
      • Vulnerabilities
      • Remediations (patch, adjust configuration, remove)
    • Vendor information (web sites, email lists)
    • Third party information (web sites, databases, forums, email lists)
    • Scanning tools
    • Patch management tools
  • Prioritize by significance of the threat, existence of malware or exploit code in the wild, and the patching risk (the chance that the patch itself breaks the system or dependent applications)
  • Create a remediation database
  • Testing
    • Authenticate the patch – verify the vendor's signature or published digest before the patch touches any system, using a digest obtained through a different channel than the patch itself
    • Run a virus scan against the patch
    • Do testing in a non-production environment
    • Evaluate any effects on other patches
    • Evaluate varied configurations the patch may get applied on
    • Monitor the experiences of others in the security community with a patch
    • Reach a decision to deploy the patch
  • Remediation deployment types
    • Installation of a patch
    • Adjustment to a configuration
    • Removal of the component with the vulnerability
  • Distribute information
    • Automated – often performed by patch management software
    • Manual – email, web-based, or portable media
    • Considerations – alternate methods of distribution may be needed if the network has been compromised
  • Verifying remediation
    • Examine configuration settings
    • Vulnerability scanning
    • Network scanning
    • Host scanning
    • Review patch logs
    • Penetration testing
    • See NIST SP 800-42 “Guideline on Network Security Testing”
    • See security control RA-5 VULNERABILITY SCANNING
  • Training
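The inventory, prioritize, remediation-database and verification steps above, as one worked example. This is added code, not part of the page or of NIST SP 800-40; every host, package, version, vulnerability id and score below is constructed for illustration, and the version comparator is a deliberately small stand-in for the platform's own (dpkg --compare-versions, rpmdev-vercmp).

```python
"""Added example (not from the page or NIST SP 800-40): a minimal
remediation database checked against a CM-8 style component inventory.
Every host, package, version and vulnerability id below is constructed
for illustration."""
import re
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Split "1.9.13p5" into comparable pieces so 1.9.13p5 < 1.9.15 and
    3.0.14 > 3.0.9. Numeric runs compare numerically, alphabetic runs as
    strings. Good enough for the demo; production code should use the
    platform's own comparator (dpkg --compare-versions, rpmdev-vercmp)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


@dataclass
class Remediation:
    vuln_id: str           # tracking id (constructed, not a real CVE)
    package: str           # affected component
    fixed_version: str     # first version containing the fix ("" for remove)
    severity: int          # 1 (low) .. 4 (critical)
    malware_seen: bool     # exploit or malware observed in the wild
    patching_risk: int     # 1 (routine) .. 4 (likely to break dependents)
    action: str = "patch"  # patch | configure | remove


@dataclass
class Asset:
    """One CM-8 inventory record; software maps package -> installed version."""
    system_name: str
    property_number: str
    owner: str
    sysadmin: str
    location: str
    network_port: str
    hardware: str
    software: dict = field(default_factory=dict)


def is_vulnerable(asset: Asset, rem: Remediation) -> bool:
    installed = asset.software.get(rem.package)
    if installed is None:
        return False
    if rem.action == "remove":          # component must not be present at all
        return True
    return parse_version(installed) < parse_version(rem.fixed_version)


def priority_key(rem: Remediation) -> tuple:
    """Order per the page: active malware first, then threat significance,
    then the least risky patch first (sort ascending on this key)."""
    return (not rem.malware_seen, -rem.severity, rem.patching_risk)


def outstanding(assets: list, remediations: list) -> list:
    """Verification step: (system, vuln_id) pairs still exposed, most urgent first."""
    hits = [(a.system_name, r.vuln_id, r)
            for r in remediations for a in assets if is_vulnerable(a, r)]
    hits.sort(key=lambda h: (priority_key(h[2]), h[0]))
    return [(name, vid) for name, vid, _ in hits]


# Constructed remediation database and inventory.
REMEDIATIONS = [
    Remediation("VULN-2024-001", "openssl", "3.0.14", 4, True, 2),
    Remediation("VULN-2024-002", "sudo", "1.9.15", 3, False, 1),
    Remediation("VULN-2024-003", "legacy-agent", "", 2, False, 4, action="remove"),
]
ASSETS = [
    Asset("web01", "P-1001", "web team", "alice", "DC1 rack 3", "sw1/12",
          "1U x86", {"openssl": "3.0.9", "sudo": "1.9.15"}),
    Asset("db01", "P-1002", "dba team", "bob", "DC1 rack 4", "sw1/13",
          "2U x86", {"openssl": "3.0.14", "sudo": "1.9.13p5", "legacy-agent": "2.1"}),
    Asset("mail01", "P-1003", "ops", "carol", "DC2 rack 1", "sw2/01",
          "1U x86", {"openssl": "3.0.14", "sudo": "1.9.15"}),
]


def after_patching(assets: list, system_name: str, package: str, version: str) -> list:
    """Simulate a rescan after deployment: update the inventory, then re-verify."""
    for a in assets:
        if a.system_name == system_name:
            a.software[package] = version
    return outstanding(assets, REMEDIATIONS)


if __name__ == "__main__":
    for name, vid in outstanding(ASSETS, REMEDIATIONS):
        print(f"{name}: {vid} outstanding")
    print("after patching web01:", after_patching(ASSETS, "web01", "openssl", "3.0.14"))
```

The verification step is the same check run again after deployment against a fresh inventory, which is why the inventory and the remediation database are kept as separate records: a patch is "done" only when the rescan no longer lists the host.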

Metrics

  • Guidance
    • NIST SP 800-55 “Security Metrics Guide”
    • NIST SP 800-40 “Creating a Patch and Vulnerability Management Program”
  • Types of metrics
    • Susceptibility to attack
    • Mitigation response time
    • Cost
  • Metrics process
    • Targeting toward maturity
    • Metrics table
    • Document and standardize
    • Performance targets – cost effectiveness
    • Program implementation
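The three metric types above, computed from a constructed remediation log. This is an added example, not code from the page, from NIST SP 800-40 or from SP 800-55; the log entries, the per-severity performance targets and the reference date are assumptions chosen so that one critical patch meets its target and one misses it.

```python
"""Added example (not from the page, NIST SP 800-40 or SP 800-55): the
three metric types (susceptibility, response time, cost) computed from a
constructed remediation log."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class RemediationRecord:
    vuln_id: str              # constructed tracking id
    severity: int             # 1 (low) .. 4 (critical)
    disclosed: date           # vendor or third-party advisory date
    deployed: Optional[date]  # None while the fix is still outstanding
    hosts: int                # systems affected per the inventory
    labor_hours: float        # effort logged for testing and deployment


# Constructed log; the two severity-4 entries are one target hit, one miss.
LOG = [
    RemediationRecord("VULN-2024-001", 4, date(2024, 3, 1), date(2024, 3, 4), 12, 6.0),
    RemediationRecord("VULN-2024-002", 3, date(2024, 3, 10), date(2024, 3, 24), 40, 10.0),
    RemediationRecord("VULN-2024-003", 2, date(2024, 4, 1), None, 5, 0.0),
    RemediationRecord("VULN-2024-004", 4, date(2024, 4, 2), date(2024, 4, 11), 12, 8.0),
]

# Assumed performance targets: days allowed from disclosure to deployment.
TARGET_DAYS = {4: 7, 3: 30, 2: 90, 1: 180}
AS_OF = date(2024, 4, 15)  # reference date for the exposure metric


def response_time_by_severity(log) -> dict:
    """Mitigation response time: mean days from disclosure to deployment."""
    buckets = {}
    for r in log:
        if r.deployed is not None:
            buckets.setdefault(r.severity, []).append((r.deployed - r.disclosed).days)
    return {sev: sum(d) / len(d) for sev, d in buckets.items()}


def target_compliance(log) -> float:
    """Fraction of deployed fixes that met their severity's target."""
    done = [r for r in log if r.deployed is not None]
    met = sum(1 for r in done if (r.deployed - r.disclosed).days <= TARGET_DAYS[r.severity])
    return met / len(done) if done else 1.0


def exposure(log, as_of: date) -> tuple:
    """Susceptibility to attack: open vulnerability/host pairs and the
    host-days of exposure they have accumulated as of the reference date."""
    pairs = host_days = 0
    for r in log:
        if r.deployed is None:
            pairs += r.hosts
            host_days += r.hosts * (as_of - r.disclosed).days
    return pairs, host_days


def cost_per_deployment(log, hourly_rate: float = 1.0) -> float:
    """Cost: labor per deployed remediation, scaled by a loaded hourly rate."""
    done = [r for r in log if r.deployed is not None]
    return sum(r.labor_hours for r in done) * hourly_rate / len(done) if done else 0.0


if __name__ == "__main__":
    print("response time (days) by severity:", response_time_by_severity(LOG))
    print("target compliance:", round(target_compliance(LOG), 2))
    print("open pairs, host-days:", exposure(LOG, AS_OF))
    print("labor hours per deployment:", cost_per_deployment(LOG))
```

Host-days (hosts multiplied by days open) is a more honest susceptibility figure than a bare count of open vulnerabilities, because a single unpatched flaw left for a quarter on forty hosts is a larger exposure than five flaws closed in a week.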

Management Issues

  • Agent-based vs agentless patch management software
  • Risks
    • Corrupted patch – tampered with in transit or on a mirror, or simply damaged
    • Compromised tool – the patch management system has privileged reach to every host, which makes it a high-value target
    • Countermeasures – verify vendor signatures or digests before deployment, harden and monitor the patch server, and restrict who can push to it
  • Whether to combine the inventory process and the patch management process
  • Whether to combine the vulnerability scanning process and the patch management process
  • Deployment issues
  • Reduce the need for patching through smart purchasing
  • Establish standard configurations
  • Patching after a compromise can be problematic – the patch closes the original hole but does not remove backdoors, added accounts or altered binaries the attacker left behind, so a compromised host generally needs to be rebuilt from known-good media before it is patched and returned to service
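The "authenticate the patch" testing step and the corrupted-patch and compromised-tool risks above, as one worked example of the countermeasure: parsing a vendor digest list in the sha256sum(1) format and refusing to stage a patch whose digest does not match. This is added code, not the page's or NIST's; the patch bytes and the digest list are constructed (the digest is computed from the constructed "good" patch, standing in for a value the vendor would publish), and in practice the digest list must arrive through a different channel than the patch and be signature-checked itself, which this example does not do.

```python
"""Added example (not from the page or NIST SP 800-40): authenticating a
patch against a vendor digest list before it is tested or staged. The
patch bytes and the SHA256SUMS text are constructed; a real digest list
comes from a different channel than the patch (the vendor's signed
advisory, not the same mirror) and is itself signature-checked."""
import hashlib
import hmac
import re

_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict:
    """Parse the sha256sum(1) output format: '<hex>  <filename>' per line.
    Malformed lines are rejected rather than skipped, so a truncated or
    tampered digest list cannot silently shrink the set of checked files."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _SUMS_LINE.match(line.strip())
        if not m:
            raise ValueError(f"malformed digest line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_patch(filename: str, data: bytes, sums: dict) -> bool:
    """True only if the file is listed and its SHA-256 matches. compare_digest
    avoids leaking a partial match through timing, which matters when the
    verifier runs as a service an attacker can query."""
    expected = sums.get(filename)
    if expected is None:
        return False                     # unlisted file: never assume good
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def stage_for_testing(filename: str, data: bytes, sums: dict) -> dict:
    """Gate: refuse to hand an unauthenticated patch to the test environment."""
    if not verify_patch(filename, data, sums):
        raise RuntimeError(f"{filename}: digest mismatch or not in vendor list; quarantined")
    return {"file": filename, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed patch content, a tampered copy, and the (constructed) vendor list.
GOOD_PATCH = (b"--- a/ssl.c\n+++ b/ssl.c\n@@ -1 +1 @@\n"
              b"-memcpy(buf, in, n);\n"
              b"+if (n <= sizeof buf) memcpy(buf, in, n);\n")
TAMPERED_PATCH = GOOD_PATCH.replace(b"n <= sizeof buf", b"1")
VENDOR_SHA256SUMS = (
    "# vendor-2024-001 patch bundle (constructed)\n"
    f"{hashlib.sha256(GOOD_PATCH).hexdigest()}  ssl-fix.patch\n"
)

if __name__ == "__main__":
    sums = parse_sha256sums(VENDOR_SHA256SUMS)
    print("good patch verifies:", verify_patch("ssl-fix.patch", GOOD_PATCH, sums))
    print("tampered patch verifies:", verify_patch("ssl-fix.patch", TAMPERED_PATCH, sums))
```

Two design points carry over to a real tool: an unlisted file is a failure, not a pass, and a malformed digest list aborts the run, because an attacker who can edit the list can otherwise remove the line for the file they replaced.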

Resources

Summary

  • Create an inventory database
  • Create a patch and vulnerability group
  • Monitor for vulnerabilities
  • Test patches
  • Deploy patches
  • Document the process
  • Automate the process as much as is practical
  • Verify vulnerabilities and patches
  • Train both network staff and users on issues

KEY NIST DOCS:
800-40 “Creating a Patch and Vulnerability Management Program”
800-55 “Security Metrics Guide”
800-42 “Guideline on Network Security Testing”
