

Post on 03-Jan-2016


Page 1

Patch Management

By Robert Hawk

Page 2

Driving Factor

If the business decides to utilise Risk Management as a major component driver, then patch management will fall into the scope of the Risk Management strategy.

Page 3

Risk Management Components

Threat Management

Malicious Code Management

Vulnerability Management

Patch Management

Page 4

Components Definition

Definition of Vulnerability (in respect to Risk Management and its sub-components)

An internal weakness or defect that can be exploited to perpetrate harm or damage.

Definition of Management (in respect to Risk Management and its sub-components)

The process of detecting, assessing, and finally mitigating Risk and Risk Sub-Components.

Page 5

Considerations

It is noteworthy that:

1. There is no such thing as bulletproof code.

2. There is no Operating System or Application that will never need to be patched.

3. To mitigate vulnerabilities in any code, the patch for the indicated vulnerability has to be applied to the system, if one is available.

Page 6

Managing Vulnerabilities

Detection:

Usually found by a hacker, a third party lab, or even the code developer.

Make sure the channel by which you receive patch announcements is legitimate.

Page 7

Managing Vulnerabilities

Assessment:

When the code manufacturer releases the patch, it is your responsibility to acquire the patch and assess it, to find out whether your environment requires the patch or not.

Page 8

Managing Vulnerabilities

Some of the logic that you can utilize in your assessment is:

Do we currently use the code that the patch is for?
If you do not have the code installed then do not install the patch.

What is the impact level of the patch? Is it low or critical?
Will you depend on the code manufacturer’s assessment or will you conduct an assessment of your own?

Will the patch have any adverse effects on the environment?
The only way that this can be answered is by testing, testing, testing…

Page 9

Managing Vulnerabilities

Mitigation:

How will the patch be implemented into the environment?

Will you utilize SMS, SUS, or a third party manufacturer’s solution?

How will other systems be dealt with, like AIX, HPUX, Sun Solaris, the Mainframe, and the Cisco switches and routers?

Page 10

The Grand Question…

To patch or not to patch, that is the question?

The whole concept of a network being a “crunchy shell with a soft chewy center”, meaning that the network perimeter is well guarded and the internal network is collapsing and caving in on itself.

Page 11

Consequence of not Patching

The simple fact is:
The patch will safeguard the environment and should be installed, or the patch whacks the environment and cannot be installed.

If you are dealing with the latter, there is a choice that needs to be made: either do not patch the system and risk the vulnerability being exploited and the environment being taken down, or upgrade, recode, or otherwise change the affected system to accept the patch, so as to mitigate the vulnerability.
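
The assessment questions from the Managing Vulnerabilities slide and the choice described above, written out as a triage routine. This is an added example, not part of the original presentation; the patch ids, product names, hosts and ratings are constructed sample data, and the decision labels are hypothetical names.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Patch:
    patch_id: str         # constructed placeholder, not a real bulletin id
    product: str          # the code the patch is for
    vendor_severity: str  # the code manufacturer's impact rating

def assess(patch, installed, own_severity=None, test_result=None):
    """Apply the three assessment questions to one host; return (decision, severity)."""
    # Q1: do we currently use the code that the patch is for?
    if patch.product not in installed:
        return ("skip", None)
    # Q2: impact level, preferring our own assessment over the vendor's
    severity = own_severity or patch.vendor_severity
    # Q3: adverse effects can only be answered by testing
    if test_result is None:
        return ("test-first", severity)
    if test_result == "fail":
        # Patch breaks the environment: accept the risk or change the system
        return ("risk-decision", severity)
    return ("deploy", severity)

def build_plan(patches, inventory, own_ratings, test_results):
    """Return [(host, patch_id, decision, severity)], most severe first."""
    plan = []
    for host, installed in inventory.items():
        for p in patches:
            decision, sev = assess(p, installed,
                                   own_ratings.get(p.patch_id),
                                   test_results.get(p.patch_id))
            if decision != "skip":
                plan.append((host, p.patch_id, decision, sev))
    return sorted(plan, key=lambda r: (SEVERITY_RANK[r[3]], r[0], r[1]))

# Constructed sample data
PATCHES = [Patch("PATCH-A", "webserver", "critical"),
           Patch("PATCH-B", "mailserver", "low"),
           Patch("PATCH-C", "database", "medium")]
INVENTORY = {"web01": {"webserver", "mailserver"},
             "db01": {"database", "webserver"}}
OWN_RATINGS = {"PATCH-C": "critical"}                 # our own assessment
TEST_RESULTS = {"PATCH-A": "pass", "PATCH-C": "fail"}  # PATCH-B untested
```

Rows marked `risk-decision` are the ones that need the choice above: leave the system unpatched and carry the risk, or change the system so it accepts the patch.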

Page 12

Microsoft Specific Environments

For larger environments SMS is the best choice.

There is more granular control and reporting on the outcome of the process.

Page 13

Microsoft Specific Environments

For smaller environments SUS is the best choice.

The “Microsoft Baseline Security Analyser” should be used to audit the success of the process.

Page 14

Microsoft Specific Environments

For multi-site environments either an SMS or SUS hierarchy can be set up to facilitate the control and distribution of patches.

Page 15

Options

It is always possible to utilize a third party patch management utility to facilitate the acquiring, installation and auditing of Patch Management tasks.

Page 16

The End

Questions?