Patch management: increasingly a facet of effective risk management
Marcus Alldrick, SecureLondon conference, 28 July 2009
If the attacker has a greater understanding of its target, then it has the advantage
patch management SecureLondon 0709 v01
Criminal attackers are now driven by monetization cost and profitability
Patching and other protective measures increase attackers’ monetization cost and reduce their profitability
Trends
• Continued rapid evolution of attack strategies / sophistication
• Web applications increasingly vulnerable and targeted
• Decrease in mass-mailing viruses and worms
• Trojans increasing, notably in data-stealing malware
  • Share of malware: 2007: 52%, 2008: 87%, Q1 2009: 93% (Source: TrendLabs, 2009)
• Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java
• Motivation predominantly illicit economic gain
• More financial investment in vulnerability exploitation due to ROI
• Intellectual property emerging as the target
• Zero-day vulnerabilities increasing
• Difficult education messages to business and customers persist
Trends cont.
• 5,491 vulnerabilities in 2008, a 19% increase on 2007
• High-severity vulnerabilities decreased from 4% to 2% in 2008
• Medium-severity vulnerabilities increased from 61% to 67% in 2008
• 80% of vulnerabilities classified as easily exploitable (74% in 2007)
• 63% of vulnerabilities affected Web applications (59% in 2007)
• Browser vulnerabilities:
  • Mozilla browsers: 99
  • Internet Explorer: 47
  • Apple Safari: 40
  • Opera: 35
  • Google Chrome: 11
• XSS, SQL injection and file-include vulnerabilities predominate
• 95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009
Top exploitation: Conficker
(Press coverage shown: SC Magazine, DarkReading.com, The Guardian, www.bbc.co.uk/news)
Headline: "Microsoft offers $250,000 bounty for authors of the Conficker worm" (SC Magazine)
"The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created." Thomas Cross, IBM ISS
Top 10 vendors with the most vulnerability disclosures (chart)
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Top 10 operating systems with the most vulnerabilities reported (chart)
Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Recent surveys
• Technology is one of the highest priorities for companies, yet many companies do not know what risks they now face
• 47% of surveyed European companies use vulnerability scanning tools
Source: The Global State of Information Security Survey, 2008
• 65% of respondents conduct vulnerability scanning at least annually
• Both emerging technology and increasing sophistication of threats seen as less of a barrier last year compared to 2007
• ~70% saw inadequate patch management as a medium/high issue
• Virus & worm attacks, email attacks and phishing/pharming dominate
Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009
• Economic distress will exacerbate the situation
• Security seen as a cost and therefore at risk of reduction
• Increased opportunity and incentive for attackers
Main consequences of exploitation (chart)
Reactive remediation
• Malware infection and system failure remain the incident types that require most staff time to fix
• 7% of infections took 11-50 man-days to recover
• 1% of infections took >100 man-days
Source: Information Security Breaches Survey 2008, BERR
Constraints
• Patch overload
• Different builds
• Complexity of patches
• Device connectivity
• Resource constraints
• Testing timescales
• Testing infrastructure
• Application dependency
• Lack of / inadequate asset inventories
• Lack of / inadequate configuration management
• Scheduling / downtime / business impact
Patch management process (flow)
Identify patch & vuln. → Assess risk of vuln. → Perform impact analysis → Test patch → Pilot patch → Roll out patch → Review and report → Patch rest of devices
Vulnerability management
• Security alerts – proactive
• Patch management – preventative
• Security incidents – reactive / curative
• Vulnerability assessment – indicative monitoring
(Diagram: Vulnerability Management encompasses Security Alert Management, Patch Management, Incident Management and Vulnerability Assessment)
ITIL V3 process summary (diagram)
• Service Strategy: Business Requirements, IT Policies & Strategies
• Service Design: Service Level Mgmt, Availability Mgmt, Info Security Mgmt
• Service Operation: Event Management, Patch Management, Incident Management, Problem Management
• Service Transition: Change Management, Asset & Config Mgmt
Key considerations
• Mandate through an agreed patch management strategy and policy
• Senior management buy-in and support essential
• Conflicts between patching and business operations must be resolved
• Schedule patch activity as BAU but allow for emergencies
• Prioritise patches based on risk to the organisation
• Implement standard builds
• Reduce local admin privileges
• Maintain asset inventories / configuration management
• Consider application whitelisting
• Formulate an integrated process and automate wherever possible
• Allocate adequate resources, both management and line
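The two slides above (the patch management process flow and the key considerations) describe a procedure: link each vulnerability to the asset inventory, rank it by risk to the organisation, then walk the patch through identify, assess, impact analysis, test, pilot, roll-out, review and the remaining estate. The following Python is an added example written for this page, not code from the talk; the scoring weights (severity, exploitability, in-the-wild use, asset criticality, internet exposure), the asset inventory and the vulnerability records are all assumptions constructed to show the idea.

```python
"""Added example: risk-based patch prioritisation plus a tracker for the
patch-management stages on the slide. Scoring weights, inventory and
vulnerability records are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    IDENTIFIED = "identify patch & vuln"
    ASSESSED = "assess risk of vuln"
    IMPACT_ANALYSED = "perform impact analysis"
    TESTED = "test patch"
    PILOTED = "pilot patch"
    ROLLED_OUT = "roll out patch"
    REVIEWED = "review and report"
    COMPLETE = "patch rest of devices"


# Stage order as drawn on the slide; advance() refuses to skip a stage.
WORKFLOW = list(Stage)


@dataclass
class Asset:
    name: str
    internet_facing: bool
    criticality: int        # assumed scale: 1 (low) .. 5 (high) business criticality
    software: frozenset     # products installed on this asset


@dataclass
class Vulnerability:
    vuln_id: str
    software: str
    severity: str           # "high" / "medium" / "low"
    easily_exploitable: bool
    exploited_in_wild: bool


SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights


def affected_assets(vuln, inventory):
    """The asset inventory is what turns a published vulnerability into real exposure."""
    return [a for a in inventory if vuln.software in a.software]


def risk_score(vuln, inventory):
    """Likelihood (severity, exploitability, in-the-wild use) multiplied by
    exposure (criticality of each affected asset, doubled if internet-facing).
    A vulnerability in software nobody in the inventory runs scores zero."""
    assets = affected_assets(vuln, inventory)
    if not assets:
        return 0
    exposure = sum(a.criticality * (2 if a.internet_facing else 1) for a in assets)
    likelihood = SEVERITY_WEIGHT[vuln.severity]
    if vuln.easily_exploitable:
        likelihood += 1
    if vuln.exploited_in_wild:
        likelihood += 2
    return likelihood * exposure


def prioritise(vulns, inventory):
    """Highest organisational risk first; ties keep their input order."""
    return sorted(vulns, key=lambda v: risk_score(v, inventory), reverse=True)


@dataclass
class PatchRecord:
    vuln_id: str
    stage: Stage = Stage.IDENTIFIED
    history: list = field(default_factory=list)

    def advance(self, to):
        """Move exactly one stage forward; skipping test or pilot, or going
        backwards, is rejected so nothing reaches roll-out untested."""
        if WORKFLOW.index(to) != WORKFLOW.index(self.stage) + 1:
            raise ValueError(f"cannot move from {self.stage.name} to {to.name}")
        self.history.append(self.stage)
        self.stage = to
        return self


# Constructed sample inventory and vulnerability feed (not real systems or CVEs).
INVENTORY = [
    Asset("web01", True, 5, frozenset({"apache", "php"})),
    Asset("fin-db", False, 5, frozenset({"oracle"})),
    Asset("desktop-042", False, 2, frozenset({"ie", "flash", "pdfreader"})),
    Asset("desktop-043", False, 2, frozenset({"ie", "flash"})),
]
VULNS = [
    Vulnerability("V-A", "flash", "high", True, True),
    Vulnerability("V-B", "apache", "medium", True, False),
    Vulnerability("V-C", "oracle", "high", False, False),
    Vulnerability("V-D", "solaris", "high", True, True),   # nothing in inventory runs it
]


def prioritised_ids(vulns=VULNS, inventory=INVENTORY):
    return [v.vuln_id for v in prioritise(vulns, inventory)]


if __name__ == "__main__":
    for v in prioritise(VULNS, INVENTORY):
        print(v.vuln_id, risk_score(v, INVENTORY))
    record = PatchRecord("V-B").advance(Stage.ASSESSED).advance(Stage.IMPACT_ANALYSED)
    print(record.stage.value)
```

With these assumed weights the medium-severity web server issue outranks the actively exploited client-side one purely because of the exposure term; the deck's point that end-user estates now matter as much as servers is an argument for tuning the criticality and exposure factors to the organisation rather than for dropping them. The stage tracker is the "schedule as BAU" path; an emergency route would need an explicit, audited exception rather than a silent skip.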
To summarise
• Patch management is increasingly business-critical given reliance on technology infrastructure
• Should be proactive and preventative, not reactive and curative
• Business impact reduction from a risk perspective should be the key driver
• Key is understanding the motivation, opportunity and risk to the attacker
• Should be viewed as part of a bigger picture, an integrated process
• Supported by defence-in-depth strategies
• Automated tools are essential, but so are the right people
• Knowledge is power: know your vulnerabilities and where they are
• End-user estates increasingly as important as server estates
• Flexibility and agility are crucial