A Patch & Vulnerability Management Program Presentation

The document discusses a patch and vulnerability management program which aims to proactively prevent exploitation of vulnerabilities within an organization. It outlines key actions for organizations and a patch vulnerability management group, including creating an inventory, monitoring vulnerabilities, testing remediations, verifying remediation, and using enterprise patching solutions.

Uploaded by Bode George

Patch and Vulnerability Management Program

What is it?
• A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization
• To reduce the time and money spent dealing with vulnerabilities and exploitation of vulnerabilities
• Proactive management of vulnerabilities of systems will reduce or eliminate the potential for exploitation
• Will involve considerably less time and effort than responding after an exploitation has occurred
• Critical challenge: timely patching

Organization Actions
• Organizations should:
  ◦ Create a patch and vulnerability group (PVG) to facilitate the identification and distribution of patches within the organization
  ◦ Use automated patch management tools to expedite the distribution of patches to systems
  ◦ Deploy enterprise patch management tools using a phased approach
  ◦ Assess and mitigate the risks associated with deploying enterprise patch management tools
  ◦ Consider using standardized configurations for IT resources
  ◦ Consistently measure the effectiveness of their patch and vulnerability management program and apply corrective actions as necessary

Patch Vulnerability Management Group Actions
• Key functions
  ◦ Create a system inventory
  ◦ Monitor for vulnerabilities, remediations and threats
  ◦ Create an organization-specific remediation database
  ◦ Conduct generic testing of remediations
  ◦ Perform automated deployment of patches
  ◦ Verify vulnerability remediation through network and host vulnerability scanning

Creating Inventory
• Key problem: granularity: too little or too much?
• No separate inventory is needed (inventories used during asset management or BCP can be reused)
• A sample inventory can keep details of:
  ◦ System name, owner, system administrator, location, network port
  ◦ Software configuration [OS version number, software packages and version numbers, network services, IP address]
  ◦ Hardware configuration [CPU, memory, disk space, Ethernet address, wireless capability, I/O, firmware versions]

Monitoring Vulnerabilities
• Enterprise patch management tool, to obtain all available patches from supported vendors
• Vendor security mailing lists and Web sites, to obtain all available patches from vendors not supported by the enterprise patch management tool
• Vulnerability database or mailing list, to obtain immediate information on all known vulnerabilities and suggested remediations
• Third-party vulnerability mailing lists that highlight the most critical vulnerabilities (e.g., CERT Cyber Security Alerts)

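The inventory fields listed under Creating Inventory are what let a monitored advisory be turned into a list of hosts to patch. The sketch below is an added example, not part of the original presentation; the record layout, host names, package name and advisory identifier are all hypothetical, and version numbers are assumed to be dotted integers.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str           # system name from the inventory
    owner: str
    os_version: str
    packages: dict      # software package -> installed version number

@dataclass
class Remediation:
    advisory_id: str    # placeholder identifier, not a real advisory
    package: str
    fixed_version: str  # first version that contains the fix

def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))

def systems_needing_patch(inventory, remediation):
    """Return (system, owner, installed version) for every host still below the fix."""
    fixed = parse_version(remediation.fixed_version)
    hits = []
    for system in inventory:
        installed = system.packages.get(remediation.package)
        if installed is not None and parse_version(installed) < fixed:
            hits.append((system.name, system.owner, installed))
    return sorted(hits)

# Constructed sample data: hosts, owners, package and advisory are all hypothetical.
INVENTORY = [
    System("web01", "alice", "ExampleOS 9.2", {"exampled": "2.4.9"}),
    System("web02", "bob", "ExampleOS 9.2", {"exampled": "2.4.10"}),
    System("app01", "carol", "ExampleOS 8.7", {"exampled": "2.3.12", "otherpkg": "1.0"}),
    System("db01", "dave", "ExampleOS 9.2", {"otherpkg": "1.1"}),
]
REMEDIATION = Remediation("EXAMPLE-ADV-0001", "exampled", "2.4.10")

if __name__ == "__main__":
    for name, owner, version in systems_needing_patch(INVENTORY, REMEDIATION):
        print(f"{REMEDIATION.advisory_id}: {name} (owner {owner}) runs {version}")
```

Comparing the version strings as text would miss web01, because "2.4.9" sorts after "2.4.10"; re-running the same query after deployment gives the list of hosts where remediation still has to be verified.
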
Testing Remediations
• The downloaded patch should be checked against any of the authenticity methods the vendor provides, including checksums, Pretty Good Privacy (PGP) signatures, and digital certificates
• A virus scan should also be run on all patches before installation
• Patches and configuration modifications should be tested on non-production systems, since remediation can easily produce unintended consequences
• Determine whether other patches are uninstalled when a particular patch is installed
• Test a selection of systems that accurately represent the configuration of the systems in deployment, since so many possible system configurations exist that the vendor cannot possibly test all of them
• Before performing the remediation, and especially if there is a lack of time or resources to perform a test on the patch before employing it on a production system, learn what experiences others have had in installing or using the patch

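The checksum check from the first bullet above, as an added example that is not part of the original presentation. It assumes the vendor publishes a `sha256sum`-style manifest; the file names and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large patch bundles do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def patch_matches_manifest(path, manifest_text):
    """True only if the file is listed in the manifest and its digest matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # fail closed: an unlisted file is never accepted
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed scenario: a good patch, a modified copy, and an unlisted file."""
    payload = b"constructed patch payload\n"
    manifest = f"{hashlib.sha256(payload).hexdigest()}  patch-001.bin\n"
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "patch-001.bin")
        with open(good, "wb") as handle:
            handle.write(payload)
        ok = patch_matches_manifest(good, manifest)
        with open(good, "ab") as handle:
            handle.write(b"extra bytes")  # simulate a modified download
        modified = patch_matches_manifest(good, manifest)
        unlisted = os.path.join(workdir, "patch-002.bin")
        with open(unlisted, "wb") as handle:
            handle.write(payload)
        return ok, modified, patch_matches_manifest(unlisted, manifest)
```

A matching checksum only ties the file to the manifest, so the manifest itself has to come from the vendor over an authenticated channel or carry a signature that is verified separately.
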
Verifying Remediation
• Verify that the files or configuration settings the remediation was intended to correct have been changed as stated in the vendor's documentation
• Scan the host with a vulnerability scanner that is capable of detecting known vulnerabilities
• Verify whether the recommended patches were installed properly by reviewing patch logs
• Employ exploit procedures or code and attempt to exploit the vulnerability (i.e., perform a penetration test)

Enterprise Patching Solutions
• A central computer manages the patching across all the machines.
• Non-agent based: A single computer, using administrative privileges, scans all computers
• Agent based: An agent is installed on each computer. The agent does the following:
  ◦ Either the agent polls a central computer for patches, or the central computer contacts the agent
  ◦ The agent receives instructions from the central computer on which patches to install and how to install them
