Patch Management Best Practices

Presentation transcript:

Patch Management Best Practices. Steve Thamasett, CISSP, MCSE, NSA IAM. November 7, 2003

Agenda. Current Patch Management Situation: State of connected devices / users; Spread rate for Code Red. Business Drivers and Challenges: Lost revenue due to downtime. The INS Solution: Process based Patch Management Service. Features & Benefits: Phase by phase descriptions. Case Study.

Current Situation: Industry Security. 14B devices on the Internet by 2010 [1]; 35M remote users by 2005 [2]; 65% increase in Web sites [3]; 90% detected security breaches [4]; 85% detected computer viruses [4]; 95% of all breaches avoidable with an alternative configuration [5].
Sources: [1] Forrester Research; [2] Information Week, 26 November 2001; [3] Netcraft summary; [4] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [5] CERT, 2002.

Code Red Virus Infection: July 19, 2001 00:00 – 159 hosts infected

Code Red Virus Infection: 12 hours later – 4,920 hosts infected

Code Red Virus Infection: 12 hours later (24 total) – 341,015 hosts infected. January 2003, SQL Slammer worm: same spread in TEN MINUTES.

Business Drivers: New vulnerabilities released daily; Widespread publicity leads to releases of exploits; Vendors must provide quick turnaround on patches.

Business Challenges: Internet facing systems typically patched first. Two fundamental past assumptions: (1) The threat of attack from insiders is less likely and more tolerable than the threat of attack from outsiders. (2) A high degree of technical skill is required to successfully exploit vulnerabilities, making the probability of attack unlikely. Threat profile and potential risks have increased. Viruses can now be delivered through common entry points, automatically executed, and then search for exploitable vulnerabilities on other platforms.

Our Business-Centric Approach: Patch Management is a Process, not a Tool. Links Business Imperatives to Network Solutions; Quantify value of new initiatives; Optimize existing infrastructure; Identify best-of-breed solutions; Employ proven best practices and methodologies; Collaborative infrastructure and culture to multiply consultant value; Knowledge transfer for sustainable results; Formal quality program from initiation to close-out.

The INS Solution: Patch Management Service. Facilitate and establish a patch management process; Plan and design a comprehensive patch management process; Assist in the implementation of the process.

Patch Management - Features: Network Device and Host Inventory. Determines your organization’s network and host inventory. A clear understanding of the devices and hosts within the organization’s infrastructure must be defined and inventoried.

Patch Management - Features: Network Device and Host Assessment. Maps your IT infrastructure to the patch management process. Suggested patch management solutions based upon findings.

Patch Management - Features: Patch Monitoring and Discovery. Builds the procedures for monitoring patches as they are released. Includes monitoring of all appropriate security intelligence sources required to identify any exposures or vulnerabilities that may impact the organization.

Patch Management - Features: Patch Evaluation. Investigate, evaluate and test patches in accordance with business objectives, security and IT operational goals. Generation of a formal plan and documentation to govern the testing based on the type of system and vulnerability.

Patch Management - Features: Patch Implementation. Develop tools and templates to integrate with your change management policy. Develop the standard Security Advisory template. Develop the procedures for the patch to go from testing to implementation, including updating standard builds as needed.

Patch Management - Features: Patch Maintenance. Develop tracking and reporting mechanisms; Develop security awareness processes.

Patch Management – INS Expertise: Strength of Security, Operating Systems, and Network and Systems Management consulting expertise. Successful track record. INS has the expertise and business-focused methodology to identify and quantify operational risk, engineer the right management and delivery process, and align quantifiable results to our customers’ business goals.

Patch Management - Benefits: Proactively identify and remediate IT security vulnerabilities; Focuses IT and security on the right set of problems to address; Improved service performance and availability by optimizing business and systems processes; Adds value to ongoing business initiatives, business continuity, reducing operating costs, and security mandates.

Patch Management - Deliverables: Executive summary report; A patch management process; Recommendations and a plan for implementing a patch management process; Plan for maintaining the patch management process lifecycle; Client Engagement Book; Knowledge transfer.

CS: Patch Management. Government contractor in healthcare space; DITSCAP and HIPAA concerns. Server / Workstation profile: One primary datacenter (~50 Wintel servers); 25-30 remote locations (1-3 Wintel servers each); ~1000 seats total (Wintel platform). Requirements: Server / workstation hardening; Process for maintaining secure environment; DoD oversight for security; Periodic network and system scans; Review of process and procedures.

CS: Patch Management. Discovery Phase. Assessment Phase: Network scans using ISS; System scans with HFNetChk / MBSA. Assessment Phase: System scans with SRR scanner; Issues with “vendor provided” systems. Patch Monitoring / Evaluation Phase: Development of regular list monitoring; Developed lab for testing. Patch Implementation Phase: Change management process; Patch evaluation and deployment process.

The INS Advantage: Customer-centric, business-driven approach. Our primary approach is to relate technology strategies to business objectives. We employ our highly documented Business Value Justification (BVJ) methodology throughout each engagement to ensure that measurable business value is delivered in terms of increased productivity, cost avoidance, asset protection, and business enablement. Our team works side-by-side with our customer’s team to develop tailored solutions that meet their objectives. We focus on knowledge transfer to ensure that your staff becomes self-sufficient quickly.

The INS Difference. Vendor independence: Optimal solutions to build, manage, and secure your network. Business-centric focus: Link business imperatives to network solutions. Experience: 15,000+ engagements. Expertise: 1,200 certifications in 96 categories. Mature support systems: KnowledgeNet; Quality assurance program. Collaborative culture: Engage one, get the “team”.

Thank you. Steve Thamasett, CISSP, MCSE, NSA IAM. Email: steve.thamasett@ins.com. Web: www.ins.com