Dynamics of (in)security


Dynamics of (in)security
ReBIT Operational Excellence Webinar Series: Patch Management
ReBIT in collaboration with Sequretek & Kotak Bank
http://webinar.rebit.org.in
Webinar support from Cisco

Speakers
- Anand Naik, Co-CEO of Sequretek: Patch and Vulnerability Management Best Practice
- Ninad Chavan, Information Security Governance, Kotak: Case Study at Kotak
- Agnelo D'souza, CISO, Kotak: Case Study at Kotak
- Moderator: Vivek Srivastav, SVP-R&I, ReBIT

Agenda:
- ReBIT's Industry Initiatives
- Stats on Patching
- Security Vocabulary
- Patch and Vulnerability Management Best Practices
- Case Study at Kotak Bank
- Q/A Session

ReBIT’s Industry Initiatives Securing the Financial Sector

ReBIT's Facilitator Role
- Business Leaders' Forum
- Industry Stakeholders
- Research Institutions
- Community Leadership: Working Groups (WG)
- Operational Excellence

ReBIT's Industry Initiatives
- Cybersecurity Assessment Tools
- VAPT Accreditation Body
- Auditing and Monitoring Tools
- Regulatory Technologies & Reporting
- Operational Excellence Webinar (monthly): industry initiatives to improve cybersecurity postures
  - DMARC Webinar, with PayPal & ICICI Bank, May 11th
  - Patch Management: Dynamics of (in)security, July 4th
  - Upcoming: FIDO, DNSSEC & DNS Governance, IR
- Cybersecurity Awareness Campaign
- Business Leaders' Forum
- Cybersecurity Assessment Framework WG
- Auditing and Monitoring
- Cybersecurity Maturity Model WG: a 6-month effort, kicked off in February, ongoing industry initiative to define a uniform yardstick to assess a firm's cybersecurity maturity, benchmark it and help create an evolution roadmap

Vulnerability and Patch Management Some statistics

Patching Vulnerability
Recent incidents of Petya/NotPetya and WannaCry underscore the importance of patch management.
77% of the total vulnerabilities are because of either poor patching or poor configuration (Edgescan 2016 Stats Report).
Examples:
- Heartbleed: http://heartbleed.com
- Shellshock: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
- LogJam: https://en.wikipedia.org/wiki/Logjam_(computer_security)

How fast are we fixing vulnerabilities?
The vulnerabilities discovered are a result of providing "full-stack" continuous vulnerability management to a wide range of client verticals: from small businesses to global enterprises, from telecoms and media companies to software development, gaming, energy and medical organisations. The statistics are based on the continuous security assessment and management of over 57,000 systems distributed globally. Source: Edgescan 2016 Stats Report.

Median number of days for vulnerability exploit
Source: Recorded Future, Week to Weak: The Weaponization of Cyber Vulnerabilities, 2014

Security Vocabulary: Talk about security like a pro
Source attribution: Cisco

Vulnerability
"What do you mean, vulnerable? It works the way I designed it to!"

Vulnerability: a weakness, design or coding error, or lack of protection in a product that enables an attack. Examples:
- Lack of protection against code injection
- Mishandling of unexpected conditions
- Insufficient enforcement of authentication and authorization

A product that has safeguards in place against a given threat is secured only against that specific threat. A vulnerability is any weakness or absence of protection that may be exploited to bypass the product's security. For example, a vulnerability could come from the way the product handles a threat that was never identified, and for which the product therefore has no safeguards. Vulnerabilities exist for many reasons: in some cases the threat was never identified, so the product could not be designed with a countermeasure against it; in other cases the product was not thoroughly tested or did not go through a secure development and design process, so it does not implement robust security even against known threats.
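The three vulnerability classes listed on the slide, each shown as a weak implementation beside a hardened one. This is an added example, not code from the webinar or from Cisco's vocabulary slides; the in-memory accounts table, the owner names, balances and the injected input are constructed for illustration.

```python
# Added example (not from the webinar): each of the three vulnerability classes named
# on the slide, as a weak implementation beside a hardened one. The accounts table,
# owners, balances and inputs are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a bank's accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "bob", 900), (3, "carol", 120)])
    return db


# 1. Lack of protection against code injection --------------------------------
def find_by_owner_vulnerable(db: sqlite3.Connection, owner: str) -> list:
    # Untrusted input is spliced into the SQL text, so an owner value such as
    # "x' OR '1'='1" rewrites the WHERE clause and returns every row.
    return db.execute(
        f"SELECT id, owner FROM accounts WHERE owner = '{owner}'").fetchall()


def find_by_owner_hardened(db: sqlite3.Connection, owner: str) -> list:
    # Parameterised query: the value is bound as data and cannot become SQL.
    return db.execute(
        "SELECT id, owner FROM accounts WHERE owner = ?", (owner,)).fetchall()


# 2. Mishandling of unexpected conditions ------------------------------------
def transfer_vulnerable(db: sqlite3.Connection, src: int, dst: int, amount: int) -> None:
    # No validation: a negative amount moves money from dst to src, and an
    # unknown account id is silently ignored (the UPDATE matches zero rows).
    db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))


def transfer_hardened(db: sqlite3.Connection, src: int, dst: int, amount: int) -> None:
    # Reject every input the happy path did not anticipate before touching state.
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    if src == dst:
        raise ValueError("source and destination must differ")
    row = db.execute("SELECT balance FROM accounts WHERE id = ?", (src,)).fetchone()
    dst_row = db.execute("SELECT 1 FROM accounts WHERE id = ?", (dst,)).fetchone()
    if row is None or dst_row is None:
        raise ValueError("unknown account")
    if row[0] < amount:
        raise ValueError("insufficient funds")
    with db:  # both updates commit together or not at all
        db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))


# 3. Insufficient enforcement of authorization --------------------------------
def read_balance_vulnerable(db: sqlite3.Connection, caller: str, account_id: int) -> int:
    # The caller is authenticated, but nothing checks that the account is theirs:
    # any user can read any balance by guessing an id.
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()[0]


def read_balance_hardened(db: sqlite3.Connection, caller: str, account_id: int) -> int:
    # Ownership is part of the lookup; a non-owner gets the same answer as a missing id.
    row = db.execute("SELECT balance FROM accounts WHERE id = ? AND owner = ?",
                     (account_id, caller)).fetchone()
    if row is None:
        raise PermissionError("not the account owner")
    return row[0]
```

Each hardened function fails closed: bad input is rejected at the boundary before any state changes, and the authorization check is folded into the query so there is no code path that fetches a row first and checks ownership later.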

Threats
Threat: a potential danger that could cause harm to information or a system.
Threat agent: an entity that can realize a threat, typically by exploiting a vulnerability in the product.

A threat is an event that could cause harm to a system or the information contained in it. Threats can come from multiple sources, including physical events, logical problems in software, and human actions.

Exploit, attack and attack vector
"Exploits and attacks go hand in hand..."
Exploit: a practical method to take advantage of a specific vulnerability.
Attack: the use of an exploit against an actual vulnerability.
Attack vector: the path or means by which an exploit is delivered to its target.
Zero-day attack: an attack that exploits a previously unknown vulnerability for which there is not yet a defense.

An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious code. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. An exploit is a process or program that takes advantage of a vulnerability to compromise a system. A physical analogy is the vulnerability of locks to being picked: locks are designed in a predictable way, and a set of lockpicking tools along with the knowledge of how to use them is an exploit against a lock. Exploits in the computer world behave in a similar way. If a piece of code predictably provides a way for an unauthorized user to gain access to a system, that access method and the information on how to use it represent a predictable and repeatable danger to the system. Any time such an exploit is used, the incident is known as an attack.

A zero-day attack is an attack or threat that exploits a previously unknown vulnerability, meaning that the attack occurs on "day zero" of awareness of the vulnerability: the developers have had zero days to address and patch it. Zero-day exploits (the actual software that uses the security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

Exposure
"Close calls still count!"
Exposure:
- the probability and severity of an attack using a specific exploit
- the time between the announcement of a vulnerability and a suitable patch
- any information leak that facilitates an attack

Whether or not an attack is successful, an exposure has still occurred. When an exploit is used to take advantage of a vulnerability and launch an attack against a product, that incident is known as an exposure. The fortunate goose in the slide's picture escaped the alligator's snapping teeth, but he had an extremely close call. The potential harm to the goose if he had flown a little lower and not managed to escape is known as the exposure factor: in business terms, the potential percentage of loss to an asset if a threat is realized.
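The second sense of exposure above, the window between a vulnerability's announcement and a deployed patch, is what the "how fast are we fixing vulnerabilities" and "median days to exploit" statistics earlier in the deck measure. The following added example (not from the webinar, ReBIT, Sequretek or Kotak) computes that window per asset from patch-management records and rolls it up the way a dashboard would. The assets, vulnerability labels (VULN-A and so on), dates and the SLA table are all constructed for illustration; the SLA figures are an assumed policy, not one the webinar states.

```python
# Added example (not from the webinar): measuring the exposure window between a
# vulnerability's disclosure, the vendor patch, and the patch actually landing on an
# asset. Assets, VULN-* labels, dates and the SLA table are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Assumed remediation SLA: days allowed from patch availability to deployment, by
# severity. Illustrative policy, not one the webinar states.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    vuln: str
    severity: str
    disclosed: date                         # vulnerability publicly announced
    patch_available: date                   # vendor fix released
    exploit_public: Optional[date] = None   # working exploit publicly available
    patched_on: Optional[date] = None       # fix deployed on this asset (None = still open)


@dataclass
class Exposure:
    asset: str
    vuln: str
    vendor_window: int               # days with no fix available (disclosure -> patch)
    org_window: int                  # days the fix existed but was not deployed here
    still_open: bool
    weaponised_while_exposed: bool   # an exploit was public before the asset was patched
    sla_breached: bool


def assess(f: Finding, as_of: date) -> Exposure:
    end = f.patched_on or as_of          # exposure runs until the patch lands, or until today
    vendor_window = max(0, (f.patch_available - f.disclosed).days)
    org_window = max(0, (end - f.patch_available).days)
    weaponised = f.exploit_public is not None and f.exploit_public < end
    return Exposure(f.asset, f.vuln, vendor_window, org_window,
                    f.patched_on is None, weaponised,
                    org_window > SLA_DAYS[f.severity])


def summarise(findings: List[Finding], as_of: date) -> dict:
    """Roll-up of the kind a patch-management dashboard would show."""
    exposures = [assess(f, as_of) for f in findings]
    closed = [e.org_window for e in exposures if not e.still_open]
    return {
        "open": sum(e.still_open for e in exposures),
        "sla_breached": sum(e.sla_breached for e in exposures),
        "weaponised_while_exposed": sum(e.weaponised_while_exposed for e in exposures),
        "median_days_to_patch": median(closed) if closed else None,
        "worst": max(exposures, key=lambda e: e.org_window).asset,
    }


# Constructed sample records (dates and labels are made up).
AS_OF = date(2017, 4, 1)
SAMPLE = [
    Finding("web-01", "VULN-A", "critical", date(2017, 1, 10), date(2017, 1, 10),
            exploit_public=date(2017, 2, 1), patched_on=date(2017, 3, 1)),
    Finding("db-02", "VULN-B", "high", date(2017, 2, 1), date(2017, 2, 15),
            patched_on=date(2017, 2, 28)),
    Finding("app-03", "VULN-C", "medium", date(2017, 3, 1), date(2017, 3, 5),
            exploit_public=date(2017, 3, 20)),
    Finding("app-04", "VULN-D", "critical", date(2017, 3, 1), date(2017, 3, 3),
            patched_on=date(2017, 3, 6)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(assess(f, AS_OF))
    print(summarise(SAMPLE, AS_OF))
```

The split into a vendor window and an organisation window matters in practice: the first is outside your control and is what zero-day figures describe, the second is the part patch management owns, and the `weaponised_while_exposed` flag is the case the Recorded Future "week to weak" statistic warns about, where a public exploit overlaps the organisation's own window.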

Mitigation
Mitigation: a strategy for reducing or eliminating the severity of a security issue. A few examples:
- Reduction in attack surface
- Security education and training
- Defensive coding
- Secure code review
- PI (Platform Independent) code
- Run-time defenses
- Security features (encryption, packet filtering, logging)

When designing a product it is important to identify the potential threats to the product's security and implement protections to reduce or mitigate the risk from those threats. These protections are commonly known as countermeasures or safeguards. A countermeasure can be an action, device, or procedure that reduces, eliminates, or prevents harm from an attack, or discovers and reports on an attack after the fact. In short, a countermeasure is the deployment of a set of security services, including but not limited to the ones listed here, designed to protect against a specific threat.

Countermeasures can be network, host, or application based. For example, a company might want to implement countermeasures against a network information-gathering attack meant to find out what kind of hosts are on its network. It could configure its routers to restrict their responses to footprinting requests, and configure the operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports. If that same company wanted to protect its individual hosts against viruses and inappropriate logons, it would make sure the hosts had all current security patches for the operating system, would likely install antivirus and firewall software, and would establish and enforce a security policy requiring that all user passwords be changed regularly.

Application-level countermeasures are commonly implemented during the design phase of a product and will be covered most frequently in the Security Ninja courses. These include things like secure software development, robust vulnerability mapping and testing. We will cover more on application countermeasures later in this presentation.
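The host-level countermeasure described above, disabling unused protocols and unnecessary ports, is only as good as the check that finds what is actually listening. The following added example (not from the webinar or from Cisco's material) parses `ss -tlnp`-style output and compares every listener against an allow-list that also says whether a service may bind all interfaces or loopback only. The captured output and the allow-list policy are constructed for illustration.

```python
# Added example (not from the webinar): the "disable unused protocols and unnecessary
# ports" countermeasure as a check, parsing `ss -tlnp`-style output and comparing each
# listener against an allow-list. The sample output and the policy are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `ss -tlnp` output from a Linux host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=990,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1204,fd=5))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1500,fd=6))
LISTEN  0       50      *:3306               *:*                users:(("mysqld",pid=1400,fd=21))
"""

# Assumed policy: port -> "any" (may listen on all interfaces) or "loopback" (local
# clients only). Any port not listed is an unexpected listener.
ALLOWLIST: Dict[int, str] = {22: "any", 80: "any", 5432: "loopback", 6379: "loopback"}

PROC_RE = re.compile(r'\("([^"]+)"')   # pulls the process name out of users:(("name",pid=...))


@dataclass
class Listener:
    address: str
    port: int
    process: str

    @property
    def on_loopback(self) -> bool:
        return self.address == "::1" or self.address.startswith("127.")


def parse_ss(text: str) -> List[Listener]:
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                       # header line or a non-listening socket
        addr, port = fields[3].rsplit(":", 1)   # rsplit: IPv6 addresses contain colons
        addr = addr.strip("[]")
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners: List[Listener], allow: Dict[int, str]) -> List[str]:
    """Return one finding per listener that violates the allow-list."""
    findings = []
    for sock in listeners:
        scope = allow.get(sock.port)
        if scope is None:
            findings.append(f"{sock.process} listens on {sock.address}:{sock.port}: "
                            "not in allow-list, disable or justify")
        elif scope == "loopback" and not sock.on_loopback:
            findings.append(f"{sock.process} listens on {sock.address}:{sock.port}: "
                            "should bind loopback only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS), ALLOWLIST):
        print(finding)
```

Run periodically against real `ss -tlnp` output, the same check turns "reduce the attack surface" from a design-time intention into a drift detector: a listener that was not there at baseline shows up as a finding rather than as a surprise in a pentest report.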

Vulnerability and Patch Management as mitigation
Mitigation: a strategy for reducing or eliminating the severity of a security issue. And the most important one: vulnerability and patch management.

Patch Management Best Practices Deep Dive

ReBIT Operational Excellence Webinar Series: Patch Management - Dynamics of (in)security
Visit http://webinar.rebit.org.in for future webinars and events.