Patch management: increasingly a facet of effective risk management. Marcus Alldrick, SecureLondon conference, 28 July 2009.


© Lloyd's (patch management SecureLondon 0709 v01)

Slide 2: If the attacker has a greater understanding of its target, then it has the advantage.

Slide 3: Criminal attackers are now driven by monetization cost and profitability.

Slide 4: Patching and other protective measures increase attackers' monetization cost and reduce their profitability.

Slide 5: Trends
- Continued rapid evolution of attack strategies / sophistication
- Web applications increasingly vulnerable and targeted
- Decrease in mass-mailing viruses and worms
- Trojans increasing, notably data-stealing malware: 2007: 52%, 2008: 87%, Q1 2009: 93% (Source: TrendLabs, 2009)
- Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java
- Motivation predominantly illicit economic gain
- More financial investment in vulnerability exploitation due to ROI
- Intellectual property emerging as the target
- Zero-day vulnerabilities increasing
- Difficult education messages to business and customers persist

Slide 6: Trends cont.
- 5,491 vulnerabilities in 2008, a 19% increase on 2007
- High severity vulnerabilities decreased from 4% to 2% in 2008
- Medium vulnerabilities increased from 61% to 67% in % of vulnerabilities classified as easily exploitable (74% in 2007)
- 63% of vulnerabilities affected Web applications (59% in 2007)
- Browser vulnerabilities: Mozilla browsers 99, Internet Explorer 47, Apple Safari 40, Opera 35, Google Chrome 11
- XSS, SQL injection and file include vulnerabilities predominate
- 95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009

Slide 7: Top exploitation: Conficker
Headlines shown from SC Magazine, The Guardian and DarkReading.com, including "Microsoft offers $250,000 bounty for authors of the Conficker worm" (SC Magazine).
"The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created." Thomas Cross, IBM ISS

Slide 8: Top 10 vendors with the most vulnerability disclosures

Ranking  Vendor     Disclosures
1        Microsoft  3.16%
2        Apple      3.04%
3        Sun        2.19%
4        Joomla!    2.07%
5        IBM        2.00%
6        Oracle     1.65%
7        Mozilla    1.43%
8        Drupal     1.42%
9        Cisco      1.23%
10       TYPO3      1.23%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009

Slide 9: Top 10 operating systems with the most vulnerabilities reported

Ranking  Operating system               Disclosures
1        Apple Mac OS X Server          14.3%
1        Apple Mac OS X                 14.3%
3        Linux Kernel                   10.9%
4        Sun Solaris                    7.3%
5        Microsoft Windows XP           5.5%
6        Microsoft Windows 2003 Server  5.2%
7        Microsoft Windows Vista        5.1%
8        Microsoft Windows              %
9        Microsoft Windows              %
10       IBM AIX                        3.7%
Source: X-Force 2008 Trend & Risk Report, IBM, 2009

Slide 10: Recent surveys
- Technology is one of the highest priorities for companies, yet many companies do not know what risks they now face
- 47% of surveyed European companies use vulnerability scanning tools
Source: The Global State of Information Security Survey,
- % of respondents conduct vulnerability scanning at least annually
- Both emerging technology and increasing sophistication of threats seen as less of a barrier last year compared to 2007
- ~70% saw inadequate patch management as a medium/high issue
- Virus & worm attacks, attacks and phishing/pharming dominate
Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009
- Economic distress will exacerbate the situation
- Security seen as a cost and therefore at risk of reduction
- Increased opportunity and incentive for attackers

Slide 11: Main consequences of exploitation

Consequence         Description
Bypass security     Circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation   Manipulation of data used/stored by the host and used by a service or application
Denial of Service   Crash/disrupt a service or system to take down a network
File manipulation   Create, delete, modify, overwrite or read files
Gain access         Obtain local/remote access, including execution of code/commands
Gain privileges     Obtain local privileges
Obtain information  Obtain file and path names, source code, passwords, configuration details, etc.

Slide 12: Reactive remediation
- Malware infection and system failure remain the incident types that require the most staff time to fix
- 7% of infections took man days to recover
- 1% of infections took >100 man days
Source: Information Security Breaches Survey 2008, BERR

Slide 13: Constraints
- Patch overload
- Different builds
- Complexity of patches
- Device connectivity
- Resource constraints
- Testing timescales
- Testing infrastructure
- Application dependency
- Lack of / inadequate asset inventories
- Lack of / inadequate configuration management
- Scheduling / downtime / business impact

Slide 14: Patch management process
1. Identify patch and vulnerability
2. Assess risk of vulnerability
3. Perform impact analysis
4. Test patch
5. Pilot patch
6. Roll out patch
7. Patch rest of devices
8. Review and report

Slide 15: Vulnerability management
- Security alerts: proactive
- Patch management: preventative
- Security incidents: reactive / curative
- Vulnerability assessment: indicative monitoring
(Diagram: Security Alert Management, Patch Management, Incident Management and Vulnerability Assessment shown as the components of Vulnerability Management)

Slide 16: ITIL V3 process summary
- Service Strategy: Business Requirements; IT Policies & Strategies
- Service Design: Service Level Mgmt; Availability Mgmt; Info Security Mgmt
- Service Transition: Change Management; Asset & Config Mgmt
- Service Operation: Event Management; Incident Management; Problem Management
(Diagram: Patch Management shown spanning the service lifecycle stages above)

Slide 17: Key considerations
- Mandate through an agreed patch management strategy and policy
- Senior management buy-in and support essential
- Conflicts between patching and business operations must be resolved
- Schedule patch activity as BAU but allow for emergencies
- Prioritise patches based on risk to the organisation
- Implement standard builds
- Reduce local admin privileges
- Maintain asset inventories / configuration management
- Consider application whitelisting
- Formulate an integrated process and automate wherever possible
- Allocate adequate resource, both management and line
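The process on slide 14 (identify, assess risk, roll out, review and report) and the "prioritise patches based on risk", "schedule as BAU but allow for emergencies" and "maintain asset inventories" points above can be turned into a small scoring loop. The following Python is an added example written for this page; it is not code from the deck or from Lloyd's. The asset inventory, patch feed, scoring weights, SLA windows and patch identifiers are all constructed assumptions for illustration, not a published standard.

```python
"""Risk-based patch prioritisation and reporting over an asset inventory.

Added example for this page: not code from the SecureLondon deck or from
Lloyd's. The inventory, patch feed, scoring weights and SLA windows are
constructed assumptions chosen to illustrate the process, not a standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str            # build identifier from the asset inventory
    criticality: int         # 1 (low) .. 5 (business critical), owner-assigned
    internet_facing: bool
    local_admins: int        # users holding local admin rights on the device


@dataclass(frozen=True)
class Patch:
    patch_id: str            # constructed identifiers, not real advisories
    platform: str
    severity: int            # 1 .. 5, derived from the vendor/CVSS rating
    exploit_public: bool     # zero-day or public exploit code circulating
    client_side: bool        # affects end-user software (browser, reader, plug-in)


# Constructed sample inventory and patch feed (not real data)
INVENTORY = [
    Asset("web-01", "linux", 5, True, 0),
    Asset("db-01", "windows-2003", 5, False, 0),
    Asset("laptop-17", "windows-xp", 2, False, 1),
    Asset("kiosk-03", "windows-xp", 1, False, 0),
]
PATCHES = [
    Patch("P-OS-001", "windows-xp", 5, True, False),
    Patch("P-BROWSER-002", "windows-xp", 3, False, True),
    Patch("P-KERNEL-003", "linux", 4, True, False),
]


def risk_score(asset: Asset, patch: Patch) -> int:
    """Assess the vulnerability's risk to the organisation for one asset.

    Base score is asset criticality x patch severity; a public exploit doubles
    it (the attacker's monetization cost is already low), Internet exposure
    adds a fixed amount, and a client-side flaw on a device whose users hold
    local admin rights adds more (end-user estate matters as much as servers).
    """
    score = asset.criticality * patch.severity
    if patch.exploit_public:
        score *= 2
    if asset.internet_facing:
        score += 5
    if patch.client_side and asset.local_admins > 0:
        score += 3
    return score


def deadline(score: int, today: date) -> date:
    """Map a score onto an SLA: emergency window or the BAU patch cycle."""
    if score >= 40:
        return today + timedelta(days=2)    # emergency change
    if score >= 20:
        return today + timedelta(days=14)   # next scheduled cycle
    return today + timedelta(days=30)       # routine


def plan(inventory, patches, today: date) -> list:
    """Identify which patches apply to which assets, score and rank them."""
    rows = []
    for patch in patches:
        for asset in inventory:
            if asset.platform == patch.platform:
                score = risk_score(asset, patch)
                rows.append({"patch": patch.patch_id, "asset": asset.name,
                             "score": score, "due": deadline(score, today)})
    rows.sort(key=lambda r: (-r["score"], r["patch"], r["asset"]))
    return rows


def report(rows, applied: set, today: date) -> dict:
    """Review and report: coverage per patch, plus overdue and pending work."""
    coverage = {}
    overdue, pending = [], []
    for r in rows:
        done, total = coverage.get(r["patch"], (0, 0))
        key = (r["patch"], r["asset"])
        coverage[r["patch"]] = (done + (key in applied), total + 1)
        if key in applied:
            continue
        (overdue if r["due"] < today else pending).append(key)
    return {"coverage": coverage, "overdue": overdue, "pending": pending}


if __name__ == "__main__":
    today = date(2009, 7, 28)
    for row in plan(INVENTORY, PATCHES, today):
        print(f'{row["score"]:3d}  {row["patch"]:<14} {row["asset"]:<10} due {row["due"]}')
```

Run as a script it prints the ranked plan; `report()` then answers the "review and report" step by showing, per patch, how many applicable assets are done and which assignments are past their deadline. Note that db-01 never appears in the plan because the constructed feed has no patch for its platform: an asset the feed cannot reach is itself a finding for the inventory and configuration management process, not a sign that it is patched.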

Slide 18: To summarise
- Patch management is increasingly business critical given reliance on technology infrastructure
- Should be proactive and preventative, not reactive and curative
- Business impact reduction from a risk perspective should be the key driver
- Key is understanding the motivation, opportunity and risk to the attacker
- Should be viewed as part of a bigger picture, an integrated process
- Supported by defence in depth strategies
- Automated tools are essential, but so are the right people
- Knowledge is power: know your vulnerabilities and where they are
- End user estates increasingly as important as server estates
- Flexibility and agility are crucial
