Slide 1: Patch management: increasingly a facet of effective risk management
Marcus Alldrick, SecureLondon conference, 28 July 2009
Slide 2
(Slide footer: © Lloyd's | patch management | SecureLondon 0709 v01)
If the attacker has a greater understanding of its target, then it has the advantage.
Slide 3
Criminal attackers are now driven by monetization cost and profitability.
Slide 4
Patching and other protective measures increase attackers' monetization cost and reduce their profitability.
Slide 5: Trends
- Continued rapid evolution of attack strategies / sophistication
- Web applications increasingly vulnerable and targeted
- Decrease in mass-mailing viruses and worms
- Trojans increasing, notably in data-stealing malware: 2007: 52%, 2008: 87%, Q1 2009: 93% (Source: TrendLabs, 2009)
- Multiple threat vectors employed, e.g. PDFs, Flash multimedia, Java
- Motivation predominantly illicit economic gain
- More financial investment in vulnerability exploitation due to ROI
- Intellectual property emerging as the target
- Zero-day vulnerabilities increasing
- Difficult education messages to business and customers persist
Slide 6: Trends cont.
- 5,491 vulnerabilities in 2008, a 19% increase on 2007
- High-severity vulnerabilities decreased from 4% to 2% in 2008
- Medium-severity vulnerabilities increased from 61% to 67% in 2008
- 80% of vulnerabilities classified as easily exploitable (74% in 2007)
- 63% of vulnerabilities affected Web applications (59% in 2007)
- Browser vulnerabilities: Mozilla browsers 99, Internet Explorer 47, Apple Safari 40, Opera 35, Google Chrome 11
- XSS, SQL injection and file include vulnerabilities predominate
- 95% of attacked vulnerabilities were client-side, 5% server-side
Source: Symantec Global Internet Security Threat Report, 2009
Slide 7: Headlines (SC Magazine, The Guardian, DarkReading.com, www.bbc.co.uk/news)
- "The days of people doing this because they're bored are mostly over. We would expect that the person who controls this thing will try to auction off parts of the network that they have created." Thomas Cross, IBM ISS
- Microsoft offers $250,000 bounty for authors of the Conficker worm (SC Magazine)
- Top exploitation: Conficker (SC Magazine)
Slide 8: Top 10 vendors with the most vulnerability disclosures

Ranking  Vendor     Disclosures
1        Microsoft  3.16%
2        Apple      3.04%
3        Sun        2.19%
4        Joomla!    2.07%
5        IBM        2.00%
6        Oracle     1.65%
7        Mozilla    1.43%
8        Drupal     1.42%
9        Cisco      1.23%
10       TYPO3      1.23%

Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Slide 9: Top 10 operating systems with the most vulnerabilities reported

Ranking  Operating system                Disclosures
1        Apple Mac OS X Server           14.3%
1        Apple Mac OS X                  14.3%
3        Linux Kernel                    10.9%
4        Sun Solaris                     7.3%
5        Microsoft Windows XP            5.5%
6        Microsoft Windows 2003 Server   5.2%
7        Microsoft Windows Vista         5.1%
8        Microsoft Windows 2000          4.8%
9        Microsoft Windows 2008          4.1%
10       IBM AIX                         3.7%

Source: X-Force 2008 Trend & Risk Report, IBM, 2009
Slide 10: Recent surveys
- Technology is one of the highest priorities for companies, yet many companies do not know what risks they now face
- 47% of surveyed European companies use vulnerability scanning tools
  Source: The Global State of Information Security Survey, 2008
- 65% of respondents conduct vulnerability scanning at least annually
- Both emerging technology and the increasing sophistication of threats were seen as less of a barrier last year compared to 2007
- ~70% saw inadequate patch management as a medium/high issue
- Virus and worm attacks, email attacks and phishing/pharming dominate
  Source: Protecting what matters, The 6th Annual Global Security Survey, Deloitte, 2009
- Economic distress will exacerbate the situation
- Security is seen as a cost and is therefore at risk of reduction
- Increased opportunity and incentive for attackers
Slide 11: Main consequences of exploitation

Consequence          Description
Bypass security      Circumvention of security measures, e.g. firewall, proxy, IDS/IPS, anti-malware defences
Data manipulation    Manipulation of data used/stored by the host and used by a service or application
Denial of Service    Crash/disrupt a service or system to take down a network
File manipulation    Create, delete, modify, overwrite or read files
Gain access          Obtain local/remote access, including execution of code/commands
Gain privileges      Obtain local privileges
Obtain information   Obtain file and path names, source code, passwords, configuration details, etc.
Slide 12: Reactive remediation
- Malware infection and system failure remain the incident types that require the most staff time to fix
- 7% of infections took 11-50 man-days to recover
- 1% of infections took more than 100 man-days
Source: Information Security Breaches Survey 2008, BERR
Slide 13: Constraints
- Patch overload
- Different builds
- Complexity of patches
- Device connectivity
- Resource constraints
- Testing timescales
- Testing infrastructure
- Application dependency
- Lack of / inadequate asset inventories
- Lack of / inadequate configuration management
- Scheduling / downtime / business impact
Slide 14: Patch management process
1. Identify patch and vulnerability
2. Assess risk of vulnerability
3. Perform impact analysis
4. Test patch
5. Pilot patch
6. Roll out patch
7. Patch rest of devices
8. Review and report
Slide 15: Vulnerability management
- Security alerts: proactive
- Patch management: preventative
- Security incidents: reactive / curative
- Vulnerability assessment: indicative monitoring
Diagram: Security Alert Management, Patch Management, Incident Management and Vulnerability Assessment, grouped under Vulnerability Management.
Slide 16: ITIL V3 process summary (diagram)
- Service Strategy: Business Requirements; IT Policies & Strategies
- Service Design: Service Level Mgmt; Availability Mgmt; Info Security Mgmt
- Service Transition: Change Management; Asset & Config Mgmt
- Service Operation: Event Management; Incident Management; Problem Management
- Patch Management
Slide 17: Key considerations
- Mandate through an agreed patch management strategy and policy
- Senior management buy-in and support essential
- Conflicts between patching and business operations must be resolved
- Schedule patch activity as BAU but allow for emergencies
- Prioritise patches based on risk to the organisation
- Implement standard builds
- Reduce local admin privileges
- Maintain asset inventories / configuration management
- Consider application whitelisting
- Formulate an integrated process and automate wherever possible
- Allocate adequate resource, both management and line
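As an added illustration (not from the slides or from Lloyd's) of the process on slide 14 and the risk-based prioritisation, BAU/emergency split and pilot roll-out on slide 17, the following Python sketch ranks (vulnerability, asset) pairs by risk and sorts them into an emergency stream, a BAU pilot group and the rest. The scoring weights, the vulnerability and asset records and the pilot group are all constructed assumptions, not a real feed or inventory.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Vuln:
    vid: str               # hypothetical label, not a real advisory id
    severity: int          # 1 (low) .. 4 (critical), vendor-style rating
    exploit_public: bool   # working exploit or in-the-wild attacks reported
    client_side: bool      # reached via mail/web content vs. a server service
    products: tuple        # product names the patch applies to
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 .. 3, business impact if compromised
    internet_facing: bool
    products: tuple        # taken from the asset/configuration inventory

def risk_score(v, a):
    """One ordering key: what the attacker gains, times what it costs us."""
    score = v.severity * a.criticality
    if v.exploit_public:
        score *= 2         # exploitation is already cheap for the attacker
    if v.client_side or a.internet_facing:
        score += 2         # directly exposed to the dominant attack vectors
    return score

def prioritise(vulns, assets):
    """Identify + assess: match patches to the inventory, rank pairs by risk."""
    work = [(risk_score(v, a), v.vid, a.name) for v in vulns for a in assets
            if set(v.products) & set(a.products)]
    return sorted(work, key=lambda w: (-w[0], w[1], w[2]))

def plan(vulns, assets, pilot, emergency_threshold=10):
    """Roll-out: emergency stream first, then BAU pilot devices, then the rest."""
    out = {"emergency": [], "bau_pilot": [], "bau_rest": []}
    for score, vid, name in prioritise(vulns, assets):
        if score >= emergency_threshold:
            out["emergency"].append((vid, name))
        elif name in pilot:
            out["bau_pilot"].append((vid, name))
        else:
            out["bau_rest"].append((vid, name))
    return out
# Constructed sample vulnerability feed and asset inventory (not real data).
VULNS = [Vuln("V-A", 4, True, True, ("pdf-reader",)),
         Vuln("V-B", 2, False, False, ("web-app",)),
         Vuln("V-C", 3, False, False, ("db-server",))]
ASSETS = [Asset("laptop-01", 1, False, ("pdf-reader", "browser")),
          Asset("web-02", 2, True, ("web-app",)),
          Asset("web-01", 3, True, ("web-app",)),
          Asset("db-01", 3, False, ("db-server",))]
PILOT = {"laptop-01", "web-02"}   # small, representative pilot group
```

Calling `plan(VULNS, ASSETS, PILOT)` puts the publicly exploited client-side flaw on the laptop into the emergency stream even though the laptop itself is low-criticality, while the server patches follow the scheduled pilot-then-rest route.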
Slide 18: To summarise
- Patch management is increasingly business critical given reliance on technology infrastructure
- It should be proactive and preventative, not reactive and curative
- Business impact reduction from a risk perspective should be the key driver
- Key is understanding the motivation, opportunity and risk to the attacker
- It should be viewed as part of a bigger picture, an integrated process
- Supported by defence-in-depth strategies
- Automated tools are essential, but so are the right people
- Knowledge is power: know your vulnerabilities and where they are
- End-user estates are increasingly as important as server estates
- Flexibility and agility are crucial