1. Host and Application Security Lesson 22: Patch Management

2. On to more managerial things  The two biggest issues for most users are: Configuration  We have secure software, but the host is configured insecurely… example? Patch management  We have insecure software because we are running an old version

3. Versioning  In principle, very simple  Audit the software you have  Keep it all up to date

4. Vulnerability Lifecycle Software Released Vulnerability Found Exploit released Workaround developed Patch developed

5. Not as easy as it sounds  Patching isn’t always benign  Patching needs to be validated  Knowing what you’re running

6. Patching isn’t benign  Ever tried to upgrade a kernel in gentoo?  Better yet, ever tried to upgrade a module in perl in gentoo with a heavily patched kernel?  RIGHT! Patching, even when given a good patch is sometimes lots of work

7. Patching needs to be validated  You’re running software on an Airbus A330  You want to make a change to deal with a vulnerability…  What are the tradeoffs?  How can we validate?

8. Audit  Figuring out what you need to patch isn’t easy either

9. Solution: Autoupdate?  What are the implications? Benefits? Disadvantages?

10. Solution: Patch Tuesday?  Microsoft has a pretty predictable patch schedule Benefits? Disadvantages?

11. Something you can do  Secunia – wonderful piece of software!

12. Scaling issues  Managing a single machine versus managing a LOT of machines…

13. Penguins versus whatever ms-logo is…  There are fundamental differences between open and closed source Oses currently with regard to patching Discuss

14. To Do  Taking your own machine as an example, figure out what software is on it, what version and what version is current. For each thing found that is out of date, what are the vulnerabilities associated with it? Come up with your own plan for managing software on your machine and document it.