Monday, April 30, 2012

Patch Management the Easy Way

by Casper Manes on behalf of GFI Software Ltd.

Patching is one of the most critical system admin activities, but it is also one of the most frequently neglected. The stated reasons vary, but usually come down to the lack of two things: a patch management strategy, and an application that makes patching easy. Getting from a bad or non-existent patching strategy to a sound and successful one, like so many other journeys, starts with a single step.

Decide patch management is important
IT needs to patch, but they also have to want to patch. It’s far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, since many exploits take advantage of flaws for which patches already exist. Management needs to patch since patched systems are more stable and reliable, and have better performance against SLAs. Everybody knows patching is important, so all you need is to agree to it, and senior management needs to support that. With senior management’s go-ahead, the rest of the steps are easy.

Implement a patch management solution
That senior management support must include funding for a patch management solution. One of the biggest reasons patching is so painful for many is that they try to do it manually, or with a combination of Windows Server Update Services (WSUS) and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching, and then just check on status when it’s done.

Include third-party applications
Patching operating systems, but not third-party applications, is like locking all the windows and leaving the front door open. Applications are what users interact with, and what processes data submitted from the web, so they must be patched just as diligently as your operating systems. Good patch management solutions can patch third-party apps just as easily as operating systems.

Commit to testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing requires users to run patches on their workstations, and on test versions of your application servers, and to run things through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.

Have a way to roll back
Even with testing it’s possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch.

Assess, log, report and audit
The biggest risk with manual patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, and generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.

Respect the window
Establish a patching window and make sure everyone knows what that is. Make that window one that takes priority over other actions, and set the expectation that the business will have to work around patching, and not vice-versa. Again, you will need senior management support to get this through, but you don’t want to delay critical security patches just because the marketing team wants to update the content of the website.
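The steps above (approve, validate on a test set, push to production, roll back on failure, then audit) can be checked mechanically. The following is an added example, not GFI’s or any vendor’s code: it runs a compliance audit over a constructed inventory in which all host names and patch identifiers are made up, and flags hosts missing a required patch or still carrying a patch that was rolled back.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    ring: str                  # "test" ring gets patches first, then "prod"
    installed: set = field(default_factory=set)

@dataclass
class Patch:
    pid: str                   # constructed identifiers, not real KB numbers
    product: str               # OS or third-party application
    test_passed: bool = False  # evaluated on the test ring before production
    rolled_back: bool = False  # pulled after an issue; must be removed everywhere

def required(patches, ring):
    """Patches a host in this ring should have. The test ring receives every
    approved patch; production only those that passed testing and were not rolled back."""
    return {p.pid for p in patches
            if not p.rolled_back and (ring == "test" or p.test_passed)}

def audit(hosts, patches):
    """Per-host findings: required patches still missing, and rolled-back
    patches still installed (rollback not yet completed)."""
    pulled = {p.pid for p in patches if p.rolled_back}
    return {h.name: {"missing": sorted(required(patches, h.ring) - h.installed),
                     "rollback_pending": sorted(h.installed & pulled)}
            for h in hosts}

def compliant_hosts(report):
    """Hosts with nothing missing and no rollback outstanding."""
    return sorted(n for n, f in report.items()
                  if not f["missing"] and not f["rollback_pending"])

# Constructed sample inventory for the demo (hypothetical names and ids).
PATCHES = [
    Patch("OS-2012-04-A", "Windows", test_passed=True),
    Patch("OS-2012-04-B", "Windows"),                          # still under test
    Patch("APP-BROWSER-17", "Web browser", test_passed=True),  # third-party app
    Patch("APP-PDF-9", "PDF reader", test_passed=True, rolled_back=True),
]
HOSTS = [
    Host("test-ws01", "test", {"OS-2012-04-A", "OS-2012-04-B", "APP-BROWSER-17", "APP-PDF-9"}),
    Host("prod-srv01", "prod", {"OS-2012-04-A", "APP-BROWSER-17"}),
    Host("prod-ws07", "prod", {"OS-2012-04-A"}),              # OS patched, browser not
]

if __name__ == "__main__":
    report = audit(HOSTS, PATCHES)
    for name, findings in report.items():
        print(name, findings)
    print("compliant:", compliant_hosts(report))
```

Feeding this the real inventory export from whatever patch tool you use turns the monthly audit into a repeatable report rather than a spot check.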

Patch with confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows where you are able to patch, proceed with confidence. Patching is a good thing and shouldn’t be a cause of pain or suffering. Leave that for when patches are missed, because it’s a safe bet that if you miss a critical patch, the pain and suffering will come.

If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.

For more on patch management, see Security Patch Management.

Tuesday, April 24, 2012

Tech groups push for cyberthreat information-sharing bill. Great idea. It's worked real well with Federal agencies.

So, now industry wants Congress to legislate what it won't do voluntarily. So far, there's as much trust between companies as there is between government agencies. They're all willing for a one-way exchange. This isn't going to change in government, and it won't in industry. Which reminds me. Didn't Congress legislate sharing between agencies? That's working real well, isn't it.

Monday, April 23, 2012

Mac trojan fallout: Apple security glory days gone?

There are cults in IT. UNIX is one; Macs is another. These cultists fervently believe their OS is superior to others, and, by extension, they're superior to everyone else.

When it comes to vulnerability to attacks, though, UNIX was always an easy target. Macs are so safe and secure. Of course, until recently there weren't many of them, and they weren't in the enterprise, and so they were not as attractive a target as, say, Windows. Now that there are more Macs, making them an attractive target, the myth is starting to explode. Still, zealots being zealots, all's right in their world. Koolaid anyone?

Friday, April 20, 2012

"You can't patch stupid." House committees approve 2 cybersecurity bills

One of the best phrases I've heard lately is, "You can't patch stupid." This speaks to the ongoing threats to security posed by users. Now it appears that Congress again is trying to legislate what can't be fixed by legislation. I think "You can't patch stupid" is more easily applied to Congress.

Thursday, April 19, 2012

PWC Survey: "... majority of executives ... are confident in the effectiveness of their organization’s information security practices."

According to the results of the 2012 Global State of Information Security Survey®, the majority of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices.

Doesn't this fly in the face of fact? With reported breaches on the rise, and fears of fraud, APTs, and supply chain security, among other threats, increasing, why are these executives so confident?

Friday, April 6, 2012

Hurrah! There's a silver bullet for information security

Gene Spafford was supposed to give the Infosecworld opening keynote, but called in sick. He was replaced by Dave Kennedy. He started by restating the obvious, that we're throwing hardware, software, consultants, and ineffective pentesting at the problem and none of it is working. He described some interesting attacks, cloned a Website, discussed some social engineering attacks using information from LinkedIn and Facebook to impersonate an employee, and recounted connecting a device inside a keyboard that generated information to own the system. Then he said effective pentesting is the key to information security, and that the usual pentests are useless. I don't know how much distance there was between him as pentesting evangelist and salesman for his employer Diebold's pentest practice. Kennedy is employed by Diebold and conducts pentests for a living. It sounded as though the only one who conducts pentests correctly is Diebold. (Kennedy's also involved in the Penetration Testing Execution Standard (PTES).)

While it's a reach to think that pentesting is the be-all and end-all of infosec, later in the conference a panel discussion between some enfants terribles made a different claim. After telling the audience that it was stupid and ineffective, they said that the solutions to the problem lie in hiring smart people, thinking outside the box, and reading log files.

A general theme was that risk trumped infosec; that is, determine what most needs to be protected, then protect it, rather than trying to protect everything. There's a trend toward the creation of Chief Risk Officers, with infosec reporting to them instead of CIOs, thereby removing some conflict of interest. Awareness continues to be important because "There's no patch for stupid." Good luck with that one.