Limiting Vulnerability Exposure Through Effective Patch Management: Threat Mitigation Through Vulnerability Remediation

Submitted in fulfilment of the requirements of the degree of Master of Science in the Department of Computer Science of Rhodes University

Dominic Stjohn Dolin White <[email protected]>

January 2006

Abstract

This document aims to provide a complete discussion of vulnerability and patch management. It looks first at the trends relating to vulnerabilities, exploits, attacks and patches. These trends are the drivers of patch and vulnerability management, and understanding them allows the following chapters to present both policy and technical solutions to the problem. The policy lays out a comprehensive set of steps that any organisation can follow to implement its own patch management policy, including practical advice on integration with other policies, managing risk, strategies for reducing downtime and vulnerability, and generating patch metrics. It then discusses how a vendor should best implement a related patch release policy that will allow end users to mitigate vulnerabilities most effectively and timeously. The next chapter discusses the technical aspect of automating parts of such a policy and how defence in depth can be applied to the field of patch management. The document concludes that patch management is becoming more difficult and that the guidelines described will go a long way towards creating a workable and effective means of mitigating exposure to vulnerabilities. However, more research is needed into vulnerabilities, exploits and particularly into threats.

Contents

1 Introduction 1
  1.1 Background 1
  1.2 Patch Management 3
    1.2.1 Definitions 4
  1.3 The Need for Patch Management 6
  1.4 Objectives 7
  1.5 Methodology 8
  1.6 Conclusion 10
2 Vulnerability and Patch Management 11
  2.1 Introduction 11
  2.2 The Vulnerability Life-Cycle 12
  2.3 Vulnerabilities, Malware and Exploitation Trends 16
    2.3.1 Increasing number of vulnerabilities 16
    2.3.2 Increasing number of attacks 18
    2.3.3 Exploit window shrinking 21
  2.4 Problems with Patches 22
    2.4.1 Unpredictable Patches 23
    2.4.2 Too Many Patches 24
    2.4.3 Window to Patch is Shrinking 25
    2.4.4 Complex Patches 26
    2.4.5 Hard to obtain patches 26
    2.4.6 Problem Patch Examples 28
      2.4.6.1 SQL Slammer/Sapphire Worm 28
      2.4.6.2 GDI+ JPEG Vulnerability 30
  2.5 Conclusion 31
3 Policy Solutions 33
  3.1 Introduction 33
  3.2 Patch Management Policy 34
    3.2.1 Patch and Vulnerability Group 35
    3.2.2 Security, Stability, Functionality Patches and Workarounds 36
    3.2.3 Policy 38
      3.2.3.1 Information Gathering 40
      3.2.3.2 Risk Assessment 47
      3.2.3.3 Scheduling and Patching Strategy 53
      3.2.3.4 Testing 57
      3.2.3.5 Planning & Change Management 61
      3.2.3.6 Deployment, Installation and Remediation 64
      3.2.3.7 Verification & Reporting 65
      3.2.3.8 Maintenance 71
      3.2.3.9 Summary 72
  3.3 Conclusion 73
4 Vendor Patch Release Policy 75
  4.1 Introduction 75
  4.2 State of the Art 76
  4.3 An analysis of patch schedules 78
    4.3.1 The Disclosure Debate 79
      4.3.1.1 Delayed Disclosure 80
      4.3.1.2 Instantaneous Disclosure 81
    4.3.2 Patch Schedules and Delayed Disclosure 82
    4.3.3 Patch Schedules and Instantaneous Disclosure 83
      4.3.3.1 Quality 84
      4.3.3.2 Planned Deployment 87
      4.3.3.3 Examples 88
    4.3.4 Conclusion 90
  4.4 Advice for implementing a Patch Release Schedule 90
    4.4.1 Dual Schedules and Separation Criteria 91
    4.4.2 Predictable Patch Release Schedule 92
    4.4.3 Critical Patch Release 94
    4.4.4 Encouraging Delayed Disclosure 96
  4.5 Conclusion 97
5 Practical Solutions 98
  5.1 Introduction 98
  5.2 Patch Management Software 98
    5.2.1 Functionality and Classification of Patching Tools 99
      5.2.1.1 Notification 103
      5.2.1.2 Inventory Management 104
      5.2.1.3 Vulnerability Scanner 105
      5.2.1.4 Patch Testing 106
      5.2.1.5 Patch Packaging 107
      5.2.1.6 Patch Distribution 111
      5.2.1.7 Reporting 111
      5.2.1.8 Summary 112
    5.2.2 Architecture 112
      5.2.2.1 Agentless 112
      5.2.2.2 Agent 114
    5.2.3 Available Tools 115
      5.2.3.1 Evolution 115
      5.2.3.2 Examples 117
  5.3 Defence in Depth 119
    5.3.1 Firewalls and Anti-Virus 119
    5.3.2 Intrusion Detection/Prevention Systems 120
      5.3.2.1 Virtual Patching 121
    5.3.3 Other Hardening 122
    5.3.4 Software Selection 122
  5.4 Conclusion 124
6 Conclusion 126
  6.1 Introduction 126
  6.2 Objectives 126
    6.2.1 Summary 128
  6.3 Problems and Solutions 129
  6.4 Future Work 129
    6.4.1 Threat Management 129
    6.4.2 Vulnerability Detail and Trend Tracking 130
    6.4.3 Optimal Time to Patch for Large Vendors 130
    6.4.4 Patch Standards 131
  6.5 Final Word 131
Bibliography 133
References 133
A Time-line of Notable Worms and Viruses 157
  A.1 Introduction 157
  A.2 Time-line 157
    A.2.1 2006 157
    A.2.2 2005 157
    A.2.3 2004 158
    A.2.4 2003 158
    A.2.5 2001 159
    A.2.6 1999 159
    A.2.7 1998 160
    A.2.8 1995 160
    A.2.9 1992 160
    A.2.10 1989 160
    A.2.11 1988 160
    A.2.12 1987 160
    A.2.13 1982 161
B Analysis of WSUS 162
  B.1 Introduction 162
  B.2 What's New 163
  B.3 Installation 164
    B.3.1 Topology 164
      B.3.1.1 Default 164
      B.3.1.2 Grouping 164
      B.3.1.3 Chaining 166
      B.3.1.4 Client Download 166
    B.3.2 Requirements 167
    B.3.3 Server 168
    B.3.4 Client 169
  B.4 Configuration 169
    B.4.1 Server 169
    B.4.2 Client Side 174
  B.5 Patching 177
    B.5.1 Synchronisation 177
    B.5.2 Approval 177
    B.5.3 Detection 179
    B.5.4 Distribution 180
    B.5.5 Installation 180
    B.5.6 Verification 180
  B.6 Reporting 180
  B.7 Packet Capture 181
    B.7.1 Steps Performed 181
    B.7.2 Resulting Network Traffic 184
    B.7.3 Analysis 187
    B.7.4 Packet Capture Summary 189
      B.7.4.1 Interface 189
      B.7.4.2 Security 189
  B.8 Resources 189
  B.9 Conclusion 190

List of Figures

2.1 Theorised Vulnerability Life-Cycle [1] 14
2.2 Generalised Model of Empirical Findings 16
3.1 Hypothetical graph of the risk of compromise and patching [2] 55
3.2 Patch application and its impact on Availability [3] 56
3.3 Diagram of the proposed Patch Management policy 73
4.1 Delayed Disclosure and its effects on vulnerable machines and exploitation. Source: modified from Rescorla [4] 81
4.2 Instantaneous Disclosure and its effects on vulnerable machines and exploitation. Source: modified from Rescorla [4] 82
5.1 Graph of the effectiveness of binary patch tools 110
5.2 Graph of the number of vulnerabilities in different Linux kernel versions per year. Source: CVE [5] 124
B.1 Default Topology 165
B.2 Grouped Topology 165
B.3 Chained Topology 166

Details

  • File Type: PDF
  • Content Languages: English
  • File Pages: 205
