Limiting Vulnerability Exposure through effective Patch Management: threat mitigation through vulnerability remediation Submitted in fulfilment of the requirements of the degree MASTER OF SCIENCE in the Department of Computer Science of Rhodes University Dominic Stjohn Dolin White <[email protected]> January 2006 Abstract This document aims to provide a complete discussion on vulnerability and patch management.It looks first at the trends relating to vulnerabilities, exploits, attacks and patches. These trends provide the drivers of patch and vulnerability management. Understanding these allows the fol- lowing chapters to present both policy and technical solutions to the problem. The policy lays out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, manag- ing risk, strategies for reducing downtime and vulnerability and generating patch metrics. It then discusses how best a vendors should implement a related patch release policy that will allow end-users to most effectively and timeously mitigate vulnerabilities. The next chapter discussed the technical aspect of automating parts of such a policy and how defence in depth can be ap- plied to the field of patch management. The document then concludes that patch management is becoming more difficult and the guidelines described will go a long way into creating a workable and effective means for mitigating exposure to vulnerabilities. However, more research is needed into vulnerabilities, exploits and particularly into threats. Contents 1 Introduction 1 1.1 Backgrounds .................................... 1 1.2 PatchManagement ................................. 3 1.2.1 Definitions ................................. 4 1.3 TheNeedforPatchManagement. ... 6 1.4 Objectives...................................... 7 1.5 Methodology .................................... 8 1.6 Conclusion ..................................... 10 2 Vulnerability and Patch Management 11 2.1 Introduction.................................... 11 2.2 TheVulnerabilityLife-Cycle . ...... 12 2.3 Vulnerabilities,Malware and ExploitationTrends . ............. 16 2.3.1 Increasingnumberofvulnerabilities . ....... 16 2.3.2 Increasingnumberofattacks . ... 18 2.3.3 Exploitwindowshrinking . 21 2 CONTENTS 3 2.4 ProblemswithPatches ............................. .. 22 2.4.1 UnpredictablePatches . 23 2.4.2 TooManyPatches ............................. 24 2.4.3 WindowtoPatchisShrinking . 25 2.4.4 ComplexPatches .............................. 26 2.4.5 Hardtoobtainpatches . 26 2.4.6 ProblemPatchExamples. 28 2.4.6.1 SQLSlammer/SapphireWorm . 28 2.4.6.2 GDI+JPEGVulnerability . 30 2.5 Conclusion ..................................... 31 3 Policy Solutions 33 3.1 Introduction.................................... 33 3.2 PatchManagementPolicy . .. 34 3.2.1 PatchandVulnerabilityGroup . ... 35 3.2.2 Security, Stability, Functionality Patches and Workarounds . 36 3.2.3 Policy.................................... 38 3.2.3.1 InformationGathering. 40 3.2.3.2 RiskAssessment. 47 3.2.3.3 SchedulingandPatchingStrategy . 53 3.2.3.4 Testing.............................. 57 3.2.3.5 Planning&ChangeManagement . 61 CONTENTS 4 3.2.3.6 Deployment,InstallationandRemediation . .... 64 3.2.3.7 Verification&Reporting . 65 3.2.3.8 Maintenance........................... 71 3.2.3.9 Summary............................. 72 3.3 Conclusion ..................................... 73 4 Vendor Patch Release Policy 75 4.1 Introduction.................................... 75 4.2 StateoftheArt ................................... 76 4.3 Ananalysisofpatchschedules . ..... 78 4.3.1 TheDisclosureDebate . 79 4.3.1.1 DelayedDisclosure . 80 4.3.1.2 InstantaneousDisclosure . 81 4.3.2 PatchSchedulesandDelayedDisclosure . ..... 82 4.3.3 Patch Schedules and InstantaneousDisclosure . ......... 83 4.3.3.1 Quality.............................. 84 4.3.3.2 PlannedDeployment . 87 4.3.3.3 Examples ............................ 88 4.3.4 Conclusion ................................. 90 4.4 AdviceforimplementingaPatchReleaseSchedule . .......... 90 4.4.1 DualSchedulesandSeparationCriteria . ...... 91 4.4.2 PredictablePatchReleaseSchedule . ..... 92 CONTENTS 5 4.4.3 CriticalPatchRelease . 94 4.4.4 EncouragingDelayedDisclosure. .... 96 4.5 Conclusion ..................................... 97 5 Practical Solutions 98 5.1 Introduction.................................... 98 5.2 PatchManagementSoftware . ... 98 5.2.1 Functionality and Classification of Patching Tools . ........... 99 5.2.1.1 Notification ...........................103 5.2.1.2 InventoryManagement . .104 5.2.1.3 VulnerabilityScanner . .105 5.2.1.4 PatchTesting. .106 5.2.1.5 PatchPackaging . .107 5.2.1.6 PatchDistribution . .111 5.2.1.7 Reporting ............................111 5.2.1.8 Summary.............................112 5.2.2 Architecture.................................112 5.2.2.1 Agentless ............................112 5.2.2.2 Agent ..............................114 5.2.3 AvailableTools...............................115 5.2.3.1 Evolution ............................115 5.2.3.2 Examples ............................117 CONTENTS 6 5.3 DefenceinDepth .................................. 119 5.3.1 FirewallsandAnti-Virus . 119 5.3.2 IntrusionDetection/PreventionSystems . ........120 5.3.2.1 VirtualPatching . .121 5.3.3 OtherHardening ..............................122 5.3.4 SoftwareSelection . .. .. .. .. .. .. .. .. 122 5.4 Conclusion .....................................124 6 Conclusion 126 6.1 Introduction.................................... 126 6.2 Objectives...................................... 126 6.2.1 Summary ..................................128 6.3 ProblemsandSolutions. 129 6.4 FutureWork.....................................129 6.4.1 ThreatManagement ............................129 6.4.2 VulnerabilityDetailandTrendTracking . .......130 6.4.3 OptimalTimetoPatchforLargeVendors . .130 6.4.4 PatchStandards...............................131 6.5 FinalWord .....................................131 Bibliography 133 References 133 CONTENTS 7 A Time-line of Notable Worms and Viruses 157 A.1 Introduction.................................... 157 A.2 Time-line ......................................157 A.2.1 2006 ....................................157 A.2.2 2005 ....................................157 A.2.3 2004 ....................................158 A.2.4 2003 ....................................158 A.2.5 2001 ....................................159 A.2.6 1999 ....................................159 A.2.7 1998 ....................................160 A.2.8 1995 ....................................160 A.2.9 1992 ....................................160 A.2.101989 ....................................160 A.2.111988 ....................................160 A.2.121987 ....................................160 A.2.131982 ....................................161 B Analysis of WSUS 162 B.1 Introduction.................................... 162 B.2 What’sNew.....................................163 B.3 Installation .................................... 164 B.3.1 Topology ..................................164 CONTENTS 8 B.3.1.1 Default..............................164 B.3.1.2 Grouping.............................164 B.3.1.3 Chaining.............................166 B.3.1.4 ClientDownload. .166 B.3.2 Requirements................................167 B.3.3 Server....................................168 B.3.4 Client....................................169 B.4 Configuration .................................... 169 B.4.1 Server....................................169 B.4.2 ClientSide .................................174 B.5 Patching.......................................177 B.5.1 Synchronisation ..............................177 B.5.2 Approval ..................................177 B.5.3 Detection ..................................179 B.5.4 Distribution.................................180 B.5.5 Installation .................................180 B.5.6 Verification .................................180 B.6 Reporting ......................................180 B.7 PacketCapture ................................... 181 B.7.1 StepsPerformed ..............................181 B.7.2 ResultingNetworkTraffic . 184 CONTENTS 9 B.7.3 Analysis ..................................187 B.7.4 PacketCaptureSummary. 189 B.7.4.1 Interface .............................189 B.7.4.2 Security .............................189 B.8 Resources......................................189 B.9 Conclusion .....................................190 List of Figures 2.1 TheorisedVulnerabilityLife-Cycle[1] . .......... 14 2.2 GeneralisedModelofEmpiricalFindings . ........ 16 3.1 Hypothetical graph of the risk of compromise and patching[2]........... 55 3.2 Patch application and its impact on Availability [3] ................ 56 3.3 DiagramoftheproposedPatchManagementpolicy . ......... 73 4.1 Delayed Disclosure and its effects on vulnerable machines and exploitation Source:ModifiedfromRescorla[4] . .. 81 4.2 Instantaneous Disclosure and its effects on vulnerable machines and exploitation Source:ModifiedfromRescorla[4] . .. 82 5.1 Graphoftheeffectivenessofbinarypatchtools . ...........110 5.2 Graph of the number of vulnerabilities in different Linux kernel versions per year. Source:CVE[5] ..................................124 B.1 DefaultTopology ................................. 165 B.2 GroupedTopology ................................. 165 B.3 ChainedTopology................................. 166 1 LIST OF
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages205 Page
-
File Size-