Limiting Vulnerability Exposure Through Effective Patch Management: Threat Mitigation Through Vulnerability Remediation

Submitted in fulfilment of the requirements of the degree MASTER OF SCIENCE in the Department of Computer Science of Rhodes University

Dominic Stjohn Dolin White <[email protected]>

January 2006

Abstract

This document aims to provide a complete discussion on vulnerability and patch management. The first chapters look at the trends relating to vulnerabilities, exploits, attacks and patches. These trends describe the drivers of patch and vulnerability management and situate the discussion in the current security climate. The following chapters then aim to present both policy and technical solutions to the problem. The policies described lay out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, identifying vulnerability, strategies for reducing downtime and generating metrics to measure progress. Having covered the steps that can be taken by users, a strategy describing how best a vendor should implement a related patch release policy is provided. An argument is made that current monthly patch release schedules are inadequate to allow users to most effectively and timeously mitigate vulnerabilities. The final chapters discuss the technical aspect of automating parts of the policies described. In particular the concept of 'defense in depth' is used to discuss additional strategies for 'buying time' during the patch process.

The document then goes on to conclude that in the face of increasing malicious activity and more complex patching, solid frameworks such as those provided in this document are required to ensure an organisation can fully manage the patching process. However, more research is required to fully understand vulnerabilities and exploits. In particular more attention must be paid to threats, as little work has been done to fully understand threat-agent capabilities and activities on a day-to-day basis.

Contents

1 Introduction  1
  1.1 Background  1
  1.2 Patch Management  3
    1.2.1 Definitions  4
  1.3 The Need for Patch Management  6
  1.4 Objectives  7
  1.5 Methodology  8
  1.6 Conclusion  10
2 Vulnerability and Patch Management  11
  2.1 Introduction  11
  2.2 The Vulnerability Life-Cycle  12
  2.3 Vulnerabilities, Malware and Exploitation Trends  16
    2.3.1 Increasing number of vulnerabilities  17
    2.3.2 Increasing number of attacks  18
    2.3.3 Exploit window shrinking  21
  2.4 Problems with Patches  23
    2.4.1 Unpredictable Patches  23
    2.4.2 Too Many Patches  24
    2.4.3 Window to Patch is Shrinking  25
    2.4.4 Complex Patches  26
    2.4.5 Hard to obtain patches  27
    2.4.6 Problem Patch Examples  28
      2.4.6.1 SQL Slammer/Sapphire Worm  28
      2.4.6.2 GDI+ JPEG Vulnerability  30
  2.5 Conclusion  31
3 Policy Solutions  33
  3.1 Introduction  33
  3.2 Patch Management Policy Framework  34
    3.2.1 Patch and Vulnerability Group  35
    3.2.2 Security, Stability, Functionality Patches and Workarounds  36
    3.2.3 Policy  38
      3.2.3.1 Information Gathering  40
      3.2.3.2 Risk Assessment  47
      3.2.3.3 Scheduling and Patching Strategy  53
      3.2.3.4 Testing  57
      3.2.3.5 Planning & Change Management  61
      3.2.3.6 Deployment, Installation and Remediation  64
      3.2.3.7 Verification & Reporting  65
      3.2.3.8 Maintenance  71
      3.2.3.9 Summary  72
  3.3 Conclusion  73
4 Vendor Patch Release Policy  75
  4.1 Introduction  75
  4.2 State of the Art  76
  4.3 An analysis of patch schedules  78
    4.3.1 The Disclosure Debate  79
      4.3.1.1 Delayed Disclosure  80
      4.3.1.2 Instantaneous Disclosure  81
    4.3.2 Patch Schedules and Delayed Disclosure  82
    4.3.3 Patch Schedules and Instantaneous Disclosure  83
      4.3.3.1 Quality  84
      4.3.3.2 Planned Deployment  87
      4.3.3.3 Examples  88
    4.3.4 Conclusion  90
  4.4 Advice for implementing a Patch Release Schedule  90
    4.4.1 Dual Schedules and Separation Criteria  91
    4.4.2 Predictable Patch Release Schedule  92
    4.4.3 Critical Patch Release  94
    4.4.4 Encouraging Delayed Disclosure  96
  4.5 Conclusion  97
5 Practical Solutions  98
  5.1 Introduction  98
  5.2 Patch Management Software  98
    5.2.1 Functionality and Classification of Patching Tools  99
      5.2.1.1 Notification  103
      5.2.1.2 Inventory Management  104
      5.2.1.3 Vulnerability Scanner  105
      5.2.1.4 Patch Testing  106
      5.2.1.5 Patch Packaging  107
      5.2.1.6 Patch Distribution  111
      5.2.1.7 Reporting  111
      5.2.1.8 Summary  112
    5.2.2 Architecture  112
      5.2.2.1 Agentless  112
      5.2.2.2 Agent  114
    5.2.3 Available Tools  115
      5.2.3.1 Evolution  115
      5.2.3.2 Examples  117
  5.3 Defence in-depth  119
    5.3.1 Firewalls and Anti-Virus  119
    5.3.2 Intrusion Detection/Prevention Systems  120
      5.3.2.1 Virtual Patching  121
    5.3.3 Other Hardening  122
    5.3.4 Software Selection  122
  5.4 Conclusion  124
6 Conclusion  126
  6.1 Introduction  126
  6.2 Objectives  126
    6.2.1 Summary  128
  6.3 Problems and Solutions  129
  6.4 Future Work  129
    6.4.1 Threat Management  129
    6.4.2 Vulnerability Detail and Trend Tracking  130
    6.4.3 Optimal Time to Patch for Large Vendors  130
    6.4.4 Patch Standards  131
  6.5 Final Word  131
Bibliography  133
References  133
A Time-line of Notable Worms and Viruses  157
  A.1 Introduction  157
  A.2 Time-line  157
    A.2.1 2006  157
    A.2.2 2005  157
    A.2.3 2004  158
    A.2.4 2003  158
    A.2.5 2001  159
    A.2.6 1999  159
    A.2.7 1998  159
    A.2.8 1995  160
    A.2.9.

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    203 pages
