Information Technology / Security & Auditing SECURITY SECURITY PATCH PATCH MANAGEMENT Second Edition MANAGEMENT Although the patch management proces is neither exceedingly technical nor Second Edition extremely complicated, it is still perceived as a complex issue that’s often left to the last minute or resolved with products that automate the task. Effective patch management is not about technology; it’s about having a formal process in place that can deploy patches to vulnerable systems quickly. Helping you fgure out exactly what to patch and which patches to use, Security Patch Management provides detailed guidance through the process of creating and implementing an effective and effcient patch management process. It uses a format that is easy to understand and applicable regardless of the operating system, network device, or patch deployment tool. The author illustrates the proper implementation of patches on devices and systems within various infrastructures to provide the insight required to • Design your own patch release process and keep it action ready • Test the effectiveness of your patches • Keep up with the latest patch releases • Prioritize the vulnerabilities that need to be addressed • Apply patches quickly and without draining essential network resources This book supplies the tools and guidelines you need to stay one step ahead of the exploits on the horizon. It will help you establish a patch management process that not only protects your organization against zero-day attacks, but also helps you become more proactive when it comes to this critical facet of information security. Felicia M. Nicastro K11189 ISBN: 978-1-4398-2499-3 90000 9 781439 824993 K11189_COVER_final.indd 1 3/1/11 11:45 AM Nicastro SECURITY PATCH MANAGEMENT Second Edition SECURITY PATCH MANAGEMENT Second Edit ion OTHER INFORMATION SECURITY BOOKS FROM AUERBACH Building an Enterprise-Wide Business Intelligent Video Surveillance: Continuity Program Systems and Technology Kelley Okolita Edited by Yunqian Ma and Gang Qian ISBN 978-1-4200-8864-9 ISBN 978-1-4398-1328-7 Critical Infrastructure: Homeland Security Managing an Information Security and and Emergency Preparedness, Privacy Awareness and Training Program, Second Edition Second Edition Robert Radvanovsky and Allan McDougall Rebecca Herold ISBN 978-1-4200-9527-2 ISBN 978-1-4398-1545-8 Data Protection: Governance, Mobile Device Security: A Comprehensive Risk Management, and Compliance Guide to Securing Your Information in David G. Hill a Moving World ISBN 978-1-4398-0692-0 Stephen Fried ISBN 978-1-4398-2016-2 Encyclopedia of Information Assurance Edited by Rebecca Herold and Marcus K. Rogers Secure and Resilient Software Development ISBN 978-1-4200-6620-3 Mark S. Merkow and Lakshmikanth Raghavan ISBN 978-1-4398-2696-6 The Executive MBA in Information Security John J. Trinckes, Jr. Security for Service Oriented ISBN 978-1-4398-1007-1 Architectures Bhavani Thuraisingham FISMA Principles and Best Practices: ISBN 978-1-4200-7331-7 Beyond Compliance Patrick D. Howard Security of Mobile Communications ISBN 978-1-4200-7829-9 Noureddine Boudriga ISBN 978-0-8493-7941-3 HOWTO Secure and Audit Oracle 10g and 11g Security of Self-Organizing Networks: Ron Ben-Natan MANET, WSN, WMN, VANET ISBN 978-1-4200-8412-2 Edited by Al-Sakib Khan Pathan ISBN 978-1-4398-1919-7 Information Security Management: Concepts and Practice Security Patch Management Bel G. Raggad Felicia M. Nicastro ISBN 978-1-4200-7854-1 ISBN 978-1-4398-2499-3 Information Security Policies and Security Risk Assessment Handbook: Procedures: A Practitioner’s Reference, A Complete Guide for Performing Security Second Edition Risk Assessments, Second Edition Thomas R. Peltier Douglas Landoll ISBN 978-0-8493-1958-7 ISBN 978-1-4398-2148-0 Information Security Risk Analysis, Security Strategy: From Requirements Third Edition to Reality Thomas R. Peltier Bill Stackpole and Eric Oksendahl ISBN 978-1-4398-3956-0 ISBN 978-1-4398-2733-8 Information Technology Control and Audit, Vulnerability Management Third Edition Park Foreman Sandra Senft and Frederick Gallegos ISBN 978-1-4398-0150-5 ISBN 978-1-4200-6550-3 AUERBACH PUBLICATIONS www.auerbach-publications.com To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: SECURITY PATCH MANAGEMENT Second Edit ion Felicia M. Nicastro CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2011 by Taylor and Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed in the United States of America on acid-free paper 10 9 8 7 6 5 4 3 2 1 International Standard Book Number-13: 978-1-4398-2500-6 (Ebook-PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information stor- age or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copy- right.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that pro- vides licenses and registration for a variety of users. For organizations that have been granted a pho- tocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com Contents Foreword xi About the Author xiii ChApter 1 IntroduCtIon 1 How to Use Tis Book 3 Background 7 Getting Started 8 Who Owns the Process? 9 People, Process, and Technology 13 Measuring Success 16 Next Steps 18 Types of Patches 19 Functionality Patches 20 Feature Patches 20 Security Patches 21 Product Vendor’s Responsibility 22 ChApter 2 VulnerAbIlIty to pAtCh to exploIt 27 Who Exploits When, Why, and How 29 Te Who 30 Te When 31 Te Why 33 Te How 34 Tracking New Patch Releases 36 Resources for Information 37 ChApter 3 whAt to pAtCh 39 Desktops 40 © 2011 by Taylor & Francis Group, LLC v vi Contents Standard Build 42 User Awareness 43 Use of Tool 44 Remote Users 45 Laptops 47 Servers 48 Windows 50 UNIX® and Linux 51 Network Devices 52 ChApter 4 network And SyStemS mAnAgement: InFormAtIon teChnology InFrAStruCture lIbrAry 55 Network and Systems Management 56 Starting with Process 59 ITIL 60 Service Support 61 Service Desk 61 Incident Management 63 Problem Management 63 Confguration and Asset Management 64 Change Management 66 Release Management 67 Service Delivery 67 Service-Level Management 68 Financial Management for IT Services 69 Performance and Capacity Management 69 IT Service Continuity Management 70 Availability Management 70 ICT Infrastructure Management 70 Security Management 71 Assessing and Implementing IT Operations 71 Assessing the IT Operations Capabilities 72 Designing an IT Operations Solution 76 Implementing an IT Operations Solution 77 Putting the IT Operations Solution into Action 78 Outsourcing to a Service Provider 78 ChApter 5 SeCurIty mAnAgement 81 Overview 82 Security Operations 84 Preparing for Security Operations 86 Gather Requirements 86 Selecting the Tools 89 Establishing Security Operations 93 Methods of Implementation 94 Roles and Responsibilities 96 Implementing Security Operations 98 © 2011 by Taylor & Francis Group, LLC Contents vii Incorporating Security into Operational Processes 100 Process Example 102 Next Steps 105 ChApter 6 VulnerAbIlIty mAnAgement 107 Defnition of Vulnerability Management 108 Vulnerability Management Process 110 Monitor 111 Gather Data 112 Assess the Posture 113 Remediate 115 Rinse and Repeat 116 Establishing Vulnerability Management 117 Assess 118 Design 119 Implement 120 Review 121 Next Steps 121 ChApter 7 toolS 123 Process versus Tools 125 Where to Use Tem 127 Asset Tracking 127 Patch Deployment 130 How to Determine Which One Is Best 131 Price 132 Leveraging Existing Software 133 Supported Operating Systems 134 Agent-Based versus Agentless Software Products 135 Tools Evaluated 137 Conducting Comparisons 140 ChApter 8 teStIng 143 Common Issues with Testing 144 Te Testing Process 145 Preinstall Activities 146 Patch Installation 148 Test Intended Purpose 149 Test Primary Uses 150 Test Secondary Uses 151 Testing Patch Back Out 152 Approving Deployment 153 Patch Ratings and How Tey Afect Testing 153 Prioritizing the Test Process 156 Externally Facing Hosts 158 Mission-Critical Hosts 159 Critical Users 159 Mobile Devices and Remote Users 160 © 2011 by Taylor & Francis Group, LLC viii Contents Clients of Critical Hosts 160 Standard User Systems 161 Internal Network Devices 162 Dynamic Prioritization 162 Te Test Lab 163 Virtual Machines 165 Wrapping It Up 170 ChApter 9 proCeSS lIFe CyCle 173 Roles and Responsibilities 175 Security Committee 177 Security Group 181 Operations Group 183 Network Operations Center 185 Analysis Phase of Patch Management 187 Monitoring and Discovery 187 Initial Assessment Phase 189 Impact Assessment Phase 191 Remediation Phase of Patch Management 193 Patch Course of Action 194 Patch Security Advisory 197 Testing the Patch 201 “Critical” Vulnerabilities 202 Use of a Standard Build 203 Updating the Operational Environment 204 Distributing the Patch 205 Implementation of Patches 207 Time Frame of Deployment 208 Exceptions to the Rule 210 Updating Remote Users 212 Tracking Patches 214 Patch Reporting 214 ChApter 10 puttIng the proCeSS In plACe 217 Preparing for the Process 218 Assessing Current State 219 Determine Requirements 220 Performing the Gap Analysis 222 Designing the Process 223 Assessing Network Devices and Systems 224 Implementation Phase 226 Standard Build 227 Implement the Tool 229 Piloting the Process 231 Moving the Process into Production 233 Update Design Based on Implementation 235 Operating the Process 236 Integration into Existing Processes 237 © 2011 by Taylor & Francis Group, LLC Contents ix Updating Standard Builds 239 Implementation of New Servers 239 Day-to-Day Tool Operations 240 Deployment of Patches 241 Maintain 242 Organizational Structure Changes 244 Operational Changes 244 Purchase of New or Additional Tool 245 Annual Basis 246 Patch Management Policy 246 ChApter 11 ConCluSIon 251 Challenges 253 Next Steps 257 © 2011 by Taylor & Francis Group, LLC