Information Technology / Security & Auditing
SECURITY PATCH MANAGEMENT
Second Edition
Although the patch management process is neither exceedingly technical nor extremely complicated, it is still perceived as a complex issue that’s often left to the last minute or resolved with products that automate the task. Effective patch management is not about technology; it’s about having a formal process in place that can deploy patches to vulnerable systems quickly.
Helping you figure out exactly what to patch and which patches to use, Security Patch Management provides detailed guidance through the process of creating and implementing an effective and efficient patch management process. It uses a format that is easy to understand and applicable regardless of the operating system, network device, or patch deployment tool. The author illustrates the proper implementation of patches on devices and systems within various infrastructures to provide the insight required to
• Design your own patch release process and keep it action ready
• Test the effectiveness of your patches
• Keep up with the latest patch releases
• Prioritize the vulnerabilities that need to be addressed
• Apply patches quickly and without draining essential network resources
This book supplies the tools and guidelines you need to stay one step ahead of the exploits on the horizon. It will help you establish a patch management process that not only protects your organization against zero-day attacks, but also helps you become more proactive when it comes to this critical facet of information security.
Felicia M. Nicastro
K11189
ISBN: 978-1-4398-2499-3
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Building an Enterprise-Wide Business Continuity Program, Kelley Okolita, ISBN 978-1-4200-8864-9
Critical Infrastructure: Homeland Security and Emergency Preparedness, Second Edition, Robert Radvanovsky and Allan McDougall, ISBN 978-1-4200-9527-2
Data Protection: Governance, Risk Management, and Compliance, David G. Hill, ISBN 978-1-4398-0692-0
Encyclopedia of Information Assurance, Edited by Rebecca Herold and Marcus K. Rogers, ISBN 978-1-4200-6620-3
The Executive MBA in Information Security, John J. Trinckes, Jr., ISBN 978-1-4398-1007-1
FISMA Principles and Best Practices: Beyond Compliance, Patrick D. Howard, ISBN 978-1-4200-7829-9
HOWTO Secure and Audit Oracle 10g and 11g, Ron Ben-Natan, ISBN 978-1-4200-8412-2
Information Security Management: Concepts and Practice, Bel G. Raggad, ISBN 978-1-4200-7854-1
Information Security Policies and Procedures: A Practitioner’s Reference, Second Edition, Thomas R. Peltier, ISBN 978-0-8493-1958-7
Information Security Risk Analysis, Third Edition, Thomas R. Peltier, ISBN 978-1-4398-3956-0
Information Technology Control and Audit, Third Edition, Sandra Senft and Frederick Gallegos, ISBN 978-1-4200-6550-3
Intelligent Video Surveillance: Systems and Technology, Edited by Yunqian Ma and Gang Qian, ISBN 978-1-4398-1328-7
Managing an Information Security and Privacy Awareness and Training Program, Second Edition, Rebecca Herold, ISBN 978-1-4398-1545-8
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World, Stephen Fried, ISBN 978-1-4398-2016-2
Secure and Resilient Software Development, Mark S. Merkow and Lakshmikanth Raghavan, ISBN 978-1-4398-2696-6
Security for Service Oriented Architectures, Bhavani Thuraisingham, ISBN 978-1-4200-7331-7
Security of Mobile Communications, Noureddine Boudriga, ISBN 978-0-8493-7941-3
Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, Edited by Al-Sakib Khan Pathan, ISBN 978-1-4398-1919-7
Security Patch Management, Felicia M. Nicastro, ISBN 978-1-4398-2499-3
Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition, Douglas Landoll, ISBN 978-1-4398-2148-0
Security Strategy: From Requirements to Reality, Bill Stackpole and Eric Oksendahl, ISBN 978-1-4398-2733-8
Vulnerability Management, Park Foreman, ISBN 978-1-4398-0150-5
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail:
SECURITY PATCH MANAGEMENT
Second Edition
Felicia M. Nicastro
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4398-2500-6 (Ebook-PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Foreword xi
About the Author xiii
Chapter 1 Introduction 1
How to Use This Book 3
Background 7
Getting Started 8
Who Owns the Process? 9
People, Process, and Technology 13
Measuring Success 16
Next Steps 18
Types of Patches 19
Functionality Patches 20
Feature Patches 20
Security Patches 21
Product Vendor’s Responsibility 22
Chapter 2 Vulnerability to Patch to Exploit 27
Who Exploits When, Why, and How 29
The Who 30
The When 31
The Why 33
The How 34
Tracking New Patch Releases 36
Resources for Information 37
Chapter 3 What to Patch 39
Desktops 40
© 2011 by Taylor & Francis Group, LLC
Standard Build 42
User Awareness 43
Use of Tool 44
Remote Users 45
Laptops 47
Servers 48
Windows 50
UNIX® and Linux 51
Network Devices 52
Chapter 4 Network and Systems Management: Information Technology Infrastructure Library 55
Network and Systems Management 56
Starting with Process 59
ITIL 60
Service Support 61
Service Desk 61
Incident Management 63
Problem Management 63
Configuration and Asset Management 64
Change Management 66
Release Management 67
Service Delivery 67
Service-Level Management 68
Financial Management for IT Services 69
Performance and Capacity Management 69
IT Service Continuity Management 70
Availability Management 70
ICT Infrastructure Management 70
Security Management 71
Assessing and Implementing IT Operations 71
Assessing the IT Operations Capabilities 72
Designing an IT Operations Solution 76
Implementing an IT Operations Solution 77
Putting the IT Operations Solution into Action 78
Outsourcing to a Service Provider 78
Chapter 5 Security Management 81
Overview 82
Security Operations 84
Preparing for Security Operations 86
Gather Requirements 86
Selecting the Tools 89
Establishing Security Operations 93
Methods of Implementation 94
Roles and Responsibilities 96
Implementing Security Operations 98
Incorporating Security into Operational Processes 100
Process Example 102
Next Steps 105
Chapter 6 Vulnerability Management 107
Definition of Vulnerability Management 108
Vulnerability Management Process 110
Monitor 111
Gather Data 112
Assess the Posture 113
Remediate 115
Rinse and Repeat 116
Establishing Vulnerability Management 117
Assess 118
Design 119
Implement 120
Review 121
Next Steps 121
Chapter 7 Tools 123
Process versus Tools 125
Where to Use Them 127
Asset Tracking 127
Patch Deployment 130
How to Determine Which One Is Best 131
Price 132
Leveraging Existing Software 133
Supported Operating Systems 134
Agent-Based versus Agentless Software Products 135
Tools Evaluated 137
Conducting Comparisons 140
Chapter 8 Testing 143
Common Issues with Testing 144
The Testing Process 145
Preinstall Activities 146
Patch Installation 148
Test Intended Purpose 149
Test Primary Uses 150
Test Secondary Uses 151
Testing Patch Back Out 152
Approving Deployment 153
Patch Ratings and How They Affect Testing 153
Prioritizing the Test Process 156
Externally Facing Hosts 158
Mission-Critical Hosts 159
Critical Users 159
Mobile Devices and Remote Users 160
Clients of Critical Hosts 160
Standard User Systems 161
Internal Network Devices 162
Dynamic Prioritization 162
The Test Lab 163
Virtual Machines 165
Wrapping It Up 170
Chapter 9 Process Life Cycle 173
Roles and Responsibilities 175
Security Committee 177
Security Group 181
Operations Group 183
Network Operations Center 185
Analysis Phase of Patch Management 187
Monitoring and Discovery 187
Initial Assessment Phase 189
Impact Assessment Phase 191
Remediation Phase of Patch Management 193
Patch Course of Action 194
Patch Security Advisory 197
Testing the Patch 201
“Critical” Vulnerabilities 202
Use of a Standard Build 203
Updating the Operational Environment 204
Distributing the Patch 205
Implementation of Patches 207
Time Frame of Deployment 208
Exceptions to the Rule 210
Updating Remote Users 212
Tracking Patches 214
Patch Reporting 214
Chapter 10 Putting the Process in Place 217
Preparing for the Process 218
Assessing Current State 219
Determine Requirements 220
Performing the Gap Analysis 222
Designing the Process 223
Assessing Network Devices and Systems 224
Implementation Phase 226
Standard Build 227
Implement the Tool 229
Piloting the Process 231
Moving the Process into Production 233
Update Design Based on Implementation 235
Operating the Process 236
Integration into Existing Processes 237
Updating Standard Builds 239
Implementation of New Servers 239
Day-to-Day Tool Operations 240
Deployment of Patches 241
Maintain 242
Organizational Structure Changes 244
Operational Changes 244
Purchase of New or Additional Tool 245
Annual Basis 246
Patch Management Policy 246
Chapter 11 Conclusion 251
Challenges 253
Next Steps 257