HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 19 guests and 2 members online
EH-Net Donations

Enter Amount:
$
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Malwarearrow Patch Window
Ethical Hacker Community Forums
December 01, 2008, 11:49:27 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: ChicagoCon 2-Day Ethical Hacking Conference with MS Blue Hats Oct 31 - Nov 1. Tickets Only $100! www.chicagocon.com/content/view/103/51/
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Patch Window  (Read 2049 times)
0 Members and 1 Guest are viewing this topic.
RoleReversal
Sr. Member
****
Offline Offline

Posts: 469


View Profile WWW
« on: April 22, 2008, 03:11:55 AM »
Everyones favourite topic....

Several recent reports (ISC and El Reg) are indicating what many of us have come to suspect; the window between patch release and exploit is getting smaller. In the days of change control, patch management and multiple regulatory bodies stating that all patches (or any change to a production system) must be tested.

Does anyone from the front lines have any tips, systems or anecdotes for dealing with this increasing issue?
Logged
A little bit of sanity:
http://www.infosanity.co.uk
vijay2
Full Member
***
Offline Offline

Posts: 126


View Profile
« Reply #1 on: April 22, 2008, 06:40:45 AM »
After the August worm in 2005, we learned a few lessons. the most important being having better administration for our networking gear. We have come to a point now that we can disable a switch port or a group of ports or a segment with a click of a mouse, or a single command. This gives a ability to isolate the machine or a segment which is infected. Also we use policies on our switches through which we can disable any protocol port on a switch port or a LAN. We are also working on NAC solution which would allow is to isolate any outside laptop connecting to our network if it does not meet the baseline patched status.

Off course, all this is complimented with firewalls, IDSs and a dedicated security team.

That was all technical but it could not have been possible without strong policies and procedures and commitment from the senior management. Also, we have a great co-ordination between the IRT, Security team and the Net OPs and well defined guidelines so that in a event there is no time wasted going through the red tape.

Hope this helps
Logged
GPEN GCIH CISSP GSEC OSCP C|EH MCSE CNE Security+
ElCapitan
Newbie
*
Offline Offline

Posts: 6


Unanimous FTP: the #1 threat to copyrights!


View Profile
« Reply #2 on: April 28, 2008, 11:28:52 AM »
RR,

I see an increased effort in establishing countermeasures to accommodate this trend in smaller patch window availability/exploit release.

This includes: more frequent virus definition updates, IDS signature updates, and increasing staff to monitor for outbreaks.

As vijay mentioned, network separation capabilities are better but this doesn't help if you have a bureaucracy to slow down the process of isolating an infected system.
Logged
RoleReversal
Sr. Member
****
Offline Offline

Posts: 469


View Profile WWW
« Reply #3 on: April 28, 2008, 11:58:51 AM »
Thanks for the replies guys.

I always find it is good to take a step back from my current situation and see how others are handling the same issue. Especially good to see that others have had success with changes that I would like to implement, means I must be doing something right for a change Wink

In a semi related issue, I've seen a few reports on research carried out state side that are trying to get Microsoft (and others I'm presuming) to change the way that patches are released. An attempt to stop the bad guys from reverse engineering the updates to create more exploits.

To me this seems short sighted and naive, as the 'fix' code needs to reach end users computers in one method or another and I can see nothing stopping the bad guys from (heaven forbid) purchasing a legit copy of <insert here> OS. From my understanding I can only see this scenario increasing the time/resources required to implement any new patch.

Is this really what is being proposed, or did I miss something somewhere?
Logged
A little bit of sanity:
http://www.infosanity.co.uk
oleDB
Full Member
***
Offline Offline

Posts: 231



View Profile WWW
« Reply #4 on: April 28, 2008, 01:45:11 PM »
Its kind of a catch 22. Users want MS to have this scheduled patch tuesday so they can have time to prepare, but at the same time vulnerability researchers and exploit writers are gearing up to reverse the patches and write exploits on that day as well. There is no way around it that I can see.

On a side note, I've only seen time to patching get reduced in the last few years, however one hidden skeleton always rears its ugly head. Legacy code/apps that can't be patched without breaking. UGH!!!!  Angry And its not just an MS thing either, other apps/vendors as well. Nobody ever seems to want to address this issue, as its extremely costly to make the changes. They just keep accepting the risk and kicking the skeleton back into the closet. My advice in this situation, is to track legacy systems just like you do PCI/Sox systems. They require extra monitoring and safeguards as well.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.7 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.046 seconds with 22 queries.
 
Sponsors

cwnp_moto__120x90.gif

Polls
During the most recent election, I:
 
Support EH-Net

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

Sadikhov.com
Top IT Cert Sites

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2008 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.