Author Topic: Patch Window  (Read 4888 times)
0 Members and 1 Guest are viewing this topic.
Andrew Waite
Hero Member
« on: April 22, 2008, 03:11:55 AM »

Everyone's favourite topic....

Several recent reports (ISC and El Reg) are indicating what many of us have come to suspect: the window between patch release and exploit is getting smaller, in the days of change control, patch management and multiple regulatory bodies stating that all patches (or any change to a production system) must be tested.

Does anyone from the front lines have any tips, systems or anecdotes for dealing with this increasing issue?

vijay2
Full Member
« Reply #1 on: April 22, 2008, 06:40:45 AM »

After the August worm in 2005, we learned a few lessons, the most important being having better administration for our networking gear. We have come to a point now that we can disable a switch port or a group of ports or a segment with a click of a mouse, or a single command. This gives an ability to isolate the machine or a segment which is infected. Also we use policies on our switches through which we can disable any protocol port on a switch port or a LAN. We are also working on a NAC solution which would allow us to isolate any outside laptop connecting to our network if it does not meet the baseline patched status.

Of course, all this is complemented with firewalls, IDSs and a dedicated security team.

That was all technical but it could not have been possible without strong policies and procedures and commitment from the senior management. Also, we have great co-ordination between the IRT, Security team and the Net OPs and well defined guidelines so that in an event there is no time wasted going through the red tape.

Hope this helps.

GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
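The "single command to isolate a port or a segment" capability described above, as an added example that is not code from the forum thread or from vijay2's environment: a small Python helper that maps a suspect IP to its access port through constructed ARP and MAC tables, refuses to touch protected ports (uplinks, the segment gateway), and emits the port-shutdown command sequence for the incident team. The tables, switch names and port names are constructed sample data, and the command syntax is an assumed Cisco IOS-style `interface` / `shutdown` sequence to be adapted to whatever the local switches speak.

```python
"""Locate a suspect host on the switch fabric and emit port-isolation commands.

Added example, not code from the forum thread. The ARP and MAC tables below
are constructed sample data; the emitted commands follow an assumed Cisco
IOS-style 'interface <name>' / 'shutdown' syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ARP table (IP -> MAC), as it would be collected from the gateway
ARP_TABLE: Dict[str, str] = {
    "10.1.20.15": "00:1a:2b:3c:4d:5e",
    "10.1.20.16": "00:1a:2b:3c:4d:5f",
    "10.1.20.1": "00:de:ad:be:ef:01",  # segment gateway
}

# Constructed sample MAC table (MAC -> (switch, port)), as collected from the switches
MAC_TABLE: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:5e": ("sw-floor2", "GigabitEthernet1/0/7"),
    "00:1a:2b:3c:4d:5f": ("sw-floor2", "GigabitEthernet1/0/8"),
    "00:de:ad:be:ef:01": ("sw-floor2", "GigabitEthernet1/0/48"),
}

# Ports that automation must never shut down: uplinks, gateways, core links
PROTECTED_PORTS = {("sw-floor2", "GigabitEthernet1/0/48")}


@dataclass
class IsolationPlan:
    ip: str
    mac: str
    switch: str
    port: str
    commands: List[str]


def locate_host(ip: str) -> Optional[Tuple[str, str, str]]:
    """Return (mac, switch, port) for an IP, or None if it is not in the tables."""
    mac = ARP_TABLE.get(ip)
    if mac is None:
        return None
    location = MAC_TABLE.get(mac)
    if location is None:
        return None
    switch, port = location
    return mac, switch, port


def plan_isolation(ip: str, reason: str) -> IsolationPlan:
    """Build the command sequence that shuts the access port of one suspect host."""
    found = locate_host(ip)
    if found is None:
        raise LookupError(f"no switch port known for {ip}; isolate by hand")
    mac, switch, port = found
    if (switch, port) in PROTECTED_PORTS:
        raise PermissionError(f"{switch} {port} is a protected port; manual action required")
    commands = [
        "configure terminal",
        f"interface {port}",
        f"description ISOLATED by IRT ({reason}) mac={mac}",
        "shutdown",
        "end",
    ]
    return IsolationPlan(ip, mac, switch, port, commands)


def plan_segment_isolation(cidr: str, reason: str) -> List[IsolationPlan]:
    """Isolate every known host inside a subnet, skipping protected ports.

    The gateway port is skipped rather than raising, so one protected port in
    the segment does not abort the whole containment action.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    plans: List[IsolationPlan] = []
    for ip in ARP_TABLE:
        if ipaddress.ip_address(ip) not in network:
            continue
        try:
            plans.append(plan_isolation(ip, reason))
        except PermissionError:
            continue
    return plans


if __name__ == "__main__":
    plan = plan_isolation("10.1.20.15", "IDS alert")
    print(f"{plan.ip} ({plan.mac}) is on {plan.switch} {plan.port}")
    print("\n".join(plan.commands))
```

The plan is returned rather than pushed to the switch so that the commands can be logged and reviewed before they are sent, and so the same code path serves a one-host isolation and a whole-segment one; the protected-port list is what keeps a fast "one click" action from taking down the uplink it depends on.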
ElCapitan
Newbie
Unanimous FTP: the #1 threat to copyrights!
« Reply #2 on: April 28, 2008, 11:28:52 AM »

RR,

I see an increased effort in establishing countermeasures to accommodate this trend in smaller patch window availability/exploit release.

This includes: more frequent virus definition updates, IDS signature updates, and increasing staff to monitor for outbreaks.

As vijay mentioned, network separation capabilities are better but this doesn't help if you have a bureaucracy to slow down the process of isolating an infected system.

CISSP, Security+, CEH, OPP, et alii
Andrew Waite
Hero Member
« Reply #3 on: April 28, 2008, 11:58:51 AM »

Thanks for the replies guys.

I always find it is good to take a step back from my current situation and see how others are handling the same issue. It's especially good to see that others have had success with changes that I would like to implement; it means I must be doing something right for a change ;)

In a semi-related issue, I've seen a few reports on research carried out stateside that are trying to get Microsoft (and others I'm presuming) to change the way that patches are released. An attempt to stop the bad guys from reverse engineering the updates to create more exploits.

To me this seems short-sighted and naive, as the 'fix' code needs to reach end users' computers in one method or another and I can see nothing stopping the bad guys from (heaven forbid) purchasing a legit copy of <insert here> OS. From my understanding I can only see this scenario increasing the time/resources required to implement any new patch.

Is this really what is being proposed, or did I miss something somewhere?


oleDB
Full Member
« Reply #4 on: April 28, 2008, 01:45:11 PM »

It's kind of a catch-22. Users want MS to have this scheduled Patch Tuesday so they can have time to prepare, but at the same time vulnerability researchers and exploit writers are gearing up to reverse the patches and write exploits on that day as well. There is no way around it that I can see.

On a side note, I've only seen time to patching get reduced in the last few years, however one hidden skeleton always rears its ugly head: legacy code/apps that can't be patched without breaking. UGH!!!! And it's not just an MS thing either, other apps/vendors as well. Nobody ever seems to want to address this issue, as it's extremely costly to make the changes. They just keep accepting the risk and kicking the skeleton back into the closet. My advice in this situation is to track legacy systems just like you do PCI/SOX systems. They require extra monitoring and safeguards as well.
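The advice above, to track legacy systems the way PCI/SOX systems are tracked, as an added example that is not code from the forum thread: a small Python asset register that records, per host, the release date of the latest relevant patch and when it was deployed, and that reports two kinds of policy findings: patchable hosts whose exposure window has run past a patch SLA, and legacy (unpatchable) hosts that have no compensating controls on record. The asset entries, the 14-day SLA and the set of required controls (`segmentation`, `ids_monitoring`, `log_review`) are constructed sample values, not anything from the page.

```python
"""Asset register that tracks patch exposure and legacy systems.

Added example, not from the forum thread. The asset entries, the 14-day SLA
and the set of required compensating controls are constructed sample values
standing in for whatever the local standard demands.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed: days a patchable host may remain unpatched after a release
PATCH_SLA_DAYS = 14
# Assumed: controls a legacy (unpatchable) host must have on record
REQUIRED_LEGACY_CONTROLS: Set[str] = {"segmentation", "ids_monitoring", "log_review"}


@dataclass
class Asset:
    name: str
    legacy: bool                    # True: cannot be patched without breaking the app
    patch_release: date             # release date of the latest relevant patch
    patched_on: Optional[date] = None
    controls: Set[str] = field(default_factory=set)


def exposure_days(asset: Asset, today: date) -> int:
    """Days between patch release and deployment, or until today if still unpatched."""
    end = asset.patched_on if asset.patched_on is not None else today
    return max(0, (end - asset.patch_release).days)


def review(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for hosts outside the patching or legacy policy."""
    findings: List[Tuple[str, str]] = []
    for asset in assets:
        if asset.legacy:
            # Legacy hosts are not expected to be patched; they are expected to be controlled
            missing = REQUIRED_LEGACY_CONTROLS - asset.controls
            if missing:
                findings.append((asset.name, "legacy host missing controls: " + ", ".join(sorted(missing))))
        elif asset.patched_on is None:
            days = exposure_days(asset, today)
            if days > PATCH_SLA_DAYS:
                findings.append((asset.name, f"unpatched for {days} days, SLA is {PATCH_SLA_DAYS}"))
    return findings


# Constructed sample register (dates are arbitrary sample values)
SAMPLE_ASSETS: List[Asset] = [
    Asset("web01", False, date(2008, 4, 8), patched_on=date(2008, 4, 12)),
    Asset("db02", False, date(2008, 4, 8)),
    Asset("erp-legacy", True, date(2008, 4, 8), controls={"segmentation"}),
    Asset("hr-legacy", True, date(2008, 4, 8),
          controls={"segmentation", "ids_monitoring", "log_review"}),
]


if __name__ == "__main__":
    for name, finding in review(SAMPLE_ASSETS, date(2008, 4, 28)):
        print(f"{name}: {finding}")
```

Keeping the legacy flag and the control set on the same record as the patch dates is the point: an unpatchable host then never silently falls out of the patch report, it shows up instead as a host that owes its compensating controls.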
© 2013 The Ethical Hacker Network