Patch Window

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Apr 22, 2008 3:11 am

Patch Window

Everyone's favourite topic....

Several recent reports (ISC and El Reg) are indicating what many of us have come to suspect: the window between patch release and exploit is getting smaller, and this in the days of change control, patch management and multiple regulatory bodies stating that all patches (or any change to a production system) must be tested.

Does anyone from the front lines have any tips, systems or anecdotes for dealing with this increasing issue?
vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Tue Apr 22, 2008 6:40 am

Re: Patch Window

After the August worm in 2005, we learned a few lessons. The most important being having better administration for our networking gear. We have come to a point now that we can disable a switch port or a group of ports or a segment with a click of a mouse, or a single command. This gives us the ability to isolate the machine or a segment which is infected. Also we use policies on our switches through which we can disable any protocol port on a switch port or a LAN. We are also working on a NAC solution which would allow us to isolate any outside laptop connecting to our network if it does not meet the baseline patched status.

Of course, all this is complemented with firewalls, IDSs and a dedicated security team.

That was all technical, but it could not have been possible without strong policies and procedures and commitment from the senior management. Also, we have great co-ordination between the IRT, Security team and the Net OPs and well defined guidelines so that in an event there is no time wasted going through the red tape.

Hope this helps
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Mon Apr 28, 2008 11:28 am

Re: Patch Window

RR,

I see an increased effort in establishing countermeasures to accommodate this trend in smaller patch window availability/exploit release.

This includes: more frequent virus definition updates, IDS signature updates, and increasing staff to monitor for outbreaks.

As vijay mentioned, network separation capabilities are better but this doesn't help if you have a bureaucracy to slow down the process of isolating an infected system.
CISSP, Security+, CEH, OPP, et alii
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Apr 28, 2008 11:58 am

Re: Patch Window

Thanks for the replies guys.

I always find it is good to take a step back from my current situation and see how others are handling the same issue. Especially good to see that others have had success with changes that I would like to implement, which means I must be doing something right for a change ;)

In a semi-related issue, I've seen a few reports on research carried out stateside that are trying to get Microsoft (and others I'm presuming) to change the way that patches are released. An attempt to stop the bad guys from reverse engineering the updates to create more exploits.

To me this seems short-sighted and naive, as the 'fix' code needs to reach end users' computers in one method or another and I can see nothing stopping the bad guys from (heaven forbid) purchasing a legit copy of <insert here> OS. From my understanding I can only see this scenario increasing the time/resources required to implement any new patch.

Is this really what is being proposed, or did I miss something somewhere?
oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Apr 28, 2008 1:45 pm

Re: Patch Window

It's kind of a catch-22. Users want MS to have this scheduled Patch Tuesday so they can have time to prepare, but at the same time vulnerability researchers and exploit writers are gearing up to reverse the patches and write exploits on that day as well. There is no way around it that I can see.

On a side note, I've only seen time to patching get reduced in the last few years; however, one hidden skeleton always rears its ugly head. Legacy code/apps that can't be patched without breaking. UGH!!!!  >:( And it's not just an MS thing either, other apps/vendors as well. Nobody ever seems to want to address this issue, as it's extremely costly to make the changes. They just keep accepting the risk and kicking the skeleton back into the closet. My advice in this situation is to track legacy systems just like you do PCI/SOX systems. They require extra monitoring and safeguards as well.
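The thread keeps coming back to two measurable things: how long a host stays exposed between a public exploit and its patch, and which hosts (legacy, PCI/SOX) need tighter tracking and compensating controls when that window blows out. The script below is an added example written for this page, not code from any poster; it takes a constructed inventory of hosts with patch-release, exploit-public and patched-on dates, computes each host's exposure window and patch-to-exploit window, and flags SLA breaches. The SLA figures, the host classes and every date in the inventory are assumptions made for the illustration.

```python
"""Patch-window exposure tracker (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Host:
    name: str
    patch_released: date
    patched_on: Optional[date]        # None = still unpatched
    exploit_public: Optional[date]    # None = no public exploit known
    legacy: bool = False              # cannot be patched without breaking things
    regulated: bool = False           # in PCI / SOX scope

# Patching SLA in days from patch release, per host class (assumed values).
# Legacy hosts get the same tight SLA as regulated ones, per the advice above.
SLA_DAYS = {"standard": 30, "regulated": 7, "legacy": 7}

def host_class(h: Host) -> str:
    if h.legacy:
        return "legacy"
    if h.regulated:
        return "regulated"
    return "standard"

def patch_to_exploit_days(h: Host) -> Optional[int]:
    """Days between patch release and a public exploit (the shrinking window)."""
    if h.exploit_public is None:
        return None
    return (h.exploit_public - h.patch_released).days

def exposure_days(h: Host, today: date) -> int:
    """Days on which a public exploit existed while the host was unpatched."""
    if h.exploit_public is None:
        return 0
    end = h.patched_on or today
    if end <= h.exploit_public:
        return 0
    return (end - h.exploit_public).days

def sla_breached(h: Host, today: date) -> bool:
    end = h.patched_on or today
    return (end - h.patch_released).days > SLA_DAYS[host_class(h)]

def report(hosts, today: date) -> dict:
    """One row per host, keyed by name, with the numbers a tracker needs."""
    rows = {}
    for h in hosts:
        rows[h.name] = {
            "class": host_class(h),
            "patch_to_exploit_days": patch_to_exploit_days(h),
            "exposure_days": exposure_days(h, today),
            "sla_breached": sla_breached(h, today),
            # An unpatchable legacy host with a live exploit needs isolation /
            # extra monitoring rather than a patch ticket.
            "needs_compensating_controls": h.legacy and h.patched_on is None
                                           and h.exploit_public is not None,
        }
    return rows

# Constructed inventory: a Patch Tuesday release on 2008-04-08, exploit two days later.
TODAY = date(2008, 4, 28)
INVENTORY = [
    Host("web01",      date(2008, 4, 8), date(2008, 4, 15), date(2008, 4, 10)),
    Host("pci-db01",   date(2008, 4, 8), date(2008, 4, 18), date(2008, 4, 10), regulated=True),
    Host("legacy-app", date(2008, 4, 8), None,              date(2008, 4, 10), legacy=True),
    Host("ws-042",     date(2008, 4, 8), date(2008, 4, 9),  None),
]

if __name__ == "__main__":
    for name, row in report(INVENTORY, TODAY).items():
        print(f"{name:12} {row}")
```

With this data the regulated host breaches its 7-day SLA even though it was patched within ten days, and the legacy host shows 18 days of live exposure with no patch in sight, which is exactly the case that should land on a compensating-controls list rather than in the normal patch queue.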
