Chapter 18
In This Chapter
Determining which vulnerabilities to address first
Patching your systems
Looking at security in a new light
After you complete your tests, you want to head down the road to greater security. However, you found some security vulnerabilities — things that need to be addressed. (I hope not too many serious ones, though!) Plugging these security holes before someone exploits them is going to require a little elbow grease. You need to come up with your game plan and decide which security vulnerabilities to address first. A few patches might be in order and possibly even some system hardening. You may need to purchase some new security technologies and might want to reevaluate your network design and security infrastructure as well. I touch on some of the critical areas in this chapter.
It might seem that the security vulnerability to address first would be obvious, but it’s often not very clear. When reviewing the vulnerabilities that you find, consider the following variables:
In Chapter 17, I cover the basic issues of determining how important and how urgent the security problem is. In fact, I provide real-world examples in Table 17-1. You should also look at security from a time management perspective and address the issues that are both important (high impact) and urgent (high likelihood). You probably don’t want to try to fix the vulnerabilities that are just high impact or just high likelihood. You might have some high impact vulnerabilities that, likely, will never be exploited. Likewise, you probably have some vulnerabilities with a high likelihood of being exploited that, if they are exploited, won’t really make a big difference in your business or your job. This type of human analysis and perspective will help you stand out from the scan-and-run type assessments that many people perform (often in the name of some compliance regulation) and keep you employed for some time to come!
Focus on tasks with the highest payoff first — those that are both high impact and high likelihood. This will likely be the minority of your vulnerabilities. After you plug the most critical security holes, you can go after the less important and less urgent tasks when time and money permit. For example, after you plug such critical holes as SQL injection in web applications and missing patches on important servers, you might want to reconfigure your backups with passwords, if not strong encryption, to keep prying eyes away in case your backups fall into the wrong hands.
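As an added example (not from the book), here is one way to put the impact-and-likelihood triage described above into code; the 1-to-3 ratings and the sample findings are constructed for illustration and echo the chapter's own examples:

```python
"""Triage findings by impact and likelihood, as the chapter recommends.
Added example, not from the book; ratings and findings are constructed."""
from dataclasses import dataclass

HIGH = 3  # a rating of 3 on an axis counts as "high" for that axis

@dataclass(frozen=True)
class Finding:
    name: str
    asset: str
    impact: int      # 1 = low, 2 = medium, 3 = high business consequence
    likelihood: int  # 1 = low, 2 = medium, 3 = high chance of exploitation

def quadrant(f: Finding) -> str:
    """Map a finding to one of the four impact/likelihood quadrants."""
    if f.impact >= HIGH and f.likelihood >= HIGH:
        return "fix now"        # important and urgent: highest payoff
    if f.impact >= HIGH:
        return "schedule"       # severe but unlikely: plan it when time permits
    if f.likelihood >= HIGH:
        return "mitigate"       # likely but low consequence: cheap controls
    return "accept/monitor"     # neither: revisit at the next assessment

ORDER = {"fix now": 0, "schedule": 1, "mitigate": 2, "accept/monitor": 3}

def prioritize(findings):
    """Order findings by quadrant, then by impact x likelihood, then name."""
    return sorted(findings, key=lambda f: (ORDER[quadrant(f)],
                                           -(f.impact * f.likelihood), f.name))

# Constructed sample findings echoing the chapter's own examples.
SAMPLE = [
    Finding("Backups stored without a password or encryption", "backup server", 2, 2),
    Finding("SQL injection in customer portal", "web application", 3, 3),
    Finding("Missing security patches", "domain controller", 3, 3),
    Finding("Default SNMP community string", "network printer", 1, 3),
    Finding("Physical intrusion into a guarded data center", "server room", 3, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{quadrant(f):15} {f.name} ({f.asset})")
```

The "fix now" quadrant comes out first (the SQL injection and the missing patches), and the unencrypted backups land in the queue for when time and money permit, matching the order the chapter suggests.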
Do you ever feel like all you do is patch your systems to fix security vulnerabilities? If your answer is yes to this question, good for you — at least you’re doing it! If you constantly feel pressure to patch your systems the right way but can’t seem to find time — at least it’s on your radar. Many IT professionals and their managers don’t even think about proactively patching their systems until after a breach occurs. Just look at the research in the Verizon Data Breach Investigations Report (among others). Patch management is a huge security failure across organizations in all industries. If you’re reading this book, you’re obviously concerned about security and are hopefully way past that.
Patching is avoidable but inevitable. The only real solution to eliminating the need for patches is developing secure software in the first place, but that’s not going to happen any time soon, if ever. Software is just too complex for it to be perfect. A large portion of security incidents can be prevented with some good patching practices, so there’s simply no reason not to have a solid patch management process in place.
If you can’t keep up with the deluge of security patches for all your systems, don’t despair; you can still get a handle on the problem. Here are my basic tenets for applying patches to keep your systems secure:
The following sections describe the various patch deployment tools you can use to lower the burden of constantly having to keep up with patches.
I recommend a robust patch-automation application, especially if these factors are involved:
Be sure to check out these patch-automation solutions:
www.ecora.com/ecora/products/patchmanager.asp
www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard
www-03.ibm.com/security/bigfix
www.shavlik.com/products/patch
Use one of these free tools to help with automated patching:
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
www.microsoft.com/technet/security/tools/mbsahome.mspx
In addition to patching your systems, you have to make sure your systems are hardened (locked down) from the security vulnerabilities that patches can’t fix. I’ve found that many people stop with patching, thinking their systems are secure, but that’s just not the case. Throughout the years, I’ve seen network administrators ignore recommended hardening practices from such organizations as the National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/PubsSPs.html) and the Center for Internet Security (www.cisecurity.org), leaving many security holes wide open. However, I’m a true believer that hardening systems from malicious attack is not foolproof, either. Because every system and every organization’s needs are different, there is no one-size-fits-all solution, so you have to strike a balance and not rely on any single option too much.
This book presents hardening countermeasures that you can implement for your network, computers, and even physical systems and people. I find these countermeasures work the best for the respective systems.
Implementing at least the basic security practices is critical. Whether installing a firewall on the network or requiring users to have strong passwords via a Windows domain GPO — you must address the basics if you want any modicum of security. Beyond patching, if you follow the countermeasures I document, add the other well-known security practices for network systems (routers, servers, workstations, and so on) that are freely available on the Internet, and perform ongoing security tests, you can rest assured that you’re doing your best to keep your organization’s information secure.
A review of your overall security infrastructure can add oomph to your systems:
Map your network by using the information you gather from the security tests in this book. Updating existing documentation is a major necessity. Outline IP addresses, running services, and whatever else you discover. Draw your network diagram — network design and overall security issues are a whole lot easier to assess when you can work with them visually. Although I prefer to use a technical drawing program, such as Visio or Cheops-ng (http://cheops-ng.sourceforge.net), to create network diagrams, such a tool isn’t necessary. You can draw out your map on a whiteboard like many people do and that’s just fine.
Be sure to update your diagrams when your network changes or at least once every year or so.
Looking at your security from a high-level and nontechnical perspective gives you a new outlook on security holes. It takes some time and effort at first, but after you establish a baseline of security, it’s much easier to manage new threats and vulnerabilities.