Roger Halbheer on Security » Patch Management

Implementing the Top 4 Defense Strategies

Roger Halbheer — Tue, 13 Dec 2011 13:45:57 +0000

The Australian Defense Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:

Patch Applications
Patch the Operating System
Minimize the use of local admin
Application whitelisting
…

Looking at these 35 strategies, the DSD claims that

While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.

This is pretty much in line with the anecdotal reference I could make where we see successful attacks either coming in through unpatched systems (point 1 and 2), flaws in applications developed in-house (kind of point 2) and social engineering (point 3 and 4). However, these things are not that new, aren’t they? We are talking about patch management since a long time – and patch management not only for the Microsoft environment but the all the applications, being it Microsoft, Adobe, in-house Apps as well as Open Source operating systems.

The DSD even went a step further and developed a really good paper called Implementing DSD’s Top Four for Windows Environments. Something definitely worth reading!

Roger

Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response

Roger Halbheer — Wed, 19 Oct 2011 13:01:45 +0000

A few years ago I posted on DaRT after having seen it: Microsoft Diagnostics and Recovery Toolset. It is a really good an interesting tool for a lot of problems, one of them being incident response. I just stumbled across one article describing this: Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response.

An overview over DaRT can be found here. To prelude rants and questions: DaRT is part of the Microsoft Desktop Optimization package and cannot be downloaded from our website

Roger

Microsoft Security Update Guide, Second Edition

Roger Halbheer — Mon, 28 Mar 2011 15:32:40 +0000

A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:

Get to know the security update release process
Learn how to evaluate risk
See how to mitigate security risks
Understand how quickly you need to apply updates
Assess your update
Get ongoing security

If you are somehow linked to the security update process in your organization, you should download it and look at it here: Microsoft Security Update Guide, Second Edition

Roger

Attacks on Application Level

Roger Halbheer — Tue, 18 Jan 2011 10:03:23 +0000

That the attacks move up the stack is really nothing new. However, it increases the challenge to secure your environment as you have to take Patch Management all the way. I blogged on that several times already e.g.:

It is obvious as well that applications that are wide-spread are likely targets for the attackers. Adobe is one of these targets and it is getting worse: PDFs are now No. 1 vehicle for web-based attacks – therefore, make sure that you patch all your applications. We are already working closely with Adobe: Microsoft and Adobe: Collaboration Against Threats

Roger

Behind the Curtain of Second Tuesdays: Challenges in Software Security Response

Roger Halbheer — Thu, 02 Dec 2010 12:53:24 +0000

You might know about Bluehat, which is an internal security conference we run several times an year. Some of the presentations we record and make them publically available. There is a really good one on the Microsoft Security Response Center. Dustin (the presenter) blogged on it Behind the Curtain of Second Tuesdays: Challenges in Software Security Response and here is the recording:

Valuable listening (25 minutes)

Roger

Move to latest versions – for security reasons

Roger Halbheer — Tue, 02 Nov 2010 17:07:06 +0000

We all know that Windows XP is rock-solid but not capable anymore to defend against today’s attacks and the same is true for IE6. Having been great products, when they were launched, the threat landscape changed significantly since then.

Windows 7 has a great potential to help customers now move away from Windows XP and so has IE8 (or IE9) for IE6.

I just read this article: Home Office does u-turn on Internet Explorer 6. This outstanding news and I am looking forward seeing more governments following the UK’s path

Roger

Stuxnet: Future of warfare? Or just lax security?

Roger Halbheer — Mon, 27 Sep 2010 16:29:36 +0000

What is your view?: Stuxnet: Future of warfare? Or just lax security?

Roger

The Risks of Unofficial Patches

Roger Halbheer — Fri, 17 Sep 2010 08:07:04 +0000

This is quite a normal scenario: A zero-day pops up on the Internet by a security researcher. Immediately afterwards we see the first exploits appearing and being integrated into the different attack tools. Now, the race started: The vendor has to develop a security update, the criminals try to exploit the vulnerability.

Part of the holy grail – so it seems – are these researchers being able to deliver a security update much faster than the vendor and the vendor then is immediately publically told that they fail. This is just happening now with Adobe: Unofficial fix brings temporary relief for critical Adobe vuln

Let me add a few thoughts on this:

For a vendor, developing the update is not the part, which takes time – testing is. We have more than 600 million downloads when we publish an update. If we “just” break 10% of the systems the update is installed, it would be a huge denial of service. So testing is the name of the game. How well is an unofficial patch tested?
Often the vendor publishes workarounds (at least we do). This should be part of your risk mitigation strategy. Would the workaround be acceptable to buy you time?
How far do you trust the author of the unofficial update? How big is the risk that the update comes with pre-installed malware? The question immediately comes up: Why should we trust a vendor? Well, you bought or downloaded the software at the first hand – so, you decided to trust the vendor at the beginning.
What do you do, once the vendor releases an update? Can you de-install the unofficial update?

Basically, it is a risk management decision, which should include at least the questions I raised above. Do not just run for the unofficial update – to me it should be really the last resort, if even!

Roger

Support for Windows XP SP2 ends today!

Roger Halbheer — Tue, 13 Jul 2010 08:49:25 +0000

I just wanted to remind you: The support for Windows XP SP2 ends today. I hope that this does not catch you by surprise. If you need all the information about which kind of support ends when for which product, please consult out Lifecycle page. If you have a Premier Support contract with us, your Technical Account Manager should inform you as well.

But what does that really mean? You can find this information on the Windows website: What does it mean if my version of Windows is no longer supported?

Roger