Neglecting the security aspect of patch management is just asking for trouble
DESCRIPTION
In this webinar, we will look at how to integrate patch management into the vulnerability management lifecycle, to support organizations in developing processes that allow targeted remediation and mitigation of threats.

In a previous presentation (see attachments), we examined how a well-known vulnerability in an application led to a security breach in the U.S. Department of Energy, with significant financial impacts. Many factors contributed to the extensive damage caused by the attack. But the bottom line spelled it out: if a patch management process properly integrated with a vulnerability management lifecycle approach had been in place in the Department of Energy, mitigation actions could have been implemented and, ultimately, the breach would not have occurred.

It is precisely because we continue to disregard the fact that patch management is an important security control that we continue to see attacks exploiting well-known vulnerabilities. There are many reasons why patch management is neglected as a security tool:

• Manually applying all patches to all applications on all machines and servers is not feasible.
• Patch management is often perceived as the mechanics of packaging and deploying software updates.
• The abundance of devices and the interconnectivity between organizations, partners and customers has increased the attack surface significantly. And not all devices can be managed centrally.
• Most of the solutions for patch management that are available in the market only focus on delivering patch content and deployment capabilities.

Sign up for this webinar on why and how to integrate patch management into the vulnerability management lifecycle.

Key takeaways:
- The reasons for improving your patch management process
- Key considerations of a security approach to patch management
- How to integrate patch management within the vulnerability management lifecycle
- Examples of how to justify the investment in patch management technology

TRANSCRIPT
How neglecting the security aspect of patch management is just asking for trouble!
Waqas Mahmood
Solution Specialist, Security Engineer, [email protected]
How neglecting the security aspect of patch management is just asking for trouble! 23-06-2014 2
Agenda
Revisiting DOE breach and its impact
Financial & non-financial impacts of a security breach
The Challenge
Patch management with a vulnerability management approach
Complete Patch Management
VI+VS+PC+PD = Complete PM
Security policy and baseline
Risk Assessment and Prioritization
Remediation or mitigation
How to Improve
QA
Reasons not to neglect patch management
Causes and consequences
The U.S. Department of Energy data breach, July 2013
“Our review identified a number of technical and management issues that contributed to an environment in which this breach was possible.”
- DoE
Source: “Special Report – Department of Energy’s July 2013 Cyber Security Breach”, DOE/IG0900, December 2013
http://energy.gov/ig/downloads/special-report-ig-0900
History
May 2011 – First incident with no loss of Personally Identifiable Information (PII)
January 2012 – Second incident with no loss of PII
July 2013 – Third incident leading to the breach of 104,000 PII records
Vector: software vulnerability!
“The Department had not taken appropriate action to remediate known vulnerabilities on its systems either through patching, system enhancements or upgrades.”
Data exposed
104,000 records with personally identifiable information (PII) of past and present employees, family members and contractors were exposed, including:
• Names
• Birth dates and places of birth
• Social Security numbers
• Education
• Bank account numbers
• Information about disabilities
• Security questions and answers
Financial and non-financial impact
$1.6 million for credit monitoring and labor costs
$2.1 million in lost productivity related to employees being released to take corrective actions associated with the data exposed by the breach
Non-calculated costs associated with recovery and lost productivity – funds that could have been used to support the Department’s core mission
Damage to the Department’s reputation
Loss of employee confidence
We cannot ignore the costs associated with security incidents
Average financial losses associated with security incidents are up by 18% in 2013 compared to 2012
Number of cases with losses above $10 million up by 51% since 2011
The average cost to remediate a security incident is $531 (per incident).
Organizations considered to be leaders in security strategy report an average cost of $421 (per incident)
“The cost of remediation is rising because more records across more jurisdictions are being impacted, and security controls have not kept pace with the ever-changing threat landscape.” – PWC
Source: “Defending Yesterday – The Global State of Information Security Survey 2014”, PWC, CIO magazine, CSO magazine, 2013
http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
Question 1
Did your organization suffer a security breach in the past 12 months?
Yes
No
I don’t know
Improving the foundation of your security
Implementing basic controls
Good security starts with the basics
The importance of having a secure foundation
“97% of breaches could have been avoided through simple or intermediate controls.”
Verizon, 2012 Data Breach Investigations Report, (March 2012),
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Waqas Mahmood
Solution Specialist, Security Engineer