Locking down server and workstation operating systems
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
About me….


• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know




BT Americas Inc.               2
Traditional thoughts about hardening & patching


• Remove unnecessary protocols and services
• Design the program around Patch Tuesday
         – in the hope of avoiding Exploit Wednesday

• Is this approach working?




BT Professional Services      3
Patching today


• Attackers continue to scan enterprises and look for easy openings
         – deploy critical security patches - especially to laptops and Internet-exposed servers
• Some organizations are finding it more difficult to justify the broad QA testing and disruptive deployment efforts needed for rapid application and database patching
• Resources (people and budget) are limited, so spending and effort must be focused in a way that's most efficient and effective for current threats
• Patching faster isn't always the best approach

Why harden and patch?




Gartner on the issue


• Rapid patching isn't an effective response to many threats, and isn't operationally practical for some IT infrastructure elements
• Better shielding and monitoring are more effective in these cases
         – Source: Reducing the risk of new threats requires more than fast patching, Mark Nicolett & John Pescatore




Why rapid patching is not a panacea


• A variety of paths are being used by targeted attacks
         – patching doesn't address all of them
• Targeted attacks don't only seek out unpatched OSes
         – they also focus on weaknesses in users and applications to attack databases and other internal systems
• Rapid patching isn't possible or practical for some PC, network, server and application components
• Additional protection and monitoring strategies are needed to reduce risk



A better approach


• Threat assessment and penetration testing processes
         – to determine which vulnerabilities must be remediated immediately, which can be temporarily shielded and which can be addressed later
• Implement network segmentation and shielding
         – for critical servers, databases and applications that can't be patched quickly
• Implement user and resource access monitoring technologies and processes
         – for systems and applications containing data that might be subject to a targeted attack


The best approach to app dev security


• Strong application security
• Every CIO agrees about the importance of app security
• Forrester notes:
         – the need to protect applications and proactively eliminate application-level vulnerabilities is a growing concern for security professionals, but too few firms have taken action.
• Disconnect between the perceived importance of application security & willingness to tackle the problem




Tackling the app dev security problem


• Reactive
         – source code and/or black box scanning
         – Cigital, Cenzic, Fortify, Veracode, WhiteHat, Ounce Labs


• Proactive
         – build a proactive application security strategy into the dev life cycle
         – end-to-end application security program
         – can be modeled after the Trustworthy Computing initiative
         – ensure all technologies are considered, especially Web 2.0




Two approaches to app dev security


1. Wait until someone exploits vulnerabilities in your system and then run to patch and fix it
2. Proactively build security early on in the dev process
         – mitigating vulnerabilities before attackers find them


• A proactive app sec program extends to every relevant phase of the application life cycle
         – conception => operation

• Success = commitment and support from senior management

When you can’t patch…..


• In-house web applications
         – detect and resolve vulnerabilities before deploying the web application
         – implement a web application firewall to shield vulnerabilities that can't be resolved


• 3rd-party applications and databases
         – use host-based IPS on difficult-to-patch servers
         – segment unpatchable systems behind network IPS
         – implement database and application monitoring or IDS to find breaches



When you can’t patch…..


• Windows laptops
         – deploy an aggressive policy on endpoint protection platforms, including firewalls and HIPS
         – require laptop data encryption for any laptop used by an employee who has access to sensitive data, regardless of patch management capabilities
         – enable network access control (NAC) to protect corporate IT resources from compromised mobile devices


• Networking equipment
         – shield network equipment behind network IPS and firewalls
         – use change monitoring or IDS to detect breaches

When you can’t patch…..


• Windows/Unix/Linux servers and PoS
         – deploy HIPS on difficult-to-patch servers
         – segment unpatchable systems behind network IPSs
         – use database application monitoring or IDS to detect breaches




Tools / standards / guides


• Microsoft security guides
         – http://technet.microsoft.com/en-us/library/cc184906.aspx
• DISA Security Technical Implementation Guides
         – http://iase.disa.mil/stigs/stig/index.html
• NIST Guide to General Server Security (SP 800-123)
         – http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
• CIS Benchmark Assessment Tools
         – http://www.cisecurity.org/en-us/?route=downloads.audittools




Recommendations


• Whenever possible, vulnerable software should be patched ASAP
• When business realities dictate that this isn't possible
         – all devices should at least be configured as securely as possible to minimize attack apertures
• Follow general security principles of enabling only the required functions
         – deny by default, allow by exception, etc.
• If the specific functions of a device are not in use
         – ensure that these options are disabled
• Ensure a formal app sec program is in place
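One way to turn "deny by default, allow by exception" into a repeatable check, as an added example that is not from the slides: a POSIX shell audit that compares a host's listening services with a documented allowlist and reports everything not explicitly permitted. The listener table, process names and allowlist below are constructed for illustration; on a real host the table would be derived from a tool such as ss or netstat.

```shell
#!/bin/sh
# Added example, not from the slides: audit a host's listening services against a
# documented allowlist ("deny by default, allow by exception").
# Assumed input: one listener per line as "proto local_address process", the shape a
# practitioner could derive from ss/netstat output. Everything below is constructed.

# Assumed policy: the only listeners this server is documented to need.
ALLOWED_LISTENERS="tcp:22 tcp:443"

# Constructed listener table standing in for a real host's output.
SAMPLE_LISTENERS='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 nginx
tcp 0.0.0.0:80 nginx
udp 0.0.0.0:161 snmpd
tcp 127.0.0.1:3306 mysqld'

# is_allowed PROTO PORT ALLOWLIST: succeed only if "proto:port" is an explicit exception.
is_allowed() {
    for _entry in $3; do
        [ "$_entry" = "$1:$2" ] && return 0
    done
    return 1
}

# audit_listeners LISTENERS ALLOWLIST
# Prints "proto port process scope" for every listener not on the allowlist; scope
# distinguishes loopback-only services (lower exposure) from network-exposed ones.
# Returns 0 when the host matches its documented profile, 1 when exceptions exist.
audit_listeners() {
    _exceptions=0
    while read -r proto addr proc; do
        [ -z "$proto" ] && continue
        port="${addr##*:}"                 # strip the address, keep the port
        if ! is_allowed "$proto" "$port" "$2"; then
            scope=exposed
            case "$addr" in
                127.*|"[::1]"*) scope=loopback ;;
            esac
            printf '%s %s %s %s\n' "$proto" "$port" "$proc" "$scope"
            _exceptions=$((_exceptions + 1))
        fi
    done <<EOF
$1
EOF
    [ "$_exceptions" -eq 0 ]
}

# Stand-alone run: list the exceptions and flag a host that deviates from its profile.
audit_listeners "$SAMPLE_LISTENERS" "$ALLOWED_LISTENERS" || echo "host deviates from its documented listener profile"
```

Every reported line is either a service to disable (the slides' "ensure that these options are disabled") or a documented exception to add to the allowlist; a clean run is the evidence that the device exposes only its required functions.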

Contact info…


• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services

• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke


