What are the common issues with patch management? Why do patches fail?
Common patch management problems include a lack of management reports, unexpected failures, a lack of mobile control, manual patching, compliance requirements, and the need for a patch provider.
In order to avoid patch failures, organizations should have a strong security approach where they test patches before deploying to the network, prioritize them, and implement them well.
One of the possible reasons for a failed patch could be a compatibility issue with the existing software or applications in use. Also, weaknesses within the patch itself could be another reason for a failed patch.
Another possibility is that, after installing the patch, the system administrator fails to reboot the systems so that the patch takes effect on the applications or software.
What are some of the risks that patches raise for firms?
Patches can affect the performance of hosts, causing them “to freeze or do other damage” (Boyle and Panko, Section 7.3.4). It’s important to test patches prior to rolling them out to production. In addition, administrators should consider the tradeoffs between security and reduced functionality before applying the patch. In some cases, patches can make the system harder to use by addressing the vulnerability.
Why is it important that system administrators define the scope, timing, and receive approval prior to conducting a vulnerability scan?
Scope and Timing: Scope is significant to define prior to vulnerability scanning because the goal is to be quick and conduct a high-level assessment of vulnerabilities. The organization should decide what objects to scan to make sure it does not overlook essential networks and lose time or focus.
Approval: Organizations and IT teams often need support from executives for investments and tools used to protect hosts. To establish a top-down approach, it is crucial that the IT team request executive approval. Once vulnerability scanning is performed, and changes are identified as necessary to help the organization, executives will understand and support it better.
Will virtual hosts be more secure?
Virtual hosts at the moment support communication through encrypted virtual private networks (VPNs), and communications between virtual machines on a secure VPN tunnel are likely to be exposed to popular attacks. I feel the virtual host environment is still much more secure for now, but things can change pretty fast with technology and complex algorithmic attacks evolving quickly.
Any thoughts and opinion about what it would be like to patch a virtual infrastructure from common attacks?
Does the use of Linux/Unix make a system inherently more secure than a system with Windows? Why or why not?
Because Linux and Unix are more secure than other operating systems. Linux is rarely infected by malware such as viruses, and it is a very secure OS. Linux has clearly defined privilege at multiple levels, thereby restricting access with its root-level access. In Linux, you can give lower-level accounts with limited access to the user. Malware will not get root access to damage systems.
Great points, Mohammed! Though Linux implementations can often be more secure than Windows, the Windows interface and user tools are more user-friendly and familiar. This is one of the reasons that Windows is used in employee workstations more frequently.
It depends on how often you update from the repo, as well as the consideration that most viruses are developed for Windows-based systems since there are more Windows users than Linux users. After scanning several UNIX-based systems for vulnerabilities, I have found they are often unpatched and disregarded when disconnected from a repo. Because of this, they become littered with arbitrary code execution vulnerabilities, etc.
However, from a design level I would say it depends. UNIX is more secure due to its design philosophy if given to the right hands, especially because UNIX/Linux is extremely compartmentalized and allows you to troubleshoot anything that is failing within the system. It’s also open-source and allows users/developers to interact more within the community. I think if it’s put in the right hands, Unix would have the edge over Windows. However, Windows has been pushing security updates and convenience, where it really comes down to the end user to determine if security is compromised.
I would say that Linux/Unix are inherently more secure than Windows due to their target audience. Windows is designed to be very user friendly, hence being the most popular operating system in the world. Linux/Unix, on the other hand, are much more complicated operating systems. The smaller number of users would play a large factor, as well.
Why is it important that security be carefully considered from the initial planning stage of a new server?
If you are deploying a new server in your organization, you should follow information security rules, policies, and procedures, because security should be carefully considered from the initial stage. Identify what your security needs are and how they impact the foundation of the security policies. Figure out what you can do to protect your organization, and ensure the security of the server is up to date and supports your organization’s network.
Retroactively adding security measures is often significantly more expensive and less secure than considering security from the planning stages. Additionally, if security is considered from the initial planning stage and throughout all other stages, the team is less likely to miss smaller details that may affect security.
How do you go about testing the strength of passwords?
The strength of a password is determined by three things: the length of the character set used, the length of the password itself, and to a lesser extent, the variety in characters chosen. There are various free tools available online to check the strength of your password.
Hi Elizabeth,
I think that an auditor should look at the password policy to determine whether the policy achieves the minimum requirements of NIST 800-53 about password complexity. After that, the auditor will determine whether there is a constraint to set up a password that matches the policy. Then, the auditor performs a sample test. However, the auditor should consider other factors such as how many times a wrong password is allowed to be input and multi-factor authentication to protect data.
You can test the strength of passwords by using what is known as a dictionary attack. This is the process of checking the password against a list of commonly used passwords. Often, if the password is simple enough, it will be in one of these lists. You can also test the strength by trying to brute force the password. If the password is short in length and does not contain a variety of characters, then it will not take modern computers very long to crack.
A good tool for testing the strength of your password is the website passwordmonster.com. When inputting the name of my dog, Jack, the password will take .01 seconds to crack, according to the website. It is widely recommended to use a much more complex password that doesn’t utilize common dictionary words and uses an assortment of uppercase & lowercase letters, symbols, & numbers. Using the completely random password Fd6@4kOpL)4bZ[1 increases the cracking time to 188 billion years, according to the site.
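The posts above describe password strength in terms of the alphabet size, the password length and, to a lesser extent, character variety, and compare the dog's name with the random 15-character string. The script below is an added example, not code from the thread, the textbook or passwordmonster.com; it makes that reasoning concrete by deriving the alphabet size from the character classes present, the size of the brute-force search space, the equivalent entropy in bits, and a worst-case cracking time at an assumed guess rate. The class weights (26/26/10/33) and the 1e10 guesses-per-second rate are assumptions of this example, and the long all-lowercase sample is constructed.

```python
import math
import string

# Character classes and how much each adds to the candidate alphabet.
# The symbol count (33) is printable ASCII punctuation plus the space;
# these weights are an assumption of this example, not a standard.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), 33),
)


def classes_present(password: str) -> list:
    """Names of the character classes actually used (the 'variety' factor)."""
    return [name for name, chars, _ in CLASSES if any(c in chars for c in password)]


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains every character."""
    return sum(weight for name, chars, weight in CLASSES
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search over this alphabet and length must cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Equivalent entropy of a uniformly random string of this class and length.

    This credits a dictionary word as if it were random, which is exactly why
    a blocklist check is still needed on top of this estimate.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def worst_case_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the search space at an assumed offline guess rate."""
    return search_space(password) / guesses_per_second


def report(password: str) -> dict:
    """Summarise the three factors for one password."""
    return {
        "length": len(password),
        "classes": classes_present(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case_seconds": worst_case_seconds(password),
    }


if __name__ == "__main__":
    samples = ["Jack",                          # the dog's name from the thread
               "Fd6@4kOpL)4bZ[1",               # the random string from the thread
               "correcthorsebatterystaple"]     # constructed: long, lowercase only
    for pw in samples:
        print(pw, report(pw))
```

Running it shows the ordering the thread describes: four mixed-case letters give about 22.8 bits and fall in well under a second, the 15-character four-class string gives about 98.5 bits, and a long lowercase-only string beats it on search space alone, which is the sense in which length matters more than variety.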
What security protections do recent versions of this operating system offer?
Section 7.2 stated that the early versions, such as Windows Server NT, had poor security. The later versions of Windows Server, such as Windows Server 2016 and 2019, are much more secure. Windows 10 released Microsoft Edge, a web browser, a virtual desktop system, and a desktop management feature called Task View. It supports fingerprint and face recognition login and has security features for enterprise environments.
How can you test for vulnerabilities with Windows Server?
From my understanding of Windows, I think that an auditor should start by scanning Remote Desktop Protocol. Then the auditor looks at the firewall, firewall configuration, and DNS logs. Because Windows permissions are based on role/group, the auditor should review whether the permissions are set up correctly and review group changes.
How can the organization assess the risk for information systems that cannot implement vendor security patches?
Hi Mike,
Please check this article from ISACA
https://www.isaca.org/resources/isaca-journal/issues/2019/volume-3/practical-patch-management-and-mitigation
It will give you a better explanation than I can.
“The main problem with these types of agent solutions, apart from possible technical issues relating to performance and availability, is that many vendors do not allow an agent from a third party (e.g., a security vendor) to run on their system in parallel to their own applications. If an administrator installs an agent on a vendor system without vendor consent, then the vendor can easily blame any problem on the agent and effectively void any warranty or support clause. The enterprise can end up with a secure but unusable or unsupported system.”
The Pentasafe Security Technologies survey in chapter 7 of our book found that out of 15.000 employees in 600 organizations, fifty percent used the names of family members and thirty percent used the names of pop idols or sports heroes as their passwords. How would you convince the staff of your organization to use more random and secure passwords?
I would add this to the password policy, stating that names cannot be used in passwords. It sounds difficult, but I would also create a list of names that the system would not accept in passwords. Brady, Lebron and Drake, just to name a few, would be denied.
Can you name at least two different ways to harden a system?
Use strong passwords/strict password policies and set up backups.
Hi Joshua,
I agree with Corey that implementing backups and strong passwords is essential in hardening a system. However, I would not overlook the importance of using patch management tools to apply OS updates and patches automatically. In addition, application control event logs should be centrally stored, protected from unauthorized modification and deletion, and monitored for signs of compromise. Configuring assets in line with security best practices, tools, and techniques will reduce their exposure to security vulnerabilities.
Joshua,
Here are two ways by which you can harden a system:
1. Operating System Hardening
Operating system (OS) hardening involves adding security features to your OS to make it more secure. While operating systems are secure by nature, hardening them makes them even more secure. OS hardening involves patching and applying advanced security measures to protect a server’s OS.
2. Network Hardening
Network devices that include SANs, routers, load balancers, and gateways, to name a few, are highly prone to cyberattacks, as they are most exposed to attack vectors. Network hardening refers to the usage of network protection techniques to protect the network from unauthorized users.
How different is permission management between Microsoft and Unix/Linux?
Windows has the ability to provide users/groups with full control, modify, read & execute, list folder contents, read, and write permissions, while Unix/Linux OSs can provide users with only read, write, and execute permissions. Additionally, there is no limit to how many users and groups can be assigned to a particular directory in Windows. However, in Unix/Linux, permissions can be applied to only three different entities: the owner, a single group, and everyone else.
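To make the contrast in the post above concrete, here is an added example (not code from the thread or the textbook) that models both sides: the Unix check reads an `ls`-style mode string into owner/group/other bit masks and resolves a caller to exactly one of those three classes, while the ACL model lets any number of principals carry their own allow or deny entries. The ACL evaluator is a deliberately simplified model of Windows behaviour (deny entries win over allows, rights are named sets), and the uid-0 bypass, the user/group identifiers and the sample ACL are all constructed assumptions of this example.

```python
from typing import FrozenSet, List, Set, Tuple

R, W, X = 4, 2, 1  # Unix permission bits


def parse_symbolic(mode: str) -> dict:
    """Parse a 9-character ls-style mode ("rwxr-x---") into per-class masks."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-x---")
    classes = {}
    for name, chunk in zip(("owner", "group", "other"),
                           (mode[0:3], mode[3:6], mode[6:9])):
        bits = 0
        if chunk[0] == "r":
            bits |= R
        if chunk[1] == "w":
            bits |= W
        if chunk[2] in "xst":   # s/t carry setuid/setgid/sticky on top of x
            bits |= X
        classes[name] = bits
    return classes


def unix_effective(mode: str, owner_uid: int, owner_gid: int,
                   uid: int, gids: Set[int]) -> int:
    """Rights a caller gets under Unix discretionary access control.

    Exactly one class applies: owner first, then group, then other. A user
    who owns the file gets the owner bits even when the group bits are more
    generous, which is the edge case that surprises people coming from ACLs.
    The uid-0 bypass is a simplification (assumed here, not a full CAP model).
    """
    perms = parse_symbolic(mode)
    if uid == 0:
        return R | W | X
    if uid == owner_uid:
        return perms["owner"]
    if owner_gid in gids:
        return perms["group"]
    return perms["other"]


# Simplified ACL model: (principal, "allow" | "deny", set of named rights).
AclEntry = Tuple[str, str, FrozenSet[str]]


def acl_effective(acl: List[AclEntry], principals: Set[str]) -> FrozenSet[str]:
    """Union of allowed rights for every matching principal, minus any denial.

    Any number of users and groups can appear in the list, and a deny entry
    for one group removes a right granted to the user directly.
    """
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        (denied if kind == "deny" else allowed).update(rights)
    return frozenset(allowed - denied)


# Constructed sample ACL: three principals on one directory.
SAMPLE_ACL: List[AclEntry] = [
    ("alice", "allow", frozenset({"read", "write", "list_folder_contents"})),
    ("devs", "allow", frozenset({"read", "execute", "list_folder_contents"})),
    ("contractors", "deny", frozenset({"write"})),
]

if __name__ == "__main__":
    print(parse_symbolic("rwxr-x---"))
    print(unix_effective("rwxr-x---", owner_uid=1000, owner_gid=100, uid=1001, gids={100}))
    print(sorted(acl_effective(SAMPLE_ACL, {"alice", "contractors"})))
```

The Unix path shows why the post says permissions reach only three entities: whichever class the caller falls into is the only one consulted. The ACL path shows the opposite design, where `alice` keeps read and list access but loses write because her `contractors` membership carries a deny entry.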
The chapter tells us what shoulder surfing and physical keyloggers are. Can anyone tell me what other types of password threats are out there?
Hi Corey,
Other than shoulder surfing and physical keyloggers, the other password threats noted in the chapter were keystroke capture and password-stealing programs. Boyle and Panko define keystroke capture as a program that “steals passwords as the user types them in and sends the keystrokes to the attacker.” The attacker has two options: to mine the keystroke data for account names and passwords, or to present the user with a fake login screen and have them log in again to obtain the information.
How often would you recommend an administrator review user/group access to critical administrator functions such as production access to deploy changes in production? Should these types of access be reviewed on a more frequent basis than user/group access to an application with minimal user capabilities?
Why do some organizations still not enforce strong password policies given how easy they are to enforce and how effective they have proven to be?
I think that in some cases, especially with smaller businesses/start-ups, security isn’t a main concern. Good security practices often aren’t seemingly needed for the business operations, so they are forgotten about or skipped over to use time/efforts elsewhere. Additionally, with smaller companies, there can be a sentiment of “That won’t happen to us. We aren’t a big enough target.” sometimes followed by ” That definitely won’t happen to us again. What are the chances?”
I agree with what Amelia said, that startup businesses are more focused on business development. And I think one of the reasons is the lack of staff training. Strong passwords are not just long passwords. For example, adding numbers to the password (password123456789), entering the password twice (passwordpassword), and using prefixes and suffixes (passworded & postpassword) can all be considered “strong passwords” by employees because these passwords are long and look very complex. However, such passwords are actually very easy to crack with hybrid dictionary attacks. Such password settings will increase the information security risk of the enterprise.
Yeah, I definitely agree with both of you. In the case of small businesses/start-ups, I guess security is one of the last concerns, basically because there’s just so much more to worry about. It would probably be nearly impossible to ever convince a local sandwich shop that they should care about security. As far as complex passwords, it’s becoming more and more apparent that the “complex” requirements really do not make the password much more difficult to crack.
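Two posts in this thread point at the same enforcement gap: the suggestion of a name blocklist (Brady, Lebron, Drake) in the earlier password-policy reply, and the hybrid patterns (digits appended, the word doubled, a prefix or suffix added) described just above. The validator below is an added example, not code from the thread or the textbook; it is the defender's mirror of a hybrid dictionary attack, normalising a candidate password the way such an attack would and rejecting it when what remains is a blocklisted word. The blocklists, the leet substitution table and the sample passwords are constructed for this example; a real deployment would load a breached-password list and an organisation-specific name list.

```python
import re
from typing import Optional

# Constructed blocklists for this example.
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "summer"}
NAMES = {"brady", "lebron", "drake", "jack"}
BLOCKLIST = COMMON_WORDS | NAMES

# Substitutions a hybrid attack undoes before matching (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalized_forms(password: str) -> list:
    """Letter-only views of the password: plain, then with leet undone."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    unleet = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return [plain] if plain == unleet else [plain, unleet]


def policy_violation(password: str, min_length: int = 12) -> Optional[str]:
    """Return the reason a password fails policy, or None if it is acceptable."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    for core in normalized_forms(password):
        # password123456789 -> "password": a blocklisted word padded with digits/symbols
        if core in BLOCKLIST:
            return f"blocklisted word '{core}' padded with digits or symbols"
        # passwordpassword -> the same blocklisted word twice
        half = len(core) // 2
        if core and len(core) % 2 == 0 and core[:half] == core[half:] \
                and core[:half] in BLOCKLIST:
            return f"blocklisted word '{core[:half]}' repeated"
        # passworded / postpassword -> a blocklisted word that makes up at
        # least half of the letters, with an affix bolted on
        for word in BLOCKLIST:
            if len(word) >= 4 and word in core and 2 * len(word) >= len(core):
                return f"blocklisted word '{word}' with a prefix or suffix"
    return None


def audit(passwords: list, min_length: int = 12) -> dict:
    """Map each candidate to its violation (None means it passed)."""
    return {pw: policy_violation(pw, min_length) for pw in passwords}


if __name__ == "__main__":
    # Constructed candidates, including the forms named in the thread.
    candidates = ["password123456789", "passwordpassword", "passworded",
                  "postpassword", "Brady2021!Go", "P@ssw0rd2024",
                  "Fd6@4kOpL)4bZ[1"]
    for pw, reason in audit(candidates, min_length=8).items():
        print(f"{pw:20} -> {reason or 'OK'}")
```

Every "looks complex" form from the post is rejected for the reason the post gives, while the random 15-character string from the earlier thread passes, because normalising it leaves no dictionary word behind. The substring rule is deliberately limited to words of four or more letters covering at least half the password, so that a long passphrase containing a short common word is not rejected by accident.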