Ornella Rhyne says
What are the common issues with patch management? Why do patches fail?
Miray Bolukbasi says
Common patch management problems include lack of management report, unexpected failures, lack of mobile control, manual patching, compliance requirements, the need for a patch provider.
In order to avoid patch failures, organizations should have a strong security approach where they test patches before deploying to the network, prioritize them, and implement them well.
Oluwaseun Soyomokun says
One of the possible reasons for a failed patch could be a compatibility issue with the existing software or applications in use. Also, weaknesses within the patch itself could be another reason for a failed patch.
The system administrator failing to reboot the systems after installing the patch, so that the patch takes effect on the applications or software, is yet another possibility.
Miray Bolukbasi says
What are some of the risks that patches raise for firms?
Matthew Bryan says
Patches can affect the performance of hosts, causing them “to freeze or do other damage” (Boyle and Panko, Section 7.3.4). It’s important to test patches prior to rolling them out to production. In addition, administrators should consider the tradeoffs between security and reduced functionality before applying the patch. In some cases, patches can make the system harder to use by addressing the vulnerability.
Matthew Bryan says
Why is it important that system administrators define the scope, timing, and receive approval prior to conducting a vulnerability scan?
Miray Bolukbasi says
Scope and Timing: Scope is significant to define prior to vulnerability scanning because the goal is to be quick and conduct a high-level assessment of vulnerabilities. The organization should decide what objects to scan to make sure it does not overlook essential networks and lose time or focus.
Approval: Organizations and IT teams often need support from executives for investments and tools used to protect hosts. To establish a top-down approach, it is crucial that the IT team request executive approval. Once vulnerability scanning is performed, and changes are identified as necessary to help the organization, executives will better understand and support them.
Yangyuan Lin says
Will virtual hosts be more secure?
Oluwaseun Soyomokun says
Virtual hosts at the moment support communication through encrypted virtual private networks (VPNs), and communications between virtual machines on a secure VPN tunnel are likely to be exposed to popular attacks. I feel the virtual host environment is still much more secure for now... but things can change pretty fast, with technology and complex algorithmic attacks evolving fast.
Oluwaseun Soyomokun says
Any thoughts and opinions about what it would be like to patch a virtual infrastructure against common attacks?
Ryan Trapp says
Does the use of Linux/Unix make a system inherently more secure than a system with Windows? Why or why not?
Mohammed Syed says
Because Linux and Unix are more secure than other operating systems. Linux is rarely infected by malware such as viruses, and it is a very secure OS. Linux has clearly defined privilege at multiple levels, thereby restricting access with its root-level access. In Linux, you can give the user a lower-level account with limited access. Malware will not get root access to damage systems.
Amelia Safirstein says
Great points, Mohammed! Though Linux implementations can often be more secure than Windows, the Windows interface and user tools are more user-friendly and familiar. This is one of the reasons that Windows is used in employee workstations more frequently.
Michael Duffy says
It depends on how often you update from the repo, as well as the consideration that most viruses are developed for Windows-based systems since there are more Windows users than Linux users. After scanning several UNIX-based systems for vulnerabilities, I have found they are often unpatched and disregarded when disconnected from a repo. Because of this, they become littered with arbitrary code execution vulnerabilities, etc.
However, from a design level I would say it depends. UNIX is more secure due to its design philosophy if given to the right hands, especially because UNIX/Linux is extremely compartmentalized and allows you to troubleshoot anything that is failing within the system. It’s also open-source and allows users/developers to interact more within the community. I think if it’s put in the right hands, Unix would have the edge over Windows. However, Windows has been pushing security updates and convenience, where it really comes down to the end user to determine if security is compromised.
Alexander William Knoll says
I would say that Linux/Unix are inherently more secure than Windows due to their target audience. Windows is designed to be very user friendly, hence being the most popular operating system in the world. Linux/Unix, on the other hand, are much more complicated operating systems. The smaller number of users would play a large factor, as well.
Jason Burwell says
Why is it important that security be carefully considered from the initial planning stage of a new server?
Mohammed Syed says
If you are deploying a new server in your organization, you should follow information security rules, policies, and procedures, because security should be carefully considered from the initial stage. Identify what your security needs are and how they impact the foundation of the security policies. Figure out what you can do to possibly protect your organization, and ensure the security of the server is up-to-date and supports your organization’s network.
Amelia Safirstein says
Retroactively adding security measures is often significantly more expensive and less secure than considering security from the planning stages. Additionally, if security is considered from the initial planning stage and throughout all other stages, the team is less likely to miss smaller details that may affect security.
Elizabeth Gutierrez says
How do you go about testing the strength of passwords?
Shubham Patil says
The strength of a password is determined by three things: the length of the character set used, the length of the password itself, and to a lesser extent, the variety in characters chosen. There are various free tools available online to check the strength of your password.
Hang Nu Song Nguyen says
Hi Elizabeth,
I think that an auditor should look at the password policy to determine whether the policy achieves the minimum requirements of NIST 800-53 about password complexity. After that, the auditor will determine whether there are constraints to set up a password that matches the policy. Then, the auditor provides a sample test. However, the auditor should also consider other factors such as how many times a wrong password is allowed to be entered and multi-factor authentication to protect data.
Ryan Trapp says
You can test the strength of passwords by using what is known as a dictionary attack. This is the process of checking the password against a list of commonly used passwords. Often, if the password is simple enough, it will be in one of these lists. Also, you can test the strength by trying to brute force the password. If the password is short in length and does not contain a variety of characters, then it will not take modern computers very long to crack.
Alexander William Knoll says
A good tool for testing the strength of your password is the website passwordmonster.com. When inputting the name of my dog, Jack, the password will take 0.01 seconds to crack, according to the website. It is widely recommended to use a much more complex password that doesn’t utilize common dictionary words and uses an assortment of uppercase and lowercase letters, symbols, and numbers. Using the completely random password Fd6@4kOpL)4bZ[1 increases the cracking time to 188 billion years, according to the site.
Shubham Patil says
What security protections do recent versions of this operating system offer?
Mohammed Syed says
Section 7.2 stated that the early versions, such as Windows Server NT, had poor security. The later versions of Windows Server, such as Windows Server 2016 and 2019, are much more secure. Windows 10 introduced the Microsoft Edge web browser, a virtual desktop system, and a desktop management feature called Task View. It supports fingerprint and face recognition login and has security features for enterprise environments.
Mohammed Syed says
How can you test for vulnerabilities with Windows Server?
Hang Nu Song Nguyen says
From my understanding of Windows, I think that an auditor should start by scanning Remote Desktop Protocol. Then the auditor looks at the firewall, firewall configuration, and DNS logs. Because Windows permissions are based on role/group, the auditor should review whether the permissions are set up correctly and review group changes.
Michael Duffy says
How can the organization assess the risk for information systems that cannot implement vendor security patches?
Hang Nu Song Nguyen says
Hi Mike,
Please check this article from ISACA:
https://www.isaca.org/resources/isaca-journal/issues/2019/volume-3/practical-patch-management-and-mitigation
It will give you a better explanation than me.
“The main problem with these types of agent solutions, apart from possible technical issues relating to performance and availability, is that many vendors do not allow an agent from a third party (e.g., a security vendor) to run on their system in parallel to their own applications. If an administrator installs an agent on a vendor system without vendor consent, then the vendor can easily blame any problem on the agent and effectively void any warranty or support clause. The enterprise can end up with a secure but unusable or unsupported system.”
Amelia Safirstein says
The Pentasafe Security Technologies survey in chapter 7 of our book found that out of 15,000 employees in 600 organizations, fifty percent used the names of family members and thirty percent used the names of pop idols or sports heroes as their passwords. How would you convince the staff of your organization to use more random and secure passwords?
Corey Arana says
I would add this into the password policy, stating that names are not able to be used in passwords. Sounds difficult, but I would also create a list of names that the system would not accept in passwords. Brady, LeBron, and Drake, just to name a few, would be denied.
Joshua Moses says
Can you name at least two different ways to harden a system?
Corey Arana says
Use strong passwords/strict password policies and set up backups.
Elizabeth Gutierrez says
Hi Joshua,
I agree with Corey that implementing backups and strong passwords are essential in hardening a system. However, I would not overlook the importance of using patch management tools to apply OS updates and patches automatically. In addition, application control event logs should be centrally stored, protected from unauthorized modification and deletion, and monitored for signs of compromise. By configuring assets in line with security best practices, tools, and techniques, you will reduce their exposure to security vulnerabilities.
Shubham Patil says
Joshua,
Here are two ways by which you can harden a system:
1. Operating System Hardening
Operating system (OS) hardening involves adding security features to your OS to make it more secure. While operating systems are secure by nature, hardening them makes them even more secure. OS hardening involves patching and applying advanced security measures to protect a server’s OS.
2. Network Hardening
Network devices that include SANs, routers, load balancers, and gateways, to name a few, are highly prone to cyberattacks, as they are most exposed to attack vectors. Network hardening refers to the usage of network protection techniques to protect the network from unauthorized users.
Hang Nu Song Nguyen says
How different is permission management between Microsoft and Unix/Linux?
Bryan Garrahan says
Windows has the ability to provide users/groups with full control, modify, read & execute, list folder contents, read, and write permissions, while Unix/Linux OSs can provide users with only read, write, and execute permissions. Additionally, there is no limit to how many users and groups can be assigned to a particular directory in Windows. However, in Unix/Linux, permissions can be applied to only three different entities: the owner, a single group, and everyone else.
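To make the difference Bryan describes concrete, here is a small added model (my own illustration, not from the textbook or the thread) of the two evaluation rules side by side. The Unix half follows the real mode-bit rule: exactly one class applies, owner first, then the single group, then everyone else. The "Windows-like" half is a simplified ACL with any number of allow/deny entries per principal, where an explicit deny wins; it is an assumption-level sketch of ACL evaluation, not a faithful reproduction of NTFS semantics. All users, groups, and file settings below are constructed sample data.

```python
"""Toy comparison of Unix mode bits versus a Windows-style ACL.

Added illustration. The Unix rule is the real one (owner class, else group
class, else other). The ACL rule is a simplified sketch (assumption): all
matching entries are considered and an explicit deny overrides any allow.
"""
from __future__ import annotations
from dataclasses import dataclass, field


# --- Unix/Linux: one owner, one group, everyone else; rwx per class -------
@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int  # e.g. 0o640 == rw-r-----


def unix_allowed(f: UnixFile, user: str, groups: set[str], want: str) -> bool:
    """want is 'r', 'w' or 'x'. Only one class is consulted: the owner is
    judged by the owner bits alone, even if the group bits would grant more."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == f.owner:
        cls = (f.mode >> 6) & 7
    elif f.group in groups:
        cls = (f.mode >> 3) & 7
    else:
        cls = f.mode & 7
    return bool(cls & bit)


# --- Windows-like ACL: many principals, composite rights, deny wins -------
# Composite rights expanded to the elementary operations they grant (sketch).
RIGHTS = {
    "read": {"read"},
    "write": {"write"},
    "list": {"list"},
    "read_execute": {"read", "execute", "list"},
    "modify": {"read", "execute", "list", "write", "delete"},
    "full_control": {"read", "execute", "list", "write", "delete", "change_permissions"},
}


@dataclass
class Ace:
    principal: str  # user or group name
    kind: str       # "allow" or "deny"
    right: str      # a key of RIGHTS


@dataclass
class AclFile:
    aces: list[Ace] = field(default_factory=list)


def acl_allowed(f: AclFile, user: str, groups: set[str], want: str) -> bool:
    """Every ACE naming the user or one of their groups is considered;
    an explicit deny covering the requested operation beats any allow."""
    principals = {user} | groups
    matching = [a for a in f.aces if a.principal in principals and want in RIGHTS[a.right]]
    if any(a.kind == "deny" for a in matching):
        return False
    return any(a.kind == "allow" for a in matching)


def demo() -> dict:
    """Constructed scenario: a config file root:ops 0o640 on Unix, and a share
    with three groups at different rights plus one explicit deny on Windows."""
    cfg = UnixFile(owner="root", group="ops", mode=0o640)
    share = AclFile([
        Ace("developers", "allow", "read_execute"),
        Ace("ops", "allow", "modify"),
        Ace("admins", "allow", "full_control"),
        Ace("contractor1", "deny", "write"),
    ])
    return {
        "unix_ops_member_can_read": unix_allowed(cfg, "alice", {"ops"}, "r"),
        "unix_ops_member_can_write": unix_allowed(cfg, "alice", {"ops"}, "w"),
        # a second group (dev) cannot be granted anything without changing the file's group
        "unix_other_can_read": unix_allowed(cfg, "bob", {"dev"}, "r"),
        # owner with mode 0o070: owner bits are empty, so root's group membership is irrelevant
        "unix_owner_only_owner_bits": unix_allowed(UnixFile("root", "ops", 0o070), "root", {"ops"}, "r"),
        "acl_dev_can_read": acl_allowed(share, "bob", {"developers"}, "read"),
        "acl_dev_can_write": acl_allowed(share, "bob", {"developers"}, "write"),
        "acl_ops_can_write": acl_allowed(share, "alice", {"ops"}, "write"),
        # contractor1 is in ops (modify), but the explicit deny on write wins
        "acl_deny_wins": acl_allowed(share, "contractor1", {"ops"}, "write"),
        "acl_admin_can_change_perms": acl_allowed(share, "carol", {"admins"}, "change_permissions"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

The two cases worth noticing when reviewing permissions: on Unix, granting a second team access to a file means changing the file's group or using ACLs (setfacl) rather than the mode bits, and on a Windows-style ACL an auditor has to look at every entry, because a single deny entry can silently override a broad group grant.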
Corey Arana says
The chapter tells us what shoulder surfing and physical keyloggers are. Can anyone tell me what other types of password threats are out there?
Elizabeth Gutierrez says
Hi Corey,
Other than shoulder surfing and physical keyloggers, the other password threats noted in the chapter were keystroke capture and password-stealing programs. Boyle and Panko define keystroke capture as a program that “steals passwords as the user types them in and sends the keystrokes to the attacker.” The attacker has two options: to mine the keystroke data for account names and passwords, or to present the user with a fake login screen and have them log in again to obtain the information.
Bryan Garrahan says
How often would you recommend an administrator review user/group access to critical administrator functions such as production access to deploy changes in production? Should these types of access be reviewed on a more frequent basis than user/group access to an application with minimal user capabilities?
Alexander William Knoll says
Why do some organizations still not enforce strong password policies given how easy they are to enforce and how effective they have proven to be?
Amelia Safirstein says
I think that in some cases, especially with smaller businesses/start-ups, security isn’t a main concern. Good security practices often aren’t seemingly needed for the business operations, so they are forgotten about or skipped over to use time/effort elsewhere. Additionally, with smaller companies, there can be a sentiment of “That won’t happen to us. We aren’t a big enough target.” sometimes followed by “That definitely won’t happen to us again. What are the chances?”
Yangyuan Lin says
I agree with what Amelia said, that startup businesses are more focused on business development. And I think one of the reasons is the lack of staff training. Strong passwords are not just long passwords. For example, adding numbers to the password (password123456789), entering the password twice (passwordpassword), and using prefixes and suffixes (passworded & postpassword) can all be considered “strong passwords” by employees because these passwords are long and look very complex. However, it is actually very easy to crack these passwords with hybrid dictionary attacks. Such password settings will increase the information security risk of the enterprise.
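Several posts in this thread touch the same mechanism from different sides: Shubham's point that strength comes from character-set size and length, Ryan's point that a dictionary check catches simple passwords, Corey's idea of a name denylist in the password policy, and Yangyuan's examples of hybrid variants (digits appended, word doubled, prefix/suffix added) that look long but fall quickly. The following added example (my own code, not from the textbook or any poster) is a password-policy checker of the kind an organization could run at password-change time: it estimates entropy from the character set and length, and it normalizes the candidate (strips leading/trailing digits and symbols, undoes a handful of common letter substitutions, collapses a doubled word) before comparing it against a blocked-word list. The word and name lists are tiny constructed samples standing in for a real breached-password and name list; the 60-bit threshold and the substitution map are my assumptions.

```python
"""Password-policy checker: entropy estimate plus hybrid-variant detection.

Added example. Word lists are constructed stand-ins for a real blocked list;
the 60-bit threshold and the substitution map are assumptions.
"""
import math
import re

# Constructed samples: a few common passwords and a few names (per the idea
# of denying family/celebrity names in the policy).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}
BLOCKED_NAMES = {"jack", "brady", "lebron", "drake", "michael", "jessica"}
BLOCKED = COMMON_WORDS | BLOCKED_NAMES

# Minimal letter-substitution map (assumption); hybrid attacks try these too.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that contains every
    character of pw (lower, upper, digits, printable symbols)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on brute-force search space: length * log2(charset).
    This assumes the characters are chosen at random, which is exactly what
    the dictionary check below is there to disprove."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def base_word(pw: str) -> str:
    """Reduce a candidate to the word a hybrid dictionary attack would start
    from: lowercase, drop non-letters at either end, undo substitutions,
    and collapse an exact doubling (passwordpassword -> password)."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw.lower())
    core = core.translate(LEET)
    half = len(core) // 2
    if len(core) >= 6 and core[:half] == core[half:]:
        core = core[:half]
    return core


def dictionary_hit(pw: str):
    """Return the blocked word the password is built on, or None.
    A substring match catches prefix/suffix variants (passworded, postpassword)."""
    core = base_word(pw)
    if core in BLOCKED:
        return core
    for w in BLOCKED:
        if len(w) >= 4 and w in core:
            return w
    return None


def check_password(pw: str, min_bits: float = 60.0) -> dict:
    """Policy decision: reject anything derived from a blocked word, and
    anything whose random-character entropy falls below min_bits."""
    findings = []
    hit = dictionary_hit(pw)
    if hit:
        findings.append(f"derived from blocked word '{hit}'")
    bits = entropy_bits(pw)
    if bits < min_bits:
        findings.append(f"only {bits:.0f} bits of entropy (minimum {min_bits:.0f})")
    return {"ok": not findings, "bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    # Constructed candidates, including the ones discussed in the thread.
    for cand in ["Jack", "password123456789", "passwordpassword", "passworded",
                 "postpassword", "P@ssw0rd2021", "Fd6@4kOpL)4bZ[1"]:
        r = check_password(cand)
        print(f"{cand:20} ok={r['ok']!s:5} bits={r['bits']:6}  {'; '.join(r['findings'])}")
```

The instructive case is "password123456789": its entropy estimate is well above the threshold (17 characters over letters and digits), yet it is rejected because the normalized form is a blocked word. That is the gap Yangyuan describes between a password that looks strong and one that resists a hybrid dictionary attack, and it is why a length-and-class complexity rule alone is a weak policy.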
Alexander William Knoll says
Yeah, I definitely agree with both of you. In the case of small businesses/start-ups, I guess security is one of the last concerns, basically because there’s just so much more to worry about. It would probably be nearly impossible to ever convince a local sandwich shop that they should care about security. As far as complex passwords, it’s becoming more and more apparent that the “complex” requirements really do not make the password much more difficult to crack.