Notes from the Field: How to Assess Microsoft Security Patches
By John Ennis, Microsoft Ireland Technical Account Manager.
As a Microsoft Technical Account Manager, I work with many Irish customers to help them operate and secure their IT Operations, and of course questions around Security Patch Management is always high on the agenda.
Especially so this month, when we release 10 security patches!
Unfortunately, patches are a necessary evil for system administrators. All systems require security updates to some extent and managing them is a necessity. It is important that customers fully assess security vulnerabilities and the risk to their assets, and then apply a consistent framework for the application of the patches based on the company’s Information Security policy. The focus should be on reducing the overall security risk and not on how quickly a customer can apply a security patch.
To help you do this, I would like to share some simple Patch Management Processes that look at Risk Management, Patch Management SLA and how to assess Microsoft Security Bulletins.
Security Risk Management Guidelines
The Microsoft security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business. Risk assessment is defined as the process to identify and prioritise risks to the business.
In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis. For example, you estimate the true value of each business asset in terms of what it would cost to replace it, what it would cost in terms of lost productivity, what it would cost in terms of brand reputation, and other direct and indirect business values.
Impact x Probability = Risk
Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset.
To help communicate the extent of impact and the degree of probability in the risk statement, the Microsoft security risk management process begins prioritising risk by using relative terms such as high, moderate and low.
Ranking identified risks in a consistent and repeatable process.
The Microsoft security risk management process defines the following three qualitative asset classes: high business impact (HBI), moderate business impact (MBI) and low business impact (LBI)
High Business Impact
Impact on the confidentiality, integrity or availability of these assets causes severe or catastrophic loss to the organisation. Impact may be expressed in raw financial terms or may reflect indirect loss or theft of financial instruments, organisation productivity, damage to reputation, or significant legal and regulatory liability.
- Highly sensitive business material - Such as financial data and intellectual property
- Assets subjected to specific regulatory requirements
Moderate Business Impact
Impact on the confidentiality, integrity or availability of these assets causes moderate loss to the organisation. Moderate loss does not constitute a severe or catastrophic impact but does disrupt normal organisational functions to the degree that proactive controls are necessary to minimise impact within this asset class.
- Internal business information - Employee directory, purchase order data, network infrastructure designs, information on internal websites and data on internal file shares for internal business use only
Low Business Impact
Assets not falling into either the HBI or MBI are classified as LBI and have no formal protection requirements or additional controls beyond standard best practices for securing infrastructure.
Defining Threats and Vulnerabilities
Information on threats and vulnerabilities provides the technical evidence used to prioritise risks across an enterprise.
Estimating Asset Exposure
After the Risk Assessment Facilitator leads the discussion through asset, threat and vulnerability identification, the next task is to gather stakeholder estimates on the extent of the potential damage to the asset, regardless of the asset class definition. The extent of potential damage is defined as asset exposure.
For each category, assist stakeholders in placing estimates within the following three groups:
- High exposure — Severe or complete loss of the asset
- Moderate exposure — Limited or moderate loss
- Low exposure — Minor or no loss
Ad-Hoc Security Vulnerability Assessment
This is an example of Patch Management Framework & SLA, and how you can assess the vulnerability.
1. Assess your Asset’s
a. High Business Impact (HBI)
b. Medium Business Impact (MBI)
c. Low Business Impact (LBI)
2. Assess the Risk (Impact x Threat)
a. Severity of Impact if system compromised
i. Use Microsoft vulnerability ratings = critical, important, moderate, low
b. Probability of Threat (Server)
i. Low – For example, local logon access required
ii. Medium – For example, email, phishing
iii. High – For example, Worm, DOS (network-borne attack scenario)
Security Vulnerability Risk Assessment Model Important (High Risk\Low Threat) Critical (High Risk\High Threat) Low (Low Risk\Low Threat) Important (Low Risk\Low Threat)
Important (High Risk\Low Threat)
Critical (High Risk\High Threat)
Low (Low Risk\Low Threat)
Important (Low Risk\Low Threat)
3. Risk Management
a. When to patch (Vulnerability Risk * Asset Risk)
i. Service Level Agreements
1. RED = Patch in 24 hours
2. Orange = Patch at weekend
3. Green = Patch at next scheduled maintenance window
b. What are the alternative solutions?
i. Disable ports, services, etc
Low Important Critical HBI 48 Hours 24 Hours 8 Hours MBI Next service Window Weekend 24 Hours LBI Next service Window Next service Window Weekend
Next service Window
Next service Window
Next service Window
• RED = Patch all HBI servers. Patch Critical within 24 hours
• Orange = Patch MBI Important\Critical and LBI critical at the weekend maintenance window
• Green = Patch low\medium LBI and low at next maintenance window. For example, quarterly
Note: Of course it is critical to ensure that you test the patches as appropriate.
How to Assess Microsoft Security Bulletin
1. What is the severity level? (Critical, Important, Moderate) (Impact)
2. What software is affected? (Asset Risk) (Asset)
3. What is the Impact of the vulnerability? (For example, remote code execution or denial of service, etc) (Threat)
4. What is the vector of attack? (Email, web, network, etc) (Threat)
5. Is there a mitigating circumstance? (Local account required, need to open email with ActiveX attached, etc) (Threat)
Access more information on Microsoft Security Risk Management http://www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
Find out more about this month's Security Bulletins http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx