Get the latest Microsoft Security Bulletin for October (inc. 6 Critical Patches)

Get the latest security bulletin for October HERE.

Check out Microsoft's best practices recommendations for applying security updates HERE.

Sign up for monthly security bulletin notification HERE.

Here's something I blogged about last month that I think might be of interest to you in the context of the above!

How to Assess Microsoft Security Patches
Notes from the Field: How to Assess Microsoft Security Patches

By John Ennis, Microsoft Ireland Technical Account Manager.

As a Microsoft Technical Account Manager, I work with many Irish customers to help them operate and secure their IT operations, and of course questions around Security Patch Management are always high on the agenda.

Unfortunately, patches are a necessary evil for system administrators. All systems require security updates to some extent and managing them is a necessity. It is important that customers fully assess security vulnerabilities and the risk to their assets, and then apply a consistent framework for the application of the patches based on the company’s Information Security policy. The focus should be on reducing the overall security risk and not on how quickly a customer can apply a security patch.

To help you do this, I would like to share some simple Patch Management Processes that look at Risk Management, Patch Management SLA and how to assess Microsoft Security Bulletins.

Security Risk Management Guidelines

The Microsoft security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business. Risk assessment is defined as the process to identify and prioritise risks to the business.

In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis. For example, you estimate the true value of each business asset in terms of what it would cost to replace it, what it would cost in terms of lost productivity, what it would cost in terms of brand reputation, and other direct and indirect business values.

Risk Statement

Impact x Probability = Risk

Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset.

To help communicate the extent of impact and the degree of probability in the risk statement, the Microsoft security risk management process begins prioritising risk by using relative terms such as high, moderate and low.

Ranking identified risks in a consistent and repeatable process.

The Microsoft security risk management process defines the following three qualitative asset classes: high business impact (HBI), moderate business impact (MBI) and low business impact (LBI).

High Business Impact

Impact on the confidentiality, integrity or availability of these assets causes severe or catastrophic loss to the organisation. Impact may be expressed in raw financial terms or may reflect indirect loss or theft of financial instruments, organisation productivity, damage to reputation, or significant legal and regulatory liability. Examples:

Highly sensitive business material, such as financial data and intellectual property
Assets subject to specific regulatory requirements

Moderate Business Impact

Impact on the confidentiality, integrity or availability of these assets causes moderate loss to the organisation. Moderate loss does not constitute a severe or catastrophic impact but does disrupt normal organisational functions to the degree that proactive controls are necessary to minimise impact within this asset class. Examples:

Internal business information, such as the employee directory, purchase order data, network infrastructure designs, information on internal websites and data on internal file shares for internal business use only

Low Business Impact

Assets not falling into either the HBI or MBI class are classified as LBI and have no formal protection requirements or additional controls beyond standard best practices for securing infrastructure.

Defining Threats and Vulnerabilities
Information on threats and vulnerabilities provides the technical evidence used to prioritise risks across an enterprise.

Estimating Asset Exposure
After the Risk Assessment Facilitator leads the discussion through asset, threat and vulnerability identification, the next task is to gather stakeholder estimates on the extent of the potential damage to the asset, regardless of the asset class definition. The extent of potential damage is defined as asset exposure.

For each category, assist stakeholders in placing estimates within the following three groups:

High exposure — Severe or complete loss of the asset
Moderate exposure — Limited or moderate loss
Low exposure — Minor or no loss
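To show how the risk statement (Impact x Probability = Risk) and the asset class and exposure groups above can be turned into a consistent, repeatable ranking, here is a small added example written for this post; it is not code from the Microsoft guide. The rules for combining asset class with exposure, and for bucketing the 1..9 product into high/moderate/low, are assumptions chosen for illustration, and the asset register is constructed.

```python
from dataclasses import dataclass
from math import ceil

# Ordinal levels shared by exposure, probability, impact and risk.
LEVEL = {"low": 1, "moderate": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}
# Asset classes from the post: low/moderate/high business impact.
ASSET_CLASS = {"LBI": 1, "MBI": 2, "HBI": 3}


@dataclass(frozen=True)
class RiskStatement:
    asset: str        # what is at risk
    asset_class: str  # HBI / MBI / LBI
    exposure: str     # extent of damage if exploited: high / moderate / low
    probability: str  # likelihood of exploitation in the current environment


def impact_rating(asset_class: str, exposure: str) -> str:
    """Impact = asset class combined with exposure.
    Assumed rule (not from the post): rounded-up average of the two levels,
    so an HBI asset with low exposure still rates 'moderate' impact."""
    return NAME[ceil((ASSET_CLASS[asset_class] + LEVEL[exposure]) / 2)]


def risk_score(s: RiskStatement) -> int:
    """Impact x Probability = Risk, as a number from 1 to 9 used for ranking."""
    return LEVEL[impact_rating(s.asset_class, s.exposure)] * LEVEL[s.probability]


def risk_rating(s: RiskStatement) -> str:
    """Assumed buckets for the 1..9 product: 6-9 high, 3-4 moderate, 1-2 low."""
    score = risk_score(s)
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"


def rank_risks(statements):
    """(asset, rating, score) tuples, highest risk first; ties are broken by
    asset name so two people running this get the same order."""
    ordered = sorted(statements, key=lambda s: (-risk_score(s), s.asset))
    return [(s.asset, risk_rating(s), risk_score(s)) for s in ordered]


# Constructed sample register for illustration, not real customer data.
SAMPLE = [
    RiskStatement("payroll database", "HBI", "high", "moderate"),
    RiskStatement("intranet wiki", "MBI", "moderate", "high"),
    RiskStatement("build lab server", "LBI", "low", "high"),
    RiskStatement("brochure website", "LBI", "moderate", "low"),
]

if __name__ == "__main__":
    for asset, rating, score in rank_risks(SAMPLE):
        print(f"{rating:>8} ({score})  {asset}")
```

The point of the ranking is that an MBI asset with a highly probable exploit can land beside an HBI asset with a less likely one, which is the trade-off a patch SLA has to make explicit.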

For the rest of this blog, click here.