Notes from the Field: How to Assess Microsoft Security Patches
By John Ennis, Microsoft Ireland Technical Account Manager.
As a Microsoft Technical Account Manager, I work with many Irish customers to help them operate and secure their IT operations, and of course questions around Security Patch Management are always high on the agenda.
Especially so this month, when we release 10 security patches!
Unfortunately, patches are a necessary evil for system administrators. All systems require security updates to some extent and managing them is a necessity. It is important that customers fully assess security vulnerabilities and the risk to their assets, and then apply a consistent framework for the application of the patches based on the company’s Information Security policy. The focus should be on reducing the overall security risk and not on how quickly a customer can apply a security patch.
To help you do this, I would like to share some simple Patch Management Processes that look at Risk Management, Patch Management SLA and how to assess Microsoft Security Bulletins.
Security Risk Management Guidelines
The Microsoft security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business. Risk assessment is defined as the process to identify and prioritise risks to the business.
In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis. For example, you estimate the true value of each business asset in terms of what it would cost to replace it, what it would cost in terms of lost productivity, what it would cost in terms of brand reputation, and other direct and indirect business values.
Risk Statement
Impact x Probability = Risk
Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset.
To help communicate the extent of impact and the degree of probability in the risk statement, the Microsoft security risk management process begins prioritising risk by using relative terms such as high, moderate and low.
Ranking identified risks in a consistent and repeatable process.
The Microsoft security risk management process defines the following three qualitative asset classes: high business impact (HBI), moderate business impact (MBI) and low business impact (LBI).
High Business Impact
Impact on the confidentiality, integrity or availability of these assets causes severe or catastrophic loss to the organisation. Impact may be expressed in raw financial terms or may reflect indirect loss or theft of financial instruments, organisation productivity, damage to reputation, or significant legal and regulatory liability.
Moderate Business Impact
Impact on the confidentiality, integrity or availability of these assets causes moderate loss to the organisation. Moderate loss does not constitute a severe or catastrophic impact but does disrupt normal organisational functions to the degree that proactive controls are necessary to minimise impact within this asset class.
Low Business Impact
Assets not falling into either the HBI or MBI class are classified as LBI and have no formal protection requirements or additional controls beyond standard best practices for securing infrastructure.
Defining Threats and Vulnerabilities
Information on threats and vulnerabilities provides the technical evidence used to prioritise risks across an enterprise.
Estimating Asset Exposure
After the Risk Assessment Facilitator leads the discussion through asset, threat and vulnerability identification, the next task is to gather stakeholder estimates on the extent of the potential damage to the asset, regardless of the asset class definition. The extent of potential damage is defined as asset exposure.
For each category, assist stakeholders in placing estimates within the following three groups:
Ad-Hoc Security Vulnerability Assessment
This is an example of a Patch Management Framework and SLA, and of how you can assess the vulnerability.
1. Assess your Assets
a. High Business Impact (HBI)
b. Medium Business Impact (MBI)
c. Low Business Impact (LBI)
2. Assess the Risk (Impact x Threat)
a. Severity of Impact if system compromised
i. Use Microsoft vulnerability ratings = critical, important, moderate, low
b. Probability of Threat (Server)
i. Low – For example, local logon access required
ii. Medium – For example, email, phishing
iii. High – For example, worm, DOS (network-borne attack scenario)
Security Vulnerability Risk Assessment Model
• Important (High Risk\Low Threat)
• Critical (High Risk\High Threat)
• Low (Low Risk\Low Threat)
• Important (Low Risk\Low Threat)
3. Risk Management
a. When to patch (Vulnerability Risk * Asset Risk)
i. Service Level Agreements
1. RED = Patch in 24 hours
2. Orange = Patch at weekend
3. Green = Patch at next scheduled maintenance window
b. What are the alternative solutions?
i. Disable ports, services, etc.
Patch SLA by asset class and vulnerability risk rating:

        Low                    Important              Critical
HBI     48 Hours               24 Hours               8 Hours
MBI     Next service Window    Weekend                24 Hours
LBI     Next service Window    Next service Window    Weekend
• RED = Patch all HBI servers. Patch Critical within 24 hours
• Orange = Patch MBI Important\Critical and LBI Critical at the weekend maintenance window
• Green = Patch low\medium LBI and low at next maintenance window. For example, quarterly
Note: Of course it is critical to ensure that you test the patches as appropriate.
How to Assess Microsoft Security Bulletin
1. What is the severity level? (Critical, Important, Moderate) (Impact)
2. What software is affected? (Asset Risk) (Asset)
3. What is the impact of the vulnerability? (For example, remote code execution or denial of service, etc.) (Threat)
4. What is the vector of attack? (Email, web, network, etc.) (Threat)
5. Is there a mitigating circumstance? (Local account required, need to open email with ActiveX attached, etc.) (Threat)
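As an added example, not code from the original post, here is a small Python helper that walks steps 1 to 3 above and the five bulletin questions for one bulletin across a constructed estate, producing the patch window per server. It assumes mappings the post does not spell out: critical and important severities count as High impact and moderate and low as Low impact, a Medium threat probability is treated as High in the 2x2 model, the Low-impact/High-threat cell rates Important, and a mitigating circumstance lowers the threat probability by one level.

```python
# Patch triage helper following the risk model and SLA table in the post.
# Assumptions (not from the post): critical/important count as High impact,
# moderate/low as Low impact; Medium threat is treated as High in the 2x2
# model; the Low-impact/High-threat cell rates Important; a mitigating
# circumstance lowers the threat probability by one level.
IMPACT = {"critical": "High", "important": "High", "moderate": "Low", "low": "Low"}
# Attack vector -> threat probability, using the post's own examples
THREAT_BY_VECTOR = {"local": "Low", "email": "Medium", "phishing": "Medium",
                    "network": "High", "worm": "High", "dos": "High"}
LEVELS = ["Low", "Medium", "High"]
# Security Vulnerability Risk Assessment Model: (impact, threat) -> risk rating
RISK_MODEL = {("High", "Low"): "Important", ("High", "High"): "Critical",
              ("Low", "Low"): "Low", ("Low", "High"): "Important"}
# Patch SLA: asset class -> risk rating -> window
SLA = {
    "HBI": {"Low": "48 Hours", "Important": "24 Hours", "Critical": "8 Hours"},
    "MBI": {"Low": "Next service Window", "Important": "Weekend", "Critical": "24 Hours"},
    "LBI": {"Low": "Next service Window", "Important": "Next service Window", "Critical": "Weekend"},
}

def threat_probability(vector, mitigating=False):
    """Step 2b: probability of threat from the vector, one level lower if mitigated."""
    level = THREAT_BY_VECTOR[vector.lower()]
    if mitigating and level != "Low":
        level = LEVELS[LEVELS.index(level) - 1]
    return level

def risk_rating(severity, vector, mitigating=False):
    """Step 2: Impact x Probability -> Critical / Important / Low."""
    threat = threat_probability(vector, mitigating)
    threat = "High" if threat == "Medium" else threat  # conservative (assumption)
    return RISK_MODEL[(IMPACT[severity.lower()], threat)]

def patch_window(asset_class, severity, vector, mitigating=False):
    """Step 3a: when to patch, from Vulnerability Risk x Asset class."""
    return SLA[asset_class.upper()][risk_rating(severity, vector, mitigating)]

def triage(estate, bulletin):
    """Map every asset in the estate to its patch window for one bulletin."""
    severity, vector, mitigating = bulletin
    return {name: patch_window(cls, severity, vector, mitigating)
            for name, cls in estate.items()}

# Constructed sample estate and a Critical bulletin with a worm-capable vector
ESTATE = {"dc01": "HBI", "exch01": "HBI", "app02": "MBI", "lab07": "LBI"}
if __name__ == "__main__":
    for name, window in triage(ESTATE, ("Critical", "worm", False)).items():
        print(f"{name}: patch within {window}")
```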
Access more information on Microsoft Security Risk Management http://www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
Find out more about this month's Security Bulletins http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx
I've been playing around with Vista a lot as well as doing a lot of reading about it. More and more I've come to realise that beyond any of the hype Windows Vista really represents a paradigm shift in the OS space. It's similar to what Windows NT was to 3.x or DOS, and what Windows 3.x was to OS/2 Warp. Vista and Windows XP are very different technically. All the fundamentals have changed: memory, disk, network and underlying security. The kernel is mostly new, the network stack has been rewritten to support IPv4/IPv6 with Teredo tunnelling support, and the firewall is two-way with a new policy-driven engine. There are stacks of new Group Policies, literally thousands, using a new XML-based framework of ADMX files.
Within that context I thought I'd point you to some of the latest videos which highlight in some depth the new features in Vista. Just click on the video titles below to access them at your leisure.
Account Control: Running Windows Vista with Least Privilege
This session talks about the technology behind this change to Windows, including the isolation of Admin from Standard User code on the same desktop, the policy control in the enterprise, and how to write and deploy good Standard User applications.
Windows PowerShell: Next Generation Command Line Scripting
In this session, learn how PowerShell also serves as the foundation for our next generation of Admin GUIs so that everything you can do from the GUI you'll be able to do from the command line. You'll never view command line scripting the same way again.
Windows Vista Security Guide
This session includes live demonstrations of the tools and templates supplied with the Windows Vista Security Guide. Topics for this session include: development process for the guide; definition of security levels and target organizations; considerations to make before deploying security settings; specific guidance on securing the most important features of Windows Vista; deployment techniques and tips to reduce cost and improve reliability; and initial configuration control to ensure that Windows Vista starts and remains secure.
TechNet virtual labs are a great way to evaluate and test Microsoft's newest server products through a series of guided, hands-on labs which can be completed in 90 minutes or less. They're online and FREE.
We've just added some new V-Labs for Windows Vista, Exchange Server 2007, 2007 Microsoft Office System (including the new UI improvements in Windows SharePoint Services 3.0). This really is a great resource in that it enables you to try out these products without having to set them up on a test system.
You can try out these v-labs for yourself here.
This session will cover how Windows is better protected against malware attacks, better at removing infections, and better at limiting potential harm from malicious software. The main focus will be on our anti-malware technologies found in Windows Vista including an architecture overview of Windows Defender (formerly Windows AntiSpyware) and the Malicious Software Removal Tool (MSRT). Check out this video here.
This is a great one page article on how to set up a wireless network securely.
Thanks to Rob Atkinson's blog @ KnowledgeByte I found out that you can now download the TechNet Magazine for free from the following website.
These magazines really are a powerful resource for any technical people who work on Microsoft platforms. The articles and the best practices presented could save you a lot of time and hassle. There's some great content on how to best do disaster recovery, zero touch installations, monitoring security events with MOM. I also read a very good special report on IT security in the May/June issue.
BTW: The files are in .chm format and I found that after downloading them I had to right click on the file name and go to properties and click on 'unblock' to be able to open the file.
This 75-minute session decrypts all aspects of GPOs. It explores the shotgun approach that the operating system uses to store GPOs, shows you the methods of tracking down failed replication of GPOs and the problems that arise from them, and covers the tools you can use to track, discover, and troubleshoot GPO problems.
Troubleshooting Group Policy, On IT’s Showtime!
There are a number of critical patches in the Microsoft Security Bulletin that was published on August 8th. For the full bulletin please click here. However, I want to particularly draw your attention to the following update, Microsoft Security Bulletin MS06-040, which resolves several vulnerabilities in the Server service that could allow remote code execution. So my advice to you is to get patching ASAP!
If you are not receiving these security bulletins on a monthly basis you should sign up here to receive them.
Microsoft Convergence 2006 EMEA (6-8th November, Munich) is the first ever Microsoft Dynamics EMEA event, bringing customers, partners and industry experts together to share ideas and knowledge. Microsoft Dynamics is our range of Supply Chain, CRM and Financial Management software solutions.
If your company is thinking about reviewing its current solution in these areas this is the one conference that you should go to!
You'll get to hear from top industry leaders including Bill Gates.
For more information on Convergence click here. For more information on Microsoft Dynamics in Ireland click here.
Register here before 29 September 2006 to qualify for the Early Bird offer and save €200 off the full price (€1,175).
The System Center Virtual Machine Manager public beta announced by Bill Gates at WinHEC last Spring is now ready for download. The Virtual Machine Manager is an essential element of Microsoft’s broad virtualization strategy and brings essential management capabilities to the virtual data center.
You can learn more about the product and sign-up for the beta here: http://www.microsoft.com/systemcenter/scvmm/default.mspx