In our previous article Protecting Enterprise & SMB Networks From Exploits, Hacking & Attacks By Correctly Patching Systems - Part 1, we analysed the implications of unpatched systems and how hackers use these weaknesses to gain access to data and sensitive financial information. Included in the analysis were two major companies, eBay and a number of famous P.F. Chang's chain of restaurants. We then provided some rules IT Departments, Managers and Administrators should follow in order to secure their systems at the best possible level.
This article continues with a number of important tips to further enhance the security of your company systems and how tools can be used to scan, identify, patch and automate the whole process of protecting your systems.
Tips To Enhance The System Security Patching Process (Continued)
Set Your Priorities
Not all computers in the organization need to be patched at the same time. Some computers are more likely to be attacked because they are interface facing. Systems handling e-commerce such as point-of-sales machines and servers holding the customer database are usually more vulnerable to attack. Therefore, prioritize the patching process so that the most critical systems are serviced before others are.
Standardize Your Configurations
If you use many tools and software programs, you will need to track and install several patches. Standardizing your configuration allows all systems to use the same operating system and tools. That results in easier maintenance and tracking of patches and service pack levels. If possible, lock down the configuration - this can easily be achieved in a Windows environment with the usage of Active Directory Group Policies. Enforcing Group Policies ensures users are not able to make any system configuration changes and all security polices are enforced correctly.
Plan Your Patches
Not all patches that the vendors release need to be installed. Actually, this depends on the criticality of the vulnerability that the patch fixes. If the patch fixes a critical vulnerability in a system that faces the maximum threat, install it immediately. For minor patches, the decision whether to install can be taken after an analysis of a what-if scenario in case the hole is left unpatched.
Using an automated multi-platform patching tool is highly recommended - it installs all the important patches after testing them.
Report Your Actions & Analyze
Once you have installed the patches, the post-patch work begins. It starts with a report of what was installed and how many vulnerable systems were fixed. Acceptance testing comes next, to determine if the patch installation was done the right way and there are no conflicts.
You must also test your system to see if the vulnerability has really been addressed. If the system still remains vulnerable, you may have to reinstall the patch or roll it back. A patch management tool makes the task simpler.
Test Your Systems Seriously
Testing a patch for effectiveness and conflicts is very important in maintaining a running business process. A patch that trashes a stable system because of conflicts can do a lot of harm. You can use third parties for testing the patches before you install them. However, even if successfully tested by others, it is advisable to test the patch in-house before installation, especially if system uptime is important to your business.
For in-house testing, virtualization helps as it provides a contained arena isolated from your actual production systems. In case of a virtualized environment a reliable backup tool is very important to ensure the prevention of data loss. You could also try out a controlled rollout on less critical systems to see how the patch functions before installing on the entire network.
Patch Your Systems Continually
Your IT team cannot rest if it has once patched the systems successfully. New vulnerabilities are discovered and the vendor releases further patches. Moreover, you may have deployed new tools. Therefore, the entire process of inventorying your assets, looking for patches and installing them is a continuous process along with conducting a vulnerability assessment of your network.
How An Automated Patch Management System Helps
In an organization, the IT team needs to manage and monitor all assets effectively, efficiently and with complete transparency. They must ensure that all assets of the company perform at their peak efficiency while remaining safeguarded from attacks on their vulnerabilities. When examining the internal security of a network, the IT team looks at the overall scenario for:
- Any unauthorized machine on the network
- Any machine that does not have the required security patches installed
- Any machine that does not have the necessary security set
An automated patch management system provides a consolidated platform for the IT team from where they can remotely manage the performance of the network and the software deployed while controlling the security of all the assets of the company.
Scanning Your Network Internally
LanGuard Network Security Scanner begins by scanning the entire network defined by a range of IP addresses. It is also possible to scan a list of computers or those under a specific domain. When scanned with null credentials, it generates a baseline scan giving you an idea of what any normal user would have access to. Apart from null credentials, you can set scanning credentials as a specific user or as the currently logged on user. Scanning with the full administrative access will provide complete details about any missing security patches and other vulnerabilities such as weak passwords used on shares.
While scanning, LanGuard Network Security Scanner displays its results in two panes. On the left are the nodes it has discovered and on the right is the real-time log of its activities. Each node on the left can be expanded to show the information LanGuard Network Security Scanner has gathered. The easy-to-read display shows the sorted results of SNMP queries, NetBIOS queries, ping sweeps and port scans, with which LanGuard has probed each IP in the range. If the number of IPs to be scanned is high, LanGuard indicates the progress in the lower-right corner of the screen.
Analyzing Your Results
After LanGuard has completed its scanning, you can analyze the results displayed. For a large list of IP addresses, the results are easier to read when you display them in a convenient report format. Choose from the several reporting options – you can also customize the report layout and content. You may also use the separate report generator tool.
The LanGuard report highlights all the known vulnerabilities and provides links to resources related to each problem. It lists all open ports and mentions problems with the service that the port provides. By default, LanGuard scans only a few ports notorious for their vulnerabilities. However, you can manually add more ports that you want LanGuard to scan.
Scanning Your Network Externally
You can also use LanGuard to access your network externally from a PC connected to the Internet. Select your public IP range and scan your network with null credentials. LanGuard will scan the ports of any IP addresses that do not respond to other queries and will expose any open ports that the firewalls and routers in the path have not blocked. You can set up different scanning configurations for LanGuard and save them for later recall.
Set Your Scanning Options
You need to adjust different settings when scanning LAN, WAN or MAN. The time to complete the scan depends on these settings. For example, with the Debug settings, you can control how much information LanGuard displays on its right pane; adjusting the settings in the SNMP section, you can control how LanGuard probes using SNMP.
There may be computers on the network that essentially block NetBIOS, ICMP and SNMP packets. LanGuard tackles such non-responsive machines by scanning their ports, provided you have enabled this option. However, this increases the scan time greatly.
Detect Missing Fixes & Security Patches
To keep itself current on the missing patches, LanGuard uses an XML file, which you can automatically download from Microsoft's Web Site. If you are using the registered version of LanGuard, you can deploy the missing patches remotely.
Document Your Activity
The registered version of LanGuard has a great tool for documenting your network. Configure it for a standard report output and list specific information about your network. Next time you scan, you can compare the reports to document the difference.
The report generator is a separate tool within LanGuard. You can use it to query the XML report files and create a custom report, which is a combination of multiple queries.
For any organization, the process of managing the inventory of assets, gathering information about vulnerabilities and then systematically patching them to protect from attacks, is a formidable task. Fortunately, automated tools for patch management make life easier for corporate IT teams. By automating much of the repetitive work, these tools allow IT to focus their expertise and knowledge where it benefits the company most – strengthening its cyber security.