Patch Auditing

Microsoft Patch Management Integration with Nessus - Part 1 WSUS

by Paul Asadoorian on December 16, 2011

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS server 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows server 2003 SP2 patches. If you are not familiar with WSUS it is freely available to Microsoft customers as part of your Windows server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter. When performing scans with the WSUS patch management plugins enabled and configured please note the following:

  • Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will login and perform credentialed scanning without querying the WSUS server data.

  • WSUS is queried when credentials fail - If credentials are not valid for a target system, or credentials are not entered at all into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
  • The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
  • Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

Patch Management Integration with Nessus Released

by Paul Asadoorian on December 6, 2011

Today, Tenable Network Security announced integration between Nessus and a variety of patch management systems that will simplify scanning in cases where credentialed scans are difficult or impossible. The integration allows Nessus and SecurityCenter users to establish direct links to patch management systems. This simplifies patch audits as the systems in your environment do not all have to contain credentials in order to be scanned.

The Unpatchables

by Jack Daniel on October 26, 2011

In a perfect world, there would be no vulnerabilities.  In a perfect patching world there would be a patch for every vulnerability and we would always be able to patch all of our systems as soon as a patch was available. In the real world we do the best we can and struggle with testing cycles, incompatibilities, and legacy applications which means sometimes we have to leave insecure and unpatched systems in production.

There are a variety of situations that can cause exposure:

  • Some patches break needed applications or cause compatibility problems
  • Patches may not yet be available for a vulnerability but the systems must stay online and exposed Legacy applications or operating systems may still be required (for example Internet Explorer 6 may be required to access a legacy web application, probably running on a legacy web server)
  • A maintenance window may not be immediately available when patches are released
  • Systems in development environments may be vulnerable during development and testing phases

Microsoft Patch Tuesday Roundup - June 2011

by Paul Asadoorian on June 15, 2011

Keeping Tabs On Patches

Let’s face it; we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:

  • Which patches are missing?
  • Which patches have been successfully installed?

If you only have one computer in the house, it probably annoys you to some degree when it’s time to apply patches, indicating that you are in fact missing patches. This answers the first question above, but the operating systems themselves have few measures for success. There are many situations that cause patches to fail, or leave vulnerable software behind after an update, that can easily be missed by the average user. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier is blocking operating system updates, you may never be able to answer the first question (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well with respect to Blackberry users in your environment). Never knowing that you even require patches to be installed is a big problem, as well as knowing if they even applied successfully.

A Much Larger Problem

Enterprises with 10,000 or more desktops exacerbate the problem of patch tracking. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:

patchtracking-sm.png
Click for larger image

Microsoft Patch Tuesday Roundup - April 2011

by Paul Asadoorian on April 13, 2011

It's very exciting (depending on your perspective) when there is a record-breaking Microsoft Patch Tuesday! April 2011 is the largest Patch Tuesday release in history, with 17 bulletins covering 64 different vulnerabilities across several products. While everyone is beating the "Microsoft Patch Tuesday Crisis Drum", attackers are continuing to have success breaking into major organizations using the "exploit du jour", some social engineering methods or a combination of both.

RallyToThePatch.jpg
Rally to patch your systems!

What I would like to suggest is a weekly, or even daily, "patch rally". Patching needs to be an ongoing process of checking to see if patches are available, applying the patches, and then verifying that the patches have been applied and installed properly. I don't think we need to "take time to stop and patch"; we just need to patch as a normal, everyday, regular business operation. It's sad that we have to install more software to fix broken software, but it has become the way of the IT world. If your business cannot sustain being patched, the you've probably chosen the wrong software and configurations and your business will likely be negatively affected. The negative effects happen in two ways: 1) you install the patches and your system and/or software fails as a result of a bug in either the software or the software patch or 2) you don't apply the patch and attackers compromise the system and ruin the integrity of the system and the data contained therein. So, hence my cry to "rally to the patch"!

Nessus: Mythbusters Edition

by Paul Asadoorian on January 20, 2011

I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.

BlowUpMyth.jpg

While we did not generate any large explosions for this post, I dove across the office, just because.

Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition

by Paul Asadoorian on December 15, 2010

MadSanta-SM.jpg

Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?

What Else Could You Say?

Note: The word "could" appears in the title of all 17 security bulletins this month

I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word “should”). I could say that despite all of the patches released, there are still most likely to be 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each one of the Microsoft Security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:

The Three Legged Stool Of Vulnerability Management

by Paul Asadoorian on August 31, 2010

Don't Fall Off The Stool

When I developed the course "Advanced Vulnerability Scanning Techniques Using Nessus", I wanted to mention some of the trade-offs we make when we perform vulnerability scans using different configurations. Nessus creator Renaud Deraison helped point out that it seems to come down to three factors: speed, intrusiveness and comprehensiveness. What I found was that these three factors were extremely important throughout the duration of the class, and I realize that for vulnerability scanning and vulnerability management, these factors must be taken into consideration.

3leggedstool_sm.jpg
"Vulnerability scanning is a balance between speed, intrusiveness and comprehensiveness."

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

by Paul Asadoorian on August 12, 2010

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft are still not exploring the various aspects of each vulnerability and specifically do not always specify whether or not vulnerabilities can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft’s statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already logged in user to execute the code to perform the privilege escalation. In this scenario, the attacker does not "have" the logon credentials. They are currently able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be executed remotely, provided you have already exploited a vulnerability that has granted you permissions to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.

parachute.jpg

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

by Paul Asadoorian on July 15, 2010

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.

ob1-mind.jpg

"These aren't the vulnerabilities you're looking for. You can go about your business."

Pages