Sensitive Data is More than "Important"
All but one of this month's Microsoft Patch Tuesday updates relates to Microsoft Office applications and/or Windows components that handle documents (such as RTF, TXT, and Word Document files as described in MS11-071). The three Office-related bulletins are listed as "important" on the Microsoft site, despite the fact that they allow for remote code execution. Another bulletin, MS11-074, announces issues with Microsoft's SharePoint, a server application for sharing information and managing documents.
While I don't recommend completely ignoring Microsoft's risk categories, developing your own metrics for risk classification can go a long way to improving your defenses and patch management programs. Vulnerabilities that target Microsoft Office users who have access to sensitive data are a higher priority to patch. It’s critical to know where sensitive data lies so that you can identify if the data is at risk from these vulnerabilities. SecurityCenter's management and Nessus's auditing capabilities provide you with valuable information to identify where sensitive data resides in your network and help you prioritize your patch schedule.
For example, Nessus can perform a variety of content checks to look for credit card, financial, personal, copyrighted and other types of sensitive data. The dashboard below summarizes a variety of different types of sensitive data audits:
One of the things I like best about the dashboard shown above (which can be downloaded from this entry on the SecurityCenter Dashboard Site) is that you can overlay other types of results, such as the systems that contain vulnerabilities for which an exploit exists. If I had to prioritize a patch rollout, I might start with systems that have access to sensitive data and also have vulnerabilities that can be easily exploited.
To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:
- MS11-071 - Nessus Plugin ID 56174 (Credentialed Check)
- MS11-072 - Nessus Plugin ID 56175 (Credentialed Check)
- MS11-073 - Nessus Plugin ID 56176 (Credentialed Check)
- MS11-074 - Nessus Plugin ID 56177 (Credentialed Check)
- Microsoft Security Bulletin Summary for September 2011
- OSVDB Microsoft Bulletins - Complete Reference
- More on DigiNotar Certificates, and September Bulletins(Microsoft Security Response Center Blog)