RE: When is a Security patch not a patch?

[<jay.tomas () infosecguru com>]

List,

The issue is that Mark is seen  as the IT security dude. This sounds more operational which is why management/ sys 
admins are probably confused with his role. My guess is that he tinker's around (perhaps too much)on the technology 
side with metasploit and all the 'fun' activities we all do so stay intrigued with security.

Better defining the role as 'IT Risk' who maintains compliance and governance over patching and other threat and 
vulnerability management will help. Operational sys admins would understand they are responsible for BAU upkeep of 
their infrastructure, security or otherwise.

Another leverage is to explain/ present the issue of segregation of duties. One party needs to patch the system, 
another independent party needs to verify and validate its implementation.

These detective controls with supporting reporting can be presented to management. We have all been conditioned from 
birth RED = BAD, GREEN = GOOD. Circulate a report of all your assets with MSxx-0xx -UNPATCHED RED - Susceptable to 
Remote Compromise, see how quickly management , then in turn sys admins remediate the exposure.

Jay
----- Original Message -----
From: Justin Nordine [mailto:jnordine () mta-telco com]
To: mdisley () host igs net,saltynetguru () infosec-rusch com
Cc: security-basics () securityfocus com
Sent: Tue, 6 Mar 2007 10:25:53 -0900
Subject: RE: When is a Security patch not a patch?

I would be curious to see some other organizations Patch Management
Policies if anyone wouldn't mind sending me a copy of theirs.  We are
currently in the process of developing a policy for this very reason and
I would love to see some examples of what other organizations have done
in this area.

Thanks,
Justin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of TrueNorth Satellite Communications
Sent: Monday, March 05, 2007 9:43 AM
To: Jason P. Rusch
Cc: security-basics () securityfocus com
Subject: Re: When is a Security patch not a patch?

Exactly.  The sysadmins here seem to think that since I'm the one
identifying (read dreaming up) these vulnerabilities and by extension
the need for a subsequent patch, that I should be responsible for
applying them.  I've been trying to make the case that what we really
need, is a comprehensive "patch management policy" which includes
provisions for out of cycle, i.e. security patches.

Steve Wilson also commented that for security dudes to be doing patches,

it negates any credibility with regard to compliance, or in other words;

" the fox guarding the hen house".

Cheers,
Mark

Jason P. Rusch wrote:
> I seem to have the same issue. Management and more specifically the
> sysadmins seem to believe that since allot of the patches are security
> in nature, that now patch management falls under the responsibility of
> the security administrator. First off coming from the sysadmin ranks I
> would think most admins would prefer to patch their own systems for
may
> reasons I don't think I need to state and second do they really think
we
> have the time or expertise to deal with potential issues related with
> patching some systems.
>
> Starting 2 months ago I indicated to the admins (this was approved my
> management) through a new defined and formal MIS corporate policy,
that
> sysadmins would need to take ownership of the patch management process
> and that I would oversee the program including quarterly vulnerability
> assessments. I even took patch ownership of 1/4 of our servers (30
> servers out of 100).
>
> My situation is also ad-hoc practice as far as patch management goes,
> but what amazes me isn't that fact the admins seem to think its my
> responsibility to patch their systems, but that since I have stopped
> patching the vast majority of them, in most cases the admins not only
> are not patching their servers, but they don't seem to care.
>
> I have never worked with admins that have such a lack of motivation
when
> it comes to patch management.
>
> Basically it bowls down to how much weight MIS management is willing
to
> put behind it.
>
>
>
>
>
> On Thu, 2007-03-01 at 17:22 +0000, solutions () truenorthsatcomm ca
wrote:
> > Greetings,
> > I have a dilemma.  I'm the IT Security dude.  I'm responsible for
filtering incoming security information (CERT announcements, vendor
security patches, real threats, etc.) and doing an impact analysis on
them.
> > Since our organization is very structured i.e. ITIL I then send my
report to our Service Delivery team who is responsible for the hands on
sysadmin.
> > So my dilemma is this.  Management is now rethinking this approach
(since the Service delivery folks are quite busy) and is expecting me to
apply patches.  My argument is that;
> > a) No one person can have the detailed knowledge of all the OS's we
support (basically all OS's) to
> > be able to do this and;
> > b) That a security patch is just another patch, albeit more urgent
than patches applied during the regular patch cycle.
> > To be frank, there is no patch management procedure in  place at all.
Patches are applied in an adhoc "as needed" basis.
> > So what to do? Can anyone offer any insight?
> >
> > Please and Thanks,
> > Mark
------------------------------------------------------------------------
---
> > This list is sponsored by: BigFix
> >
> > If your IT fails, you're out of business - or worse.  Arm your
> > enterprise with BigFix, the single converged IT security and
operations
> > engine. BigFix enables continuous discovery, assessment, remediation,

> > and enforcement for complex and distributed IT environments in
real-time
> > from a single console.
> > Think what's next. Think BigFix.
http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/
ITNext/
> >
------------------------------------------------------------------------
---
> >