Matt Lipford, Managed Services Engineer
If you have been following these newsletters for some time, it is likely you are familiar with the various means Safe Systems employs to help your financial institution stay under the radar of your auditor/examiner. These mechanisms include Patch Management, CAPS (Critical Application Patching Service), and our Server Baseline Services (Server Hardening), to name a few.
I wanted to spend some time discussing our Server Baseline Services (SBS), specifically, how it has evolved, how it has been complemented by our other services, and our vision for the future of SBS.
For those not familiar with the term, I’ll start with a brief exposition on the process of SBS. Each month we aggregate vulnerability data from multiple depositories, one of the larger data points are all the CoreDefense reports from our Gladiator clients. From the aggregated information we correlate and trend frequency. We use this data as a roadmap to address the most frequent vulnerabilities each month.
Our process starts when a specific vulnerability exists on a critical mass of endpoints. We begin by investigating what options exist to resolve the issue. These resolutions can take multiple forms, including uninstalling a piece of software, updating that software, replacing a specific file, altering permissions, adjusting the registry, or any combination thereof. Available responses can vary greatly depending on the context of the vulnerability. In essence, SBS is an effort to script vulnerability remediation and to cover the gaps between the coverage scopes of Patch Management and CAPS. This scripted change is then comprehensively tested before being added to a master repository of such vulnerability resolutions. The same set of vulnerability-fixing scripts is then run across all SBS-protected machines.
In the service’s infancy, those of us working with SBS scripting sifted through relatively high numbers of occurrences for more common vulnerabilities; however, we have whittled this down and currently deal with much lower occurrence numbers. In large part this is due to CAPS as it directly addresses many of the vulnerabilities we previously had to manually script. Another large contributor to this progress is the cumulative nature of SBS, and we expect the number of occurrences of specific vulnerabilities to continue to decrease over time. Vulnerability data over time has proven this to be the case and we have made tremendous progress in drastically reducing the occurrence of most high level vulnerabilities. This allows for us to focus on new vulnerabilities as they are identified by the security community.
Recently, we noticed something that, upon investigation, revealed some unanticipated benefits of SBS. We found that with some vulnerabilities there can be numerous KB numbers corresponding to instances of that vulnerability, but on different Operating Systems and affecting various programs. In some instances not all of these patches were considered eligible in NetComply’s patching system. Further, we also found that these patches do NOT show as missing on the “affected” machines via Windows Update. This indicates that the Windows Update API itself does not recognize these patches. Depending on how an auditor or examiner checks for missing patches this could easily fly under the radar, but it bears mentioning that these patches do correspond to actual security vulnerabilities. We plan to script the installation of such patches to cover any gaps in security posture caused by their omission from patching systems.
In SBS this month we will be addressing a handful of these sorts of patches, and in doing so, we are effectively extending the security coverage for our clients beyond even what Windows Update can currently accommodate. Ultimately, this example is a testament to the value of a multi-tiered approach to vulnerability remediation for your financial institution’s security compliance.
Long term, we expect to begin looking at medium-level vulnerabilities to bolster the ever-increasing effectiveness of SBS from month-to-month. Our goal with SBS has always been to provide a mechanism of adaptation in an ever changing security environment. It is one more way that we strive to improve the quality of service we bring to our clients.