Creating a Patch and Vulnerability Management Program: Recommendations of the National Institute of Standards and Technology (NIST)

ISBN-10: 1469909642
ISBN-13: 9781469909646
Category: Technology & Engineering
Pages: 76
Language: English
Published: 2005-11-30
Authors: Peter Mell, Tiffany Bergeron, David Henning

Description

Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after an exploitation has occurred. Patches are additional pieces of code developed to address problems (commonly called "bugs") in software. Patches enable additional functionality or address security flaws within a program. Vulnerabilities are flaws that can be exploited by a malicious entity to gain greater access or privileges than it is authorized to have on a computer system. Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable vulnerabilities and available patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities. This document provides guidance on creating a security patch and vulnerability management program and testing the effectiveness of that program. The primary audience is security managers who are responsible for designing and implementing the program. However, this document also contains information useful to system administrators and operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing patches and enterprise patching software). Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is one of the most common issues identified by security and IT professionals. 
New patches are released daily, and it is often difficult for even experienced system administrators to keep abreast of all the new patches and ensure proper deployment in a timely manner. Most major attacks in the past few years have targeted known vulnerabilities for which patches existed before the outbreaks. Indeed, the moment a patch is released, attackers make a concerted effort to reverse engineer the patch swiftly (measured in days or even hours), identify the vulnerability, and develop and release exploit code. Thus, the time immediately after the release of a patch is ironically a particularly vulnerable moment for most organizations due to the time lag in obtaining, testing, and deploying a patch. To help address this growing problem, it is recommended that all organizations have a systematic, accountable, and documented process for managing exposure to vulnerabilities through the timely deployment of patches. This document describes the principles and methodologies organizations can use to accomplish this. Organizations should be aware that applying patches and mitigating vulnerabilities is not a straightforward process, even in organizations that utilize a formal patch and vulnerability management process. To help with the operational issues related to patch application, this document covers areas such as prioritizing, obtaining, testing, and applying patches. It also discusses testing the effectiveness of the patching program and suggests a variety of metrics for that purpose. NIST recommends that Federal agencies implement the following recommendations to assist in patch and vulnerability management. Personnel responsible for these duties should read the corresponding sections of the document to ensure they have an adequate understanding of important related issues.
