How to build a resilient patching strategy for your systems

Source: Internet
Author: User
Tags: exception handling, prepare, time interval, bigfix, firewall

Worms such as Slammer, Sobig and Blaster caused large-scale network outages; Slammer and Blaster in particular spread by exploiting known system vulnerabilities. Patches that blocked them were available before the outbreaks, yet they did little to curb the spread, mainly because the patching process in most organizations was weak.

Patching is difficult for two reasons. First, the interval between the disclosure of a vulnerability and its exploitation by attackers keeps shrinking, so users do not have enough time to repair their systems. Second, large numbers of clients become both the targets and the accomplices of worm attacks, which lets the worm spread much more widely; and besides Windows, routers, switches, firewalls, UNIX and Linux are targets as well. Experts regard patching as a long-term project, and people need to prepare for a long campaign.

  Preparation before patching

Nicastro, a senior systems consultant at International Network Services, points out that patching is a control process that many users neglect: it requires continuous monitoring, assessment, testing, deployment and validation of patches. Patching is also not a one-person job; it needs the security team, the operations team and the developers working together.

Uncontrolled growth of the network is the biggest enemy of network security. Users must know the current state of their network assets: build an asset list, track changes to it, keep careful records, estimate the cost of remediation and draw up a prioritized repair plan. If any one of these steps is missing, patching becomes very hard to carry out.

Drawing up the asset list means finding out what each machine is actually running, which takes considerable effort and usually some time. The inventory is closely tied to asset management and configuration management and needs a dedicated owner. Patching is a physical process, so an effective organizational structure is needed to carry it out, and establishing a security incident response team is the best way to do that. Such a team can manage vulnerabilities in an organized manner, respond quickly to each one, check every device in the asset list for where a given vulnerability applies, and update the list weekly.
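The asset list and priority repair plan described above, as an added example that is not part of the original article: a small Python script that matches a constructed asset inventory against constructed vendor advisories, flags assets whose inventory record is too incomplete to assess, and orders the affected (asset, advisory) pairs by a priority score. Host names, product names, version numbers, advisory ids and the weighting scheme are all invented for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    role: str
    criticality: int            # 1 (lab box) .. 5 (revenue-critical)
    exposure: str               # "internet", "dmz" or "internal"
    # product -> installed version string, or None if not yet inventoried
    software: dict = field(default_factory=dict)


@dataclass
class Advisory:
    advisory_id: str            # invented ids, not real advisories
    product: str
    fixed_in: str               # first version that contains the fix
    severity: int               # 1..5, as rated by the security team
    wormable: bool              # exploitable over the network without user action


EXPOSURE_WEIGHT = {"internet": 3, "dmz": 2, "internal": 1}


def parse_version(text):
    """'2.0.9' -> (2, 0, 9). Tuples compare numerically, whereas the strings
    '2.0.9' and '2.0.47' would compare the wrong way round."""
    return tuple(int(part) for part in text.split("."))


def affected(asset, advisory):
    """True if the asset runs a version of the product older than the fix."""
    installed = asset.software.get(advisory.product)
    if installed is None:
        return False    # absent, or version unknown: reported by inventory_gaps()
    return parse_version(installed) < parse_version(advisory.fixed_in)


def inventory_gaps(assets, advisories):
    """Assets that list an advisory's product but have no recorded version.
    They cannot be assessed, so the plan is incomplete until they are inventoried."""
    gaps = []
    for advisory in advisories:
        for asset in assets:
            if advisory.product in asset.software and asset.software[advisory.product] is None:
                gaps.append((asset.host, advisory.product))
    return sorted(gaps)


def priority(asset, advisory):
    """Invented scoring: severity x business criticality x exposure, doubled for wormable flaws."""
    score = advisory.severity * asset.criticality * EXPOSURE_WEIGHT[asset.exposure]
    return score * 2 if advisory.wormable else score


def repair_plan(assets, advisories):
    """(score, advisory_id, host) triples, highest score first."""
    plan = [(priority(a, adv), adv.advisory_id, a.host)
            for adv in advisories for a in assets if affected(a, adv)]
    return sorted(plan, key=lambda t: (-t[0], t[1], t[2]))


# Constructed sample data: hosts, versions and advisories are invented.
INVENTORY = [
    Asset("web-01", "public web server", 5, "dmz", {"httpd": "2.0.9", "openssl": "0.9.6"}),
    Asset("db-01", "order database", 5, "internal", {"dbserver": "8.0.1"}),
    Asset("fw-edge", "edge firewall", 4, "internet", {"fwos": "6.1.0"}),
    Asset("lab-07", "test box", 1, "internal", {"httpd": "2.0.10", "dbserver": None}),
    Asset("desk-113", "user workstation", 2, "internal", {"dbserver": "8.0.1", "rpc": "5.0.0"}),
]
ADVISORIES = [
    Advisory("ADV-0001", "httpd", "2.0.47", 4, False),
    Advisory("ADV-0002", "dbserver", "8.0.2", 5, True),
    Advisory("ADV-0003", "fwos", "6.1.0", 3, False),   # already at the fixed version on fw-edge
]

if __name__ == "__main__":
    for score, adv, host in repair_plan(INVENTORY, ADVISORIES):
        print(f"{score:4d}  {adv}  {host}")
    for host, product in inventory_gaps(INVENTORY, ADVISORIES):
        print(f"GAP   {host}: version of {product} not recorded")
```

The gap report is the part practitioners most often skip: an asset whose version is unknown silently drops out of the plan, which is exactly the "do not start patching without an asset list" failure the article warns about.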

  How to fix

The patching process can be summarized in four steps: track vulnerability changes closely, test patches repeatedly, deploy from a small pilot group out to the whole estate, and verify that the patched devices are complete and functioning properly.

The process starts with monitoring security vulnerabilities and finding patches for the devices in the asset list. Once a vulnerability is identified as a threat, the security team should begin testing the patch immediately. If a user lacks the funding for a dedicated test environment, the user should at least try to simulate the environment of the critical business systems. After the patch is tested, the user has to complete patch distribution, deployment, exception handling, tracking, reporting, and so on. Patching is like firefighting: contain the worm or virus on the affected network segment before starting the patching process.

Engates, CTO of Rackspace, says that patching routers and firewalls is very similar to upgrading software versions. The company assigns a network engineer to track vulnerabilities in firewalls and routers. Once a patch is identified, the engineer notifies the IT director; if the patch fixes a critical flaw, the information goes directly to the vice president in charge, who personally organizes the patching. The patch is tested in Rackspace's lab, which holds a scaled-down model of the corporate network; the testing time depends on the size of the patch. Patches are deployed in a pre-arranged maintenance window, and the security team assesses the patching process afterwards.

Engates says that patching a server is slightly different from patching a firewall. Linux is a distinct platform; Rackspace has no formal Linux configuration management tools and relies more on manual operation. Fortunately, Linux is less likely to have problems than Windows. When Engates determines that a vulnerability exists on a Windows server, a process similar to firewall patching begins immediately, and patch testing takes at least 48 hours to ensure nothing breaks. If a problem occurs, Engates suspends the deployment and asks Microsoft for technical support; the service is fee-based, but Engates considers it important to maintain a close relationship with Microsoft.
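The pilot-to-full rollout and the verification step, as an added example that is not part of the original article or of Rackspace's tooling: a Python script that splits hosts into waves from least to most critical, checks each wave's post-patch reports for the fixed version and a passing health check, and halts the rollout at the first exception, the way the text says deployment should be suspended when a problem appears. Host names, versions, the wave scheme and the report format are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    criticality: int            # 1 (lab) .. 5 (revenue-critical)
    installed: str              # version of the product before the rollout


def parse_version(text):
    """'8.0.2' -> (8, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def rollout_waves(hosts, pilot_size=2):
    """Order hosts from least to most critical and split them into waves:
    a small pilot first, then one wave per criticality level, so a bad patch
    is caught on the least important machines before it reaches the rest."""
    ordered = sorted(hosts, key=lambda h: (h.criticality, h.name))
    pilot, rest = ordered[:pilot_size], ordered[pilot_size:]
    waves = [pilot]
    for host in rest:
        if waves[-1] is pilot or waves[-1][0].criticality != host.criticality:
            waves.append([host])
        else:
            waves[-1].append(host)
    return waves


def verify_wave(wave, fixed_in, reports):
    """Check each host's post-patch report: the fixed version must be installed
    and the service must pass its health check. A missing report is itself an
    exception (agent dead, host unreachable). Returns (verified, exceptions)."""
    verified, exceptions = [], []
    for host in wave:
        report = reports.get(host.name)
        if report is None:
            exceptions.append((host.name, "no report: host unreachable or agent not running"))
            continue
        version, healthy = report
        if parse_version(version) < parse_version(fixed_in):
            exceptions.append((host.name, f"still on {version}"))
        elif not healthy:
            exceptions.append((host.name, "patched but health check failed"))
        else:
            verified.append(host.name)
    return verified, exceptions


def run_rollout(hosts, fixed_in, reports, pilot_size=2):
    """Deploy wave by wave and stop at the first wave with an exception, so
    hosts in later waves are never touched by a patch that broke something."""
    log = []
    for index, wave in enumerate(rollout_waves(hosts, pilot_size)):
        verified, exceptions = verify_wave(wave, fixed_in, reports)
        entry = {"wave": index, "verified": verified, "exceptions": exceptions}
        entry["action"] = "halted" if exceptions else "continue"
        log.append(entry)
        if exceptions:
            break
    return log


# Constructed sample data: invented hosts and versions.
FIXED_IN = "8.0.2"
HOSTS = [
    Host("lab-07", 1, "8.0.1"), Host("lab-08", 1, "8.0.1"),
    Host("desk-113", 2, "8.0.1"), Host("desk-114", 2, "8.0.1"),
    Host("app-02", 4, "8.0.1"), Host("db-01", 5, "8.0.1"),
]
# Constructed post-patch reports: host -> (installed version afterwards, health check passed)
REPORTS_GOOD = {h.name: ("8.0.2", True) for h in HOSTS}
# One workstation reported success but its version never changed.
REPORTS_BAD = dict(REPORTS_GOOD, **{"desk-114": ("8.0.1", True)})

if __name__ == "__main__":
    for entry in run_rollout(HOSTS, FIXED_IN, REPORTS_BAD):
        print(entry)
```

Verification here compares the version the host actually reports against the fixed version rather than trusting the deployment tool's exit status; that is the difference between "patch sent" and "device patched", which is what the fourth step of the process is meant to establish.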

  Patching a client

Defining the scope of patching is a challenge for many users. In the past four months, attacks have no longer been limited to servers but have extended to clients. Client patching used to be a periodic, routine upgrade cycle; that is no longer adequate.

Worms travel very fast, and people often have no time to close the client's network port. At the start of the Blaster attack, Microsoft recommended blocking port 135 to stop the worm from spreading, but the security manager at Pitney Bowes said that shutting down the port was itself a denial-of-service attack. Pitney Bowes has now begun extending its automated patching process from servers to clients. Following the Blaster outbreak, it deployed BigFix management software, which gives full visibility of Pitney Bowes's wide area network across 18 countries. If someone shuts down the antivirus software on a desktop, BigFix restarts it, and if a client has no antivirus software installed, BigFix installs it automatically.

  "Five musts" and "four don'ts" for patching systems

A patch management team must be established to track changes in system vulnerabilities.

A process for evaluating, testing and deploying patches must be established.

A set of tools that support patch management must be selected.

A process for verifying the effect of each patch operation must be developed.

In an emergency, the hazard or worm must be isolated first.

Do not start patching without creating an asset list.

Do not assume that a patch management tool can solve all problems.

Do not postpone deployment of a patch that has been identified as very important.

Do not assume that attacks come only from outside and never from within; attacks by infected internal clients are almost universal.
