How neglecting the security aspect

of patch management is just asking

for trouble!

Waqas Mahmood

Solution Specialist, Security Engineer wmahmood@secunia.com

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 2

Revisiting DOE Breach and its impact

Financial & Non Financial impacts of a security breach

The Challenge

Patch management with a vulnerability management approach

Complete Patch Management

VI+VS+PC+PD = Complete PM

Security policy and baseline

Risk Assessment and Prioritization

Remediation or mitigation

How to Improve

QA

Agenda

Reasons not to neglect patch

management

Causes and consequences

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 4

The U.S. Department of Energy data

breach, July 2013

“Our review identified a number of technical and

management issues that contributed to an environment in

which this breach was possible.”

- DoE

Source: “Special Report – Department of Energy’s July 2013 Cyber Security Breach”, DOE/IG0900, December 2013

http://energy.gov/ig/downloads/special-report-ig-0900

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 5

May 2011 – First incident with no loss of Personal

Identifiable Information (PII)

January 2012 – Second incident with no loss of PII

July 2013 – Third incident leading to the breach of

104,000 PII records

History

Vector: software vulnerability! “The Department had not taken appropriate action to

remediate known vulnerabilities on its systems either

through patching, system enhancements or upgrades.”

Source: “Special Report – Department of Energy’s July 2013 Cyber Security Breach”, DOE/IG0900, December 2013

http://energy.gov/ig/downloads/special-report-ig-0900

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 6

Data exposed

104,000 records with personally identifiable information

(PII) of past and present employees, family members and

contractors were exposed, including:

• Names

• Birth dates and places of birth

• Social Security numbers

• Education

• Bank account numbers

• Information about disabilities

• Security questions and answers

Source: “Special Report – Department of Energy’s July 2013 Cyber Security Breach”, DOE/IG0900, December 2013

http://energy.gov/ig/downloads/special-report-ig-0900

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 7

$1.6 million for credit monitoring and labor costs

$2.1million in lost productivity related to employees being released to take

corrective actions associated with the data exposed by the breach

Non-calculated costs associated with recovery and lost productivity – funds

that could have been used to support the Department’s core mission

Damage to the Department’s reputation

Loss of employee confidence

Financial and non-financial impact

Source: “Special Report – Department of Energy’s July 2013 Cyber Security Breach”, DOE/IG0900, December 2013

http://energy.gov/ig/downloads/special-report-ig-0900

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 8

Average financial losses associated with security incidents is up by 18% in 2013

compared to 2012

Number of cases with losses above $10 million up by 51% since 2011

The average cost to remediate a security incident is $531 (per incident).

Organizations considered to be leaders in security strategy report an average

cost of $421 (per incident)

We cannot ignore the costs associated with security incidents

“the cost of remediation is rising

because more records across more jurisdictions are

being impacted, and security controls have not kept

pace with the ever-changing threat landscape.” PWC

Source: “Defending Yesterday – The Global State of Information Security Survey 2014”, PWC, CIO magazine, CSO magazine, 2013

http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 9

Did your organization suffer a security breach in the past 12 months?

Yes

No

I don’t know

Question 1

Improving the foundation of your

security

Implementing basic controls

How neglecting the security aspect of patch management

is just asking for trouble! 23-06-2014 11

“97% of breaches could have been avoided through simple or

intermediate controls.”

Good security starts with the basics The importance of having a secure foundation

Verizon, 2012 Data Breach Investigations Report, (March 2012),

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

How neglecting the security aspect of patch management

is just asking for trouble! 12

Waqas Mahmood

Solution Specialist, Security Engineer

wmahmood@secunia.com

Watch the entire webinar here:

Neglecting the security aspect of patch

management is just asking for trouble!