All of these challenges are addressed by patch management tools and
processes. These tools help you track security alerts and patches, track and
manage your install base, and navigate the process of applying patches to
your systems. The end result is that you can lower the time during which you
are running your system unpatched (i.e., lower the time in which you are
vulnerable to an attack that may be launched against a known vulnerability).

It is important to note that while these tools are effective, you should set
your expectations in terms of the percentage of vulnerable time they can
reduce, especially in a database environment. When a vulnerability is
discovered, there is a time lag until the vendor releases a patch. This is
not instantaneous and can take up to a few months. Then comes the hard
part—applying the patch. You will normally need to test the patch before
applying it to the production environment, and that could take a couple of
weeks. Sometimes you will have to apply multiple patches or even upgrades
because the patch was not released for the specific version you are using.
Finally, you need to schedule downtime on the production environments to
apply the patches, and depending on your organization's process and the
severity of the vulnerability, this too can take time. Therefore, even the
most efficient handling of the patching process and the best supporting
tools do not necessarily mean fast turnaround. Incidentally, such orderly
(and time-consuming) processes do not apply to hackers. This asymmetry
was already mentioned and takes the form of zero-day attacks.

Patch management is considered to be a subset of configuration management,
and a patch management plan needs to be viewed as a coupling between a
configuration management plan and a risk assessment exercise. Creating a
patch management plan without mapping risks can mean unnecessary work and
can compromise availability and quality. A comprehensive patch management
plan has the following parts, and tools can help you automate some of these
tasks:

1. Map your assets. You should keep an up-to-date inventory of your
   systems and servers, including versions and patch levels that are
   installed. This information can be collected manually, but available
   tools can help you discover what's deployed on your network.
2. Classify your assets into criticality buckets such as mission critical,
   business critical, and business operational. These classes will help
   you prioritize and create timetables.
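
Steps 1 and 2 above, as an added example that is not part of the original text: an inventory holding versions, patch levels and criticality buckets is matched against one advisory to produce a prioritized patch timetable, including the case where no patch exists for the installed version. The product name, hosts, dates and the per-bucket deadlines are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy (not from the page): days from patch release to rollout.
DEADLINE_DAYS = {"mission critical": 14, "business critical": 30,
                 "business operational": 60}

@dataclass
class Asset:              # one inventory row (step 1)
    host: str
    product: str
    version: str
    patch_level: int
    criticality: str      # bucket assigned in step 2

@dataclass
class Advisory:
    product: str
    fixed_in: dict        # version -> patch level with the fix; absent = no patch
    disclosed: date
    patch_released: date

def patch_schedule(inventory, adv, today):
    """Rows (host, bucket, action, deadline, days_exposed), most critical first."""
    rows = []
    for a in inventory:
        if a.criticality not in DEADLINE_DAYS:
            raise ValueError(f"{a.host}: no criticality bucket assigned")
        if a.product != adv.product:
            continue
        fix = adv.fixed_in.get(a.version)
        if fix is not None and a.patch_level >= fix:
            continue      # already at or above the fixed level
        action = "upgrade, then patch" if fix is None else f"apply patch level {fix}"
        deadline = adv.patch_released + timedelta(days=DEADLINE_DAYS[a.criticality])
        rows.append((a.host, a.criticality, action, deadline,
                     (today - adv.disclosed).days))
    buckets = list(DEADLINE_DAYS)
    return sorted(rows, key=lambda r: (buckets.index(r[1]), r[0]))

# Constructed sample data: hosts, product names and dates are invented.
INVENTORY = [
    Asset("db-report-01", "ExampleDB", "9.2", 3, "business operational"),
    Asset("db-pay-01", "ExampleDB", "10.1", 4, "mission critical"),
    Asset("db-crm-01", "ExampleDB", "10.1", 6, "business critical"),
    Asset("db-hr-01", "ExampleDB", "10.1", 5, "business critical"),
    Asset("db-wiki-01", "OtherDB", "2.0", 1, "business operational"),
]
ADVISORY = Advisory("ExampleDB", {"10.1": 6}, date(2024, 1, 10), date(2024, 3, 4))
```

Calling `patch_schedule(INVENTORY, ADVISORY, date(2024, 3, 20))` returns three rows; the days-exposed column counts from disclosure, so it includes the vendor lag described earlier.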