To Patch or Not to Patch Answering the CPU Question
2020-02-27
- 2. CON6302: To Patch or Not to Patch: Answering the CPU Question. Bruce Lowenthal, Senior Director, Oracle Security Alerts Group; Juan Perez-Etchegoyen, CTO, Onapsis. Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
- 3. Timeline of a 2017 Compromise (Oracle OpenWorld 2017)
  - Timeline of a 2017 compromise:
    - March: Struts 2 CVSS 10 fix released for CVE-2017-5638
    - Mid May to end of July: Equifax hacked, 143 million Americans compromised
    - September: public announcement; CEO called to testify before Congress; CIO and CSO retire
    - Equifax criticized for not applying fixes quickly enough
  - How does one determine how quickly Oracle fixes should be applied?
    - Should special care be given to mission-critical applications?
- 4. Business-Critical Applications: Why should we care about securing these applications?
  - Business-critical applications store and process the most critical business information in the organization. If these applications are breached, an intruder would be able to perform different attacks such as:
    - ESPIONAGE: obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
    - SABOTAGE: paralyze the operation of the organization by shutting down the system, disrupting interfaces with other systems, deleting critical information, etc.
    - FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
- 5. Business-Critical Applications: What defines them?
  - Big deployments with multiple servers
  - Proprietary components and protocols
  - Heavily integrated applications
  - Strong customization layer
  - Complex configurations
  - Critical business processes
  - Strict change management processes
  - Typically running on-premise
  - Some examples:
    - Oracle E-Business Suite
    - Oracle JD Edwards
    - Oracle PeopleSoft
    - Oracle Fusion Applications
- 6. Business-Critical Applications: Why are these applications different?
  - Proprietary protocols and components
    - JDENET, PeopleTools, T3, Oracle Forms, NodeManager…
  - Strong customization layer
    - E1JETDev, OMW (Oracle Management Workbench), OAF (Oracle Applications Framework), Siebel Query Language, Oracle ADF/JSF (Fusion)
  - Heavily integrated applications
    - EBS: Oracle Open Interface, Concurrent Program, Java™ Service, XML Gateway, PL/SQL API
    - JDE: Z Tables, Business Interfaces, JDENET
    - Fusion: Oracle Enterprise Repository (ADF Services, SOA, Business Events)
- 7. Business-Critical Applications: Traditional approach to securing them
  - The traditional security model is still applied to business-critical applications.
  - Auditors rely mostly on:
    - Segregation of Duties
    - Roles / role-to-user assignment / approval process
    - Emergency access
    - Default accounts
    - Change management process
    - Governance, Risk and Compliance (GRC) tools
  - AUDIT GAP: not patching business-critical applications might introduce multiple risks to the most important asset in the organization.
  - All of the above items are necessary, but they only address some insider threats. BUT what about outsiders, rogue employees, malware, state-sponsored hacks?
- 8. Business-Critical Applications: Research contribution
  - The research community plays an important role in the security of these applications.
  - Over the last few years Onapsis collaborated with Oracle on helping secure Oracle E-Business Suite.
- 9. Building the Patching Process: five steps, recurrent process
  - Patches released
  - Analysis
  - Prioritization
  - Patching
  - Testing
- 10. Keeping up with Oracle's periodic release of CPUs
  - Defining which patches are applicable to your organization
  - Defining which versions are vulnerable to the released patches
  - Prioritizing patches based on security or compliance mandates
  - Defining system downtime while applying patches
  - Checking for confirmation of proper implementation of patches
  - Aligning patch management with internal security patch SLAs
- 11. Building the Governance Program
  - Understand your risks in business-critical applications
  - Identify business-critical systems
  - Create a governance team
  - Vulnerability management and compensating controls
  - Generate reports and trends
  - Creating an internal program helps bridge departments within the company and align them to the common goal of Oracle cybersecurity while also achieving compliance.
- 12. Bridging the teams
  - Define the internal teams in your organization that should be involved
  - Determine what Oracle security means to your organization
  - Decide how mature you want your security process to be
  - Bridge communication between internal teams to form a common goal
  - Begin the governance program based on the security goals of the company, defined for business-critical applications
  - Set recurring check-ins to confirm the program is on track and meeting the demands of each internal team
  - Involved departments: Information Security and CISOs; Internal Audit teams; Apps DBA teams; Oracle Security teams; CIOs and LOB owners
- 13. Risk Analysis for Your Organization
  - Analysis of Critical Patch Update and Security Alert risk matrices
    - Is the Oracle product attackable in my installation?
    - Are the installed version and components vulnerable?
    - What is the impact of a successful exploit?
    - How many potential attackers are there?
    - How difficult is the attack?
    - Is this vulnerability directly attackable, or is the fix "security-in-depth" only?
  - Key point: you must review the risk matrix factors
- 14. Oracle Security Advisories and Urgency of Patch Application
  - Is the Oracle product attackable in my installation?
    - If the product is not used, it may still be installed (e.g. by default) and be vulnerable
  - Are the installed version and components vulnerable?
    - Are the vulnerable versions installed?
    - Are the vulnerable components installed?
- 15. Oracle Security Alerts
  - If the Oracle product version and component are installed and vulnerable AND this is an Oracle Security Alert:
    - Install immediately
    - Oracle only issues about two Security Alerts per year for over 1,000 products
    - Oracle Security Alerts are only issued for very serious vulnerabilities
    - Typically Security Alerts are issued when successful ongoing attacks are occurring or Oracle believes such attacks will be initiated very shortly
- 16. Impact of Successful Exploits
  - What is the impact of a successful exploit?
    - Confidentiality: unauthorized reading of data
    - Integrity: unauthorized modification, deletion or creation of data
    - Availability: unauthorized denial of access
    - Values: 'None', 'Low' (partial compromise), 'High' (full compromise, or partial with a direct, serious threat)
    - All three 'High': application takeover, Remote Code Execution
    - Scope: containing component compromised (e.g. app server or operating system)
- 17. Attack Vector
  - Attack Vector
    - Values: 'Network', 'Adjacent Network' (same LAN segment), 'Physical'
    - Value 'Local':
      - Need logon to containing infrastructure (e.g. OS logon)
      - Usually this means possible exploiters are limited to very few
      - If local logons are restricted to trusted people, the Oracle fix would be considered "security in depth"
- 18. Privileges Required
  - Privileges Required
    - Values: 'None', 'Low', 'High'
    - 'Low' versus 'High': do the privileges allow one to directly affect others? Yes = High
      - If High and only trusted people have High, the Oracle fix might be considered "security in depth"
      - Need logon to containing infrastructure (e.g. OS logon)
      - Usually this means possible exploiters are limited to very few
    - If None and Network, anyone with IP access can exploit
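The decision rules on slides 14 through 18 (installed and vulnerable? Security Alert? Local vector or High privileges held only by trusted people? all three impacts High? None privileges over the Network?) can be written down as one triage function. This is an added example, not part of the deck or any Oracle tooling; the row fields, the `Installation` facts and the urgency labels it returns are assumptions chosen to mirror the slides, and the sample row is constructed.

```python
from dataclasses import dataclass

@dataclass
class RiskMatrixRow:
    """One risk-matrix row as published with a CPU or Security Alert (constructed fields)."""
    cve: str
    security_alert: bool        # published as an Oracle Security Alert rather than a CPU entry
    attack_vector: str          # 'Network', 'Adjacent Network', 'Local' or 'Physical'
    privileges_required: str    # 'None', 'Low' or 'High'
    confidentiality: str        # each of C/I/A: 'None', 'Low' or 'High'
    integrity: str
    availability: str

@dataclass
class Installation:
    """What the deck asks you to establish about your own environment first."""
    vulnerable_version_installed: bool
    vulnerable_component_installed: bool
    local_logons_restricted_to_trusted: bool   # slide 17: trusted-only OS logons
    high_privs_only_trusted: bool              # slide 18: trusted-only High privileges

def classify(row: RiskMatrixRow, inst: Installation) -> str:
    """Map one advisory row plus local facts to a patch-urgency bucket (hypothetical labels)."""
    # Slide 14: the product may be installed by default even if unused, so check both
    # the version and the component before deciding the advisory does not apply.
    if not (inst.vulnerable_version_installed and inst.vulnerable_component_installed):
        return "not-applicable"
    # Slide 15: installed and vulnerable AND a Security Alert => install immediately.
    if row.security_alert:
        return "install-immediately"
    # Slides 17/18: the exploit needs a foothold that only trusted people hold,
    # so the fix is "security in depth" rather than an exposed attack path.
    if row.attack_vector == "Local" and inst.local_logons_restricted_to_trusted:
        return "security-in-depth"
    if row.privileges_required == "High" and inst.high_privs_only_trusted:
        return "security-in-depth"
    # Slide 16: all three impacts High => application takeover / remote code execution class.
    takeover = (row.confidentiality, row.integrity, row.availability) == ("High",) * 3
    # Slide 18: PR None over the Network => anyone with IP access can exploit.
    if row.privileges_required == "None" and row.attack_vector == "Network":
        return "urgent-takeover" if takeover else "urgent"
    return "high" if takeover else "standard-cycle"

# Constructed sample: a network-reachable, no-privilege, full-compromise flaw in an installed component.
SAMPLE_ROW = RiskMatrixRow("CVE-EXAMPLE-0000", False, "Network", "None", "High", "High", "High")
SAMPLE_INSTALL = Installation(True, True, True, True)

def sample_decision() -> str:
    return classify(SAMPLE_ROW, SAMPLE_INSTALL)   # 'urgent-takeover'
```

The order of the checks matters: a Security Alert on an installed component wins before any "security in depth" downgrade is considered, which is the ordering the deck itself implies.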
- 19. Attack Complexity, User Interaction
  - Attack Complexity
    - Values: