
Blog Author: Brian Honan, Consultant, BH Consulting

Brian Honan's blog 22-01-2010 01:19

To IE or Not To IE

My apologies to any of you who study the classics for my mangling of the Bard's famous line, but I wanted to chip in on the ongoing debate sparked by the recent 0-day vulnerability discovered in Microsoft Internet Explorer, which was reportedly used in the recent attack on Google's systems.  Both the German and French governments urged their citizens to stop using Internet Explorer and switch to another browser.  The Australian CERT, AusCERT, took the opposite view and stated that the calls to move away from Internet Explorer were "overblown".  As I write this post Microsoft is releasing the patch for this vulnerability outside of its normal monthly patch cycle.

Since the Internet Explorer vulnerability came to light, and especially since the French and German governments recommended using another browser instead of Internet Explorer, I have been asked by numerous clients what they should do.  Now that the patch has come out, those same clients are asking whether they should roll it out immediately or put it through a testing and release cycle first to ensure the patch won't cause any adverse damage.

Software patches, whether from Microsoft or other vendors, bring with them inherent risks that we need to consider before rolling them out onto production systems.  Will the patch introduce new problems as well as fixing the ones identified?  Will it affect other applications and systems?  If we patch we may have system problems; if we don't we may have a security breach.  Not the easiest of choices for an IT or information security professional to have to make.

This is not the first time we have faced this type of choice, nor will it be the last.  New and serious vulnerabilities will be discovered in the software we use, so you should have a process in place to manage that problem.  I recommend the following outline as a basic plan for dealing with this type of issue:

  • Only you and your organisation understand your systems and the risks to them.  Therefore, before making any decision, conduct a full risk assessment.  Take into account the type of organisation you are, the type of data you hold, and the mitigating controls you already have in place.
  • Based on that risk assessment, make a concise and factual presentation to senior management, laying out the options for addressing the issue clearly, together with the potential downside of each.
  • Whatever solution is decided upon must be agreed and signed off by senior management.
  • Set up an incident response team to respond either (a) to any side effects of the selected plan of action or (b) to a compromise of your systems in spite of the steps taken.
  • As part of the plan, confirm that all your backups have been running successfully and, more importantly, that you can actually restore from them.
  • Have key contact details to hand for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies and extranet contacts.
  • Communicate clearly with the user population, explaining why the patch is being deployed (or not) and asking them to report any unusual behaviour.
  • Ensure that all anti-virus software and signatures are up to date.
  • Ensure that all intrusion detection/prevention system signatures are up to date.
  • Consider how best to deal with remote PCs and laptops that may not be connected to your corporate network, since these are the machines your normal deployment tools will miss.
  • Make sure your perimeter firewall is configured properly and that, where possible, host-based firewalls are installed on desktops and, more importantly, on servers.
  • Ensure that all users are made aware of the threat and that the advice not to click on links or attachments in unexpected emails is reinforced.
  • Conduct regular vulnerability assessments against your systems to confirm that you have actually patched all key devices, rather than assuming the deployment succeeded.
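One way to carry out the last step in practice, and to surface the off-network laptops mentioned a few bullets earlier, is to ask every host in your estate whether the update is actually present and report the ones that are missing it or cannot be reached. The PowerShell script below is an added example written for this post; it is not code from the original article or from Microsoft. Everything it relies on is an assumption not stated on the page: the KB number is a placeholder to be replaced with the ID of the update you are tracking, hosts.txt is a constructed list with one hostname per line, and the account running the script needs remote WMI rights on the targets.

```powershell
# Added example for this post (not code from the original article or from Microsoft).
# Reports, for every host in a list, whether a given Windows update is installed,
# so that "we have rolled out the patch" is checked rather than assumed.
# Assumptions, none of which come from the page: the KB number is a placeholder
# (substitute the ID of the update you are tracking); hosts.txt is a constructed
# list with one hostname per line; the running account has remote WMI rights on
# the targets. Requires PowerShell 2.0 or later.
#
# Usage:  .\Check-Patch.ps1 -KB KB000000 -HostList .\hosts.txt -Report .\patch-status.csv

param(
    [Parameter(Mandatory = $true)]
    [string]$KB,                                # placeholder ID, e.g. "KB000000"
    [string]$HostList = ".\hosts.txt",          # constructed input: one hostname per line
    [string]$Report   = ".\patch-status.csv"
)

function Get-PatchStatus {
    param([string]$Computer, [string]$HotFixId)

    # Unreachable machines (off-network laptops, remote PCs) are exactly the ones
    # most likely to stay unpatched, so record them rather than silently skipping.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return New-Object PSObject -Property @{
            Computer = $Computer; Status = "UNREACHABLE"; InstalledOn = $null; Detail = "no ICMP reply"
        }
    }

    try {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI. Pull the whole list
        # and filter locally so that "update not present" and "WMI call failed"
        # stay distinct: only the latter raises an exception here.
        $fix = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $HotFixId } |
               Select-Object -First 1

        if ($fix) {
            return New-Object PSObject -Property @{
                Computer = $Computer; Status = "INSTALLED"; InstalledOn = $fix.InstalledOn; Detail = ""
            }
        }
        return New-Object PSObject -Property @{
            Computer = $Computer; Status = "MISSING"; InstalledOn = $null; Detail = ""
        }
    }
    catch {
        # Access denied, RPC server unavailable, firewall blocking WMI, and so on.
        return New-Object PSObject -Property @{
            Computer = $Computer; Status = "ERROR"; InstalledOn = $null; Detail = $_.Exception.Message
        }
    }
}

$hosts   = Get-Content $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
$results = foreach ($h in $hosts) { Get-PatchStatus -Computer $h -HotFixId $KB }

# Full detail for the deployment team, summary counts for the management update.
$results | Select-Object Computer, Status, InstalledOn, Detail |
    Sort-Object Status, Computer |
    Export-Csv -Path $Report -NoTypeInformation

$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Two caveats worth knowing before trusting the output. Win32_QuickFixEngineering only lists updates installed through the Windows update mechanisms, so an update applied some other way can show as MISSING; that errs in the safe direction, but chase the discrepancy rather than editing the report. And a host that answers ping but returns ERROR is not "probably fine": until WMI (or some other inventory channel) confirms the update, treat it the same as MISSING when you report the numbers to management.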

With regard to this latest patch from Microsoft, bear in mind that if Microsoft considers the risk great enough to warrant an out-of-band release, then the question you need to answer is how soon, not whether, you roll it out to your systems.



Permalink:
http://www.infosecurityadviser.com/view_message?id=175


© 2009 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs