
Saturday, November 5, 2011

Sweet Spot - Patch Applications

Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators become better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment?

Every application that is installed must be continually inventoried and promptly updated. One example is the software inventory report in the Kaspersky Anti Virus tool, which lists each software package and version found on every system where the Kaspersky agent is installed. The option is configured in the Administration Server under Reports and Notifications and then Server Applications. The report can be generated automatically and emailed daily. Become familiar with how the report normally looks so that any deviation is immediately noticeable.

Qualys BrowserCheck can be used to identify web browsers and associated plug-ins that need to be updated. The free Business Edition generates a unique address that, if used by all computers in the company, produces aggregate reports covering every device that has visited it. Consider setting this address as the users' home page, and encourage them to regularly update their browsers both at work and at home.

Microsoft System Center Configuration Manager (SCCM), formerly known as Systems Management Server (SMS), and Dell Kace KBox both provide built-in capabilities to inventory each software package. Of particular value are the software versions installed on all systems. This list can be compared to the current versions available.

The free Splunk application for Linux, named Splunk *NIX, includes a standard report named Latest Packages by Host that can also be automated and emailed daily. This detailed information can be found within the Splunk application at Configs --> OS Packages --> Latest Packages by Host.

Windows includes a fascinating tool, Windows Management Instrumentation Command-line (WMIC), that allows the administrator to retrieve up-to-date information about a given Windows system. The WMIC command to list the software installed on Microsoft Windows is discussed at Command Line Kung Fu Blog.

The psexec tool from Microsoft can be used to perform a software inventory, particularly for applications that do not use the standard Windows Installer. For example, create a batch file on the C drive named baseline.bat and invoke it weekly with scheduled tasks. The command uses psexec to look for all executables and sends the output to a file named ExeFound.txt, prefixed with the computer name. The following example can be saved as that batch file and regularly scheduled to run on Windows systems.

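@echo off
rem dir is a cmd.exe built-in, so psexec has to start it through cmd /c; /s /b lists every .exe under C:\ with its full path.
rem -accepteula keeps the first run from waiting on the license dialog when started by a scheduled task.
psexec -accepteula cmd /c dir /s /b C:\*.exe > %computername%_ExeFound.txt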

On Linux systems, the md5sum utility is typically installed and can be used to create MD5 checksums of the contents of a folder and write the results to a file. md5sum can then compare the current checksums to those stored in the previously generated file. Any file that has changed since the last baseline is noted in the exception report.
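The baseline-and-compare cycle described above, as an added example that is not part of the original post. The function names and report wording are assumptions, and it goes one step past the text by also flagging files that did not exist when the baseline was taken, which `md5sum -c` alone does not report.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.

# make_baseline DIR FILE: write "checksum  path" for every regular file under DIR.
# Keep FILE outside DIR so the baseline does not end up listing itself.
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k2 > "$2"
}

# check_baseline DIR FILE: print the exception report; exit status 1 on any deviation.
# Call it from the same working directory as make_baseline, or pass DIR as an
# absolute path, so that the paths recorded in FILE still resolve.
check_baseline() (
    export LC_ALL=C                      # stable sort order and untranslated "OK"
    tmp=$(mktemp -d) || exit 2
    # Changed or deleted files: md5sum -c re-hashes every path in the baseline.
    # Dropping the ": OK" lines leaves only the FAILED entries.
    md5sum -c "$2" 2>/dev/null | grep -v ': OK$' > "$tmp/failed" || true
    # New files: compare the recorded path list with what is on disk now.
    # A baseline line is 32 hex digits plus 2 separator characters, then the path.
    cut -c35- "$2" | sort > "$tmp/known"
    find "$1" -type f | sort > "$tmp/current"
    comm -13 "$tmp/known" "$tmp/current" | sed 's/$/: NEW/' > "$tmp/new"
    cat "$tmp/failed" "$tmp/new"
    if [ -s "$tmp/failed" ] || [ -s "$tmp/new" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    exit "$rc"
)

# Typical use (paths are placeholders):
#   make_baseline  /opt/app /var/lib/baseline/app.md5     # once, on a known-good system
#   check_baseline /opt/app /var/lib/baseline/app.md5     # from cron; mail any output
```

Keep the baseline file where the monitored account cannot rewrite it, since anyone able to edit the baseline can hide a change from the report.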

Perfecting these commands and adding them to an automated baseline script is an excellent way to periodically list the packages installed on a given system. This script, when distributed to all systems, can be invaluable in determining changes to your servers and workstations.

Include the Microsoft Malicious Software Removal Tool (MSRT) in the packages distributed by Microsoft Windows Server Update Services (WSUS). The free MSRT tool is deployed monthly and is useful to eliminate known and disruptive malware.

The output from these tools offers concise reports that are good candidates to send to system administrators. It will help them become involved in securing the network as they begin to understand what software should be installed and learn from you the proper response when unexpected or outdated software is found.