< Excel 0day taking pointers from Sensepost | HD Moore and Destiny's Child >
Here's the abstract:
This document aims to provide a complete discussion on vulnerability and patch management. The first chapters look at the trends relating to vulnerabilities, exploits, attacks and patches. These trends describe the drivers of patch and vulnerability management and situate the discussion in the current security climate. The following chapters then aim to present both policy and technical solutions to the problem. The policies described lay out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, identifying vulnerability, strategies for reducing downtime and generating metrics to measure progress. Having covered the steps that can be taken by users, a strategy describing how best a vendor should implement a related patch release policy is provided. An argument is made that current monthly patch release schedules are inadequate to allow users to most effectively and timeously mitigate vulnerabilities. The final chapters discuss the technical aspect of automating parts of the policies described. In particular the concept of 'defense in depth' is used to discuss additional strategies for 'buying time' during the patch process. The document then goes on to conclude that in the face of increasing malicious activity and more complex patching, solid frameworks such as those provided in this document are required to ensure an organisation can fully manage the patching process. However, more research is required to fully understand vulnerabilities and exploits. In particular more attention must be paid to threats, as little work as been done to fully understand threat-agent capabilities and activities from a day to day basis.
Here is a brief chapter breakdown:
- Vulnerability and Patch Management - an analysis of vulnerability, malware and threat trends followed up by an analysis of problems with patches.
- Policy Solutions - an in-depth patch management framework for creating an organisational patch management policy.
- Vendor Release Patch Policy - an analysis of how vendors can best manage the risks associated with releasing patches.
- Practical Solutions - an analysis of where technology is needed in patch management and what is currently available.
The thesis is still being examined after which I will submit the final version with corrections. What this means is that if you have any corrections, please send them to me.
The thesis was examined and passed. Irritatingly, one examiner strongly recommended a distinction while the other strongly argued against one (on the basis that the thesis was not scientific enough, but highly practical). At least there was no ambivalence.
UPDATE: added compressed versions.
UPDATE II: added new version with over 32K worth of corrections.
UPDATE III: Updated examination status to passed.
Tracked: Jul 19, 13:08
Tracked: Jan 17, 12:15
Tracked: May 12, 06:12