Question

I believe there are two deadly attitudes in cybersecurity: “This is how we have always done it” and “It will never happen to me.” On March 14, 2017, Microsoft issued a critical security bulletin for the MS17‐010. This vulnerability, nicknamed EternalBlue, was an exploit written by the National Security Agency (NSA) and was leaked to the general public by the Shadow Brokers hacker group exactly one month later. EternalBlue exploits a Microsoft SMB vulnerability and, in short, the NSA warned Microsoft about the theft of the exploit allowing the company to prepare a patch. Too many people did not install the patch, and in May of the same year, the WannaCry ransomware virus used the EternalBlue exploit to infect these vulnerable systems. More emergency patches were released by Microsoft. Again, many people did not patch, and in June, NotPetya malware swamped the globe, focusing on the Ukraine in June 2017.

Have you ever watched a horror movie and thought to yourself, “That was your first mistake … that was your second … and third …”? If organizations had been paying attention in March, they would have been fine. If they had paid attention in April, they would have learned how to circumvent the exploit. Again, in May and then again in June, patches could have been run and problem averted. The exploit is still a problem today and has morphed into many variations, targeting the cryptocurrency industry with malware called WannaMine. Cryptojacking is a term we use to define the process where malware silently infects a victim's computer and then uses that machine's resources to run very complex decryption routines that create currency. Monero is a cryptocurrency that can be added to a digital wallet and spent. It sounds fairly harmless, but thinking back to the CIA triad, you are losing your CPU and RAM resources to the malware, and it can spread across your network. If you think of the volumes of processing power and bandwidth it will consume in your organization, you definitely don't want this infection.

The lesson learned is that we must keep our systems up‐to‐date. In your patch management program, you will have to include operating system patches and updates for Microsoft, Apple, and Linux as well as third‐party applications such as Chrome, Firefox, Java, and Adobe Flash. You may have other software or firmware on your network. If you have a system with software, you must have security policy outlining when to patch systems. If you take the risk of not patching, you will leave your systems vulnerable to an attack that is preventable.

The patch management lifecycle will start with an audit where you scan your environment for needed patches. After you know which patches are needed and before you roll out those updates to the entire organization, test those patches on a nonproduction system. If you do not, you take the risk of breaking something with what should have fixed it. If you are able to identify issues before a global production rollout, your operations should not be impacted. Once you know what patches are missing and which patches are viable, install them on the vulnerable system. Most of the time, this is done with Windows Update. Most enterprise‐sized organizations will use some type of patch management software solution.

Focusing on your most vulnerable systems like those running Windows operating systems, as well as highly vulnerable third‐party programs like Adobe Flash, Adobe Reader, and Java, is one of patch management's key concepts. Starting with your most risky yet mission‐critical devices allows you to allocate time and resources where they will be best utilized and will provide the most risk mitigation.

Depending on the size of your organization, how many people you have on your cybersecurity team, the hours they can devote to patch management, and how many systems need to be kept up‐to‐date, you may want to utilize third‐party patch management software. For Microsoft patching specifically, Microsoft includes a tool called Windows Server Update Services (WSUS) with all Windows Server operating systems. WSUS may be sufficient, unless you are using other third‐party applications like Adobe Flash or Java. There are several open‐source tools available, but I have used and like the ease of deploying Desktop Central by ManageEngine.

ManageEngine Desktop Central is web‐based, desktop management software. It can remotely manage and schedule updates for Windows, Mac, and Linux, both in local area networks and across wide area networks. In addition to patch management, software installation, and service pack management, you can also use it to standardize desktops. You can use it to keep your images current and synchronized by applying the same wallpapers, shortcuts, printer settings, and much more.

Desktop Central is free for small businesses and supports one technician across 25 computers and 25 mobile devices. Its professional and enterprise versions make it scalable as your business grows. The free edition still gives you access to all the essential features of the software, and it is easy to set up.

In Lab 12.1 , you'll be installing Desktop Central by ManageEngine.

---

LAB 12.1 : INSTALLING DESKTOP CENTRAL

1. Browse to https://www.manageengine.com . In the upper‐right corner of the screen, open the search field by clicking the magnifying glass. Type Desktop Central . The Download link will be one of your options.
2. Choose the appropriate architecture, either 32 bit or 64 bit. The file should automatically download to the Downloads folder. Before you leave the page, should you need to register for free technical support, you can do that here.
3. Navigate to your Download folder. Find the ManageEngine_DesktopCentral executable and double‐click it.
4. During the install process, you will get a warning to define exceptions for the c:\ManageEngine directory. Antivirus could possibly interfere with database files. Check to make sure your antivirus is turned off during installation.
5. DesktopCentral also uses port 8020 by default for the web server port. If you are using port 8020 for another service or software, you can change it during this process. Keep the rest of the defaults and finish the installation. It will take a few minutes.
6. Once the installation finishes, double‐click the new icon on your desktop to start DesktopCentral. To open the DesktopCentral Client, open your browser to http://localhost:8020 . Figure 12.2 shows the login page.

   

   Figure 12.2 : Log in to DesktopCentral through a browser.

7. On the login page, log in with the default username admin and password admin .

---

The patch management process begins with the installation of an agent. Once the agent is downloaded and installed from the Scope of Management (SOM) page, it will scan the system it is installed on, and you can view the missing patches. At that point, you can either install patches manually or automate and schedule the patching process. As you see in Figure 12.3 , which is a screenshot taken directly from the software, after either of those processes, you will have the ability to run targeted reports and graphs.

Figure 12.3 : Patch management processes in DesktopCentral

In Lab 12.2 , you'll be setting up the SOM, installing an agent, and automating a critical patch.

---

LAB 12.2 : INSTALLING DESKTOP CENTRAL AGENTS

1. Scope refers to the list of computers that are managed and can be limited to a small set of computers or the whole domain. A Windows network is typically based on Active Directory (AD). When you install this software, it automatically will discover all the AD domains and workgroups. Take an inventory of the domains and workgroups in AD so you are able to correlate those with what is autodiscovered in the next step.
2. To view the domains that have been automatically discovered, go to the Admin tab, go to SOM Settings, click Scope Of Management and then open the Computers tab. From here, you can orchestrate the installation of agents to those machines. In Figure 12.4 , the Scope Of Management page is open to the computers listed.

   

   Figure 12.4 : Scope Of Management page in DesktopCentral

3. To download the LAN agent directly from the console, you can use the Download Agent in the upper‐right corner to download the zip. Once you have the file unzipped, double‐click the setup.bat file. In Figure 12.5 , you see your options are to press 1 to install and press 2 to stop. Press 1 to manually walk through the agent install.

   

   Figure 12.5 : Downloading and installing the agent manually to a Windows system

4. Refresh the Computers page, and the system you added the agent to should appear. Navigate to the Home menu and click Patch Management. From here, you are able to see exactly what patches are installed and which ones are missing as well as graphics on system health and missing patches based on severity. Figure 12.6 shows the example Windows machine missing a Java Runtime patch, which happens to fall into the Top 20 Vulnerabilities.

   

   Figure 12.6 : The Dashboard page of Patch Management in Desktop Central

5. On the left side of the console, under the Dashboard icon, click the Patches icon directly underneath. In the list on the right is a breakdown of patches that are needed. You can install, download, or decline a patch as well as see detailed information linked to this patch, including the patch ID and bulletin ID. You can click a link to learn more about the specific patch that is necessary to the health of the system. Figure 12.7 shows the Java vulnerability information and what system is lacking the patch and platform.

   

   Figure 12.7 : Install/Uninstall Windows Patch configuration

6. Click the patch ID of the vulnerability you want to patch and then click Install Patch. In Figure 12.7 , you see the Install/Uninstall Windows Patch page based on the operation type with the scheduler and deployment settings. If you have any critical patch vulnerabilities, check them and deploy immediately. You could also choose to deploy a patch after a specific number of days to make sure it is stable.

   The target machine will get a pop‐up message, stating that the DeskCentral Administrator is applying packages to your machine. The console shifts to the Deployment page where you can watch the current status of the patch move from Yet To Be Applied to In Progress to Succeeded. As shown in Figure 12.8 , you'll get the details of the patch process configuration and execution status as well as summary in graph form.

   

   Figure 12.8 : Deployment execution status for patch management of a Java vulnerability

---

The time between the discovery of a vulnerability and the action an IT administrator should take to protect the environment from that vulnerability should be as short as possible, especially on assets that are mission critical. That philosophy can possibly cause issues where rapid patch management causes a problem with change management and quality assurance testing. It will be a balance evaluating the risk of an unpatched system with the possibly of breaking systems in the process of fixing it. Creating a patch management program where you document your strategy for establishing, documenting, and maintaining the changes is the beginning. The next level in your security maturity model should be configuration management. You must have a hardened baseline.