
    Security Patch Management - An Overview of the Patching Process and its Challenges in Norwegian Businesses

    Cyber-attacks are growing more frequent and sophisticated, and they are impacting businesses of all sizes. This encourages businesses to use safe, flaw-free systems, making them less susceptible to cyber-attacks. The issue is that no system is flawless, and a substantial number of security flaws are discovered regularly. To ensure a system's security, patches are distributed and implemented. Patches can be complicated, and implementing them in systems can be difficult. This thesis seeks to identify the challenges that make the patching process difficult and to propose potential solutions. The thesis was conducted using a qualitative research strategy and methods such as a systematic literature review to identify the patching challenges reported by previous research. We conducted interviews with business professionals who were familiar with the patching procedure and had an understanding of cybersecurity. The majority of our interviewees were managers with additional expertise in leading patching teams. Prior studies indicated various challenges in the field of patching and urged further investigation into the issue. Our findings correlated with the challenges identified by prior research, and we uncovered important new challenges, such as the fact that patches for major vulnerabilities tend to be released just before a holiday, and that legacy systems are notoriously difficult to patch and are sometimes not patched at all. The significance of planning, organization, and communication in the patching process posed additional challenges. The contribution of this thesis to the patching topic is that we have identified "Planned patch delay" as a patch policy that contributes to a high security posture, provides time for patch planning, and mitigates a number of the challenges that might arise during the patching process.
Keywords: Patch, Security patching, Patch challenges, Patch legacy, Patch meetings, Patch policy, Patch prioritization, Patch process

    Software Vulnerabilities: Open Source versus Proprietary Software Security

    This study seeks to empirically investigate specific security characteristics of both open source software and proprietary software. Operating system vulnerability data spanning several years are collected and analyzed to determine whether significant differences exist in the inter-arrival times of published vulnerabilities and patch releases. Open source software is only marginally quicker in releasing patches for reported vulnerabilities. The arguments favoring the inherent security of open source software do not appear to hold up to scrutiny. These findings provide evidence for security managers to focus more on holistic software security management, irrespective of the proprietary nature of the underlying software.

    A SECURITY-CENTRIC APPLICATION OF PRECISION TIME PROTOCOL WITHIN ICS/SCADA SYSTEMS

    Industrial Control System and Supervisory Control and Data Acquisition (ICS/SCADA) systems are key pieces of larger infrastructure that are responsible for safely operating transportation, industrial operations, and military equipment, among many other applications. ICS/SCADA systems rely on precise timing and clear communication paths between control elements and sensors. Because ICS/SCADA system designs place a premium on the timeliness and availability of data, security ended up as an afterthought, stacked on top of existing (insecure) protocols. As precise timing is already resident and inherent in most ICS/SCADA systems, a unique opportunity is presented to leverage existing technology to potentially enhance the security of these systems. This research seeks to evaluate the utility of timing as a mechanism to mitigate certain types of malicious cyber-based operations, such as a man-on-the-side (MotS) attack. By building a functioning ICS/SCADA system and communication loop that incorporates precise timing strategies in the reporting and control loop, specifically the Precision Time Protocol (PTP), it was shown that certain kinds of MotS attacks can be mitigated by leveraging precise timing.
    Navy Cyber Warfare Development Group, Suitland, MD
    Lieutenant, United States Navy
    Approved for public release. Distribution is unlimited.

    Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios

    The composition of vulnerabilities in attack scenarios has traditionally been performed based on detailed pre- and post-conditions. Although very precise, this approach depends on human analysis, is time-consuming, and is not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability, and clues derived from plaintext descriptions; (ii) validate our initial composition model, which is based on required access and resulting effect; and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVEs) from the NVD. Using only nominal information, we are able, for example, to identify clusters in the class of vulnerabilities with no privilege, which represent 52% of the entries.

    Digital resilience and financial stability: the quest for policy tools in the financial sector

    As a result of the sweeping transition to a digitalised financial system, digital resilience is a fundamental pillar of financial stability. Achieving digital resilience poses a broad range of regulatory challenges in responding to a complex combination of risks, consisting essentially of cyber (in)security and the concentration of computing resources in the cloud. This article presents the guiding principles of the new regulatory logic needed in the microprudential and macroprudential fields, highlighting its special features and its relationship to the exceptional combination of risks at stake in the area of digital resilience. It also discusses the need for instrumental innovations, such as greater use of circuit breakers, the singular role of cooperation in cybersecurity regulation, and the unique challenges raised by the regulatory perimeter of digital resilience.

    A Highly-Available Multiple Region Multi-access Edge Computing Platform with Traffic Failover

    One of the main challenges in Multi-access Edge Computing (MEC) is steering traffic from clients to the nearest MEC instance. If the nearest MEC fails, a failover mechanism should mitigate the failure by steering the traffic to the next nearest MEC. There are two conventional approaches to this problem: GeoDNS and Internet Protocol (IP) anycast. GeoDNS is not failover friendly because of the Domain Name System (DNS) cache lifetime. Moreover, the use of a recursive resolver may cause the client's IP address to be mapped to an inaccurate geolocation. Thus, this thesis studies and proposes a highly available MEC platform leveraging IP anycast. We built a proof of concept using Kubernetes, MetalLB, and a custom health checker running on the GNS3 network emulator. We measured latency, failure percentage, and Mean Time To Repair (MTTR) to observe the system's behavior. The performance evaluation of the proposed solution shows an average recovery time of under one second. The number of failed requests and the latency overhead grow linearly as the failover time and the latency between two MECs increase. This thesis demonstrates the effectiveness of IP anycast for MEC applications in steering traffic to the nearest MEC instance and in enhancing resiliency with minor overhead.