In this lesson, we're going to discuss a network hardening technique known as patch management. So what exactly is patch management? Well, patch management is the planning, testing, implementing and auditing of software patches. Patch management is critical to providing security and increasing uptime inside your network, as well as ensuring compliance and improving features in your network devices, your servers, and your clients. Now, patch management is going to increase the security of your network by fixing known vulnerabilities inside of your network devices, things like your servers, your clients, and your routers and switches. Now in terms of our servers and clients, patch management is going to be conducted by installing software and operating system patches in order to fix bugs in the system software. Patch management can also increase the uptime of your systems by ensuring your devices and software are up-to-date and they don't suffer from resource exhaustion or crashes due to vulnerabilities within their code. Patch management is also used to support your compliance efforts.
One of the biggest things that's looked at within a compliance assessment is how well your patch management program is being run and conducted. This way you can ensure it's effective and is keeping your systems up-to-date and patched against all known vulnerabilities, such as CVEs, or common vulnerabilities and exposures, that have patches associated with them. Now, patch management is also going to be used to provide improvements and upgrades to your existing feature set as well. Many of your patches don't just fix existing problems, but they can also add other things like features and functionality when you do those upgrades. By ensuring that you're running the latest version of the software and that it's fully patched, you can ensure you have the best feature set with the highest security available. Now, as you can imagine, there are a lot of different patches out there because each manufacturer is going to create their own patches for their specific applications and software.
Part of your job inside of the patch management process is keeping track of all the various updates and ensuring they're getting installed properly throughout all of your network devices. This includes your switches, your routers, your firewalls, and your servers and clients. Patch management is not just concerned with ensuring that a patch is installed, though; it's also important to ensure it doesn't create new problems for you when you do that installation. After all, patches themselves can have bugs in them too, just like any other software can. Therefore, it's really important for you to effectively conduct patch management by following four critical steps: first, planning; second, testing; third, implementing; and fourth, auditing. Step one is planning. Planning consists of creating policies, procedures, and systems to track the availability of patches and updates, and having a method to verify that they're compatible with your systems. Planning is also used to determine how you're going to test and deploy each of those patches.
A good patch management tool can tell you whether or not the patches have been deployed, installed, and verified functionally on a given system or client. For example, in large enterprise networks, you may use the Microsoft System Center Configuration Manager, known as SCCM, or you can buy a third party tool to conduct your patch management. Step two, testing. When conducting patch management, it's really important to test any patch you receive from your manufacturer before you automate its deployment throughout your entire network. As I said before, a patch is designed to solve one problem, but it can also create new ones for you if you're not careful. Within your organization, you need to ensure that you have a small test network, a lab, or at the very least, a single machine that you're going to use for testing new patches before you deploy them across your entire network. After all, many of our organizations have unique configurations within our networks, and these patches can break things.
So while a manufacturer tries to make sure that a patch is not going to harm our systems, they cannot guarantee this because everyone has different configurations. Instead, it is better to find out if a patch is causing issues in your lab environment before you push it across 10,000 workstations across the entire enterprise network. 'Cause if you do that, you're going to have a lot of end users yelling and screaming at you when their systems crash. Step three, implementation. After you've tested the patch, it's now going to be time to deploy it to all the workstations and servers that are going to need it. You can do this manually by going to each system and installing it yourself, or you can do it automatically by deploying that patch to your client workstations and servers using one of those tools like SCCM that we talked about earlier. This way, it will install the patch and move it into production for you.
If you have a small network of just a few clients or servers, you may choose to install things manually and do it that way because it's really quick and easy and it costs no additional money for a third party tool. But if you have a large network, you're going to want to use some kind of tool. Microsoft provides one known as SCCM, the Microsoft System Center Configuration Manager, but you can also use third party management tools with a lot more features and additional abilities if you want to. Now, some organizations rely on automatic updates from the Windows Update system, but others decide they want to have complete control over the installation of patches. For large organizations, it is highly recommended that you centrally manage all your updates through an update server instead of using the Windows Update tool. This will allow you to test the patch prior to deploying it across your entire environment. To disable Windows Update on your clients, you simply need to disable the Windows Update service from running automatically on those workstations.
If you have a lot of mobile devices throughout your network, you also need to figure out how you're going to do patch management for those devices. The easiest way to do this is by using a mobile device manager, or MDM, which works like one of these patch management servers, but has additional features as well. Alright, now, when it comes to testing, you may not have your own dedicated test network or lab environment to use, but you still need to do testing. So what are you going to do? Well, one thing you can do is split up your production network into smaller groups. In organizations I've led in the past, we use the concept of patch rings when we deploy out new patches. In patch ring one, we have 10 or 20 end user machines that we'll deploy our patches to first. If it doesn't break anything on those machines, then we'll move out into patch ring two, which has a hundred or 200 people, and this will include things like our system administrators and our service desk workstations, so we can instantly figure out if things are going wrong.
If that works successfully, we'll then go into patch ring three, which contains a thousand or 2,000 machines. And finally we'll move out to patch ring four, which includes everybody else, and that may be 10 or 20,000 machines. Now, the benefit of doing the deployments this way as we move through the various patch rings is that if there is an issue, I'm only affecting a smaller group of users before I break all the users on the network. If I did it to everybody at once, I'd have 20 or 30,000 people who are complaining when things break. But by doing it in these smaller steps, I only have 10 or 15 people who are yelling at me and I can fix things quicker. All right, step four, auditing. Now, auditing is important because you have to understand the client status after you conduct your patch deployment. So I pushed out the patch. Did it work?
During auditing, you're going to be able to scan the network and determine if that patch that you pushed out actually installed properly, or whether there were any kind of unexpected failures that meant the patch wasn't really installed or isn't providing the protection it's supposed to. Again, if you're using a tool like the Microsoft System Center Configuration Manager, SCCM, or a third party management tool, you'll be able to conduct scanning and verification of your workstations and servers to ensure that the patches have been installed properly and with no issues. Now, if you're using Linux or OS X, they also have built-in patch management systems. For example, Red Hat Linux uses a package manager to deploy RPMs, which are packages of patches, to your servers and workstations. So the same concepts and principles are going to apply here. Now, in addition to conducting patch management across our workstations and servers, it's also important for us to conduct firmware management for our network devices.
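The patch ring rollout and the auditing step described above, put together as an added example (not code from the lesson or from any of the tools it names): each ring is deployed, then audited by comparing installed versions against the patched version, and the rollout halts before the next ring if any host is still unpatched. The hostnames, ring layout, version numbers and the simulated deployment that fails on one host are all constructed for the example.

```python
# Added example: ring-based patch rollout with an audit gate after every ring.
# Hosts, rings and version numbers are constructed; the deploy function stands
# in for whatever actually installs the patch (SCCM, a package manager, etc.).
from typing import Callable, Dict, List, Set, Tuple

Inventory = Dict[str, str]  # hostname -> installed version string

# Assumed: the patch raises the affected package to this version (constructed).
PATCHED_VERSION = "2.4.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.4.1" into (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory: Inventory, hosts: List[str], required: str = PATCHED_VERSION) -> List[str]:
    """Auditing step: the hosts in this ring still below the patched version."""
    need = parse_version(required)
    return [h for h in hosts if parse_version(inventory[h]) < need]


def staged_rollout(rings: List[Tuple[str, List[str]]], inventory: Inventory,
                   deploy: Callable[[Inventory, List[str]], None],
                   max_failures: int = 0) -> dict:
    """Implementation step done ring by ring; halt when a ring's audit finds
    more than max_failures unpatched hosts, before the next ring is touched."""
    report = []
    for name, hosts in rings:
        deploy(inventory, hosts)
        failed = audit(inventory, hosts)
        report.append({"ring": name, "targets": len(hosts), "unpatched": failed})
        if len(failed) > max_failures:
            return {"halted_at": name, "rings": report}
    return {"halted_at": None, "rings": report}


def make_simulated_deploy(failing: Set[str]) -> Callable[[Inventory, List[str]], None]:
    """Stand-in for the real deployment tool: installs the patch on every host
    except those in `failing`, which model an install that did not apply."""
    def deploy(inventory: Inventory, hosts: List[str]) -> None:
        for h in hosts:
            if h not in failing:
                inventory[h] = PATCHED_VERSION
    return deploy


def run_example() -> dict:
    # Constructed inventory: twelve workstations, all on the vulnerable release.
    inventory = {f"ws{n:02d}": "2.4.1" for n in range(1, 13)}
    rings = [
        ("ring1-pilot", ["ws01", "ws02"]),
        ("ring2-admins-servicedesk", ["ws03", "ws04", "ws05", "ws06"]),
        ("ring3-everyone-else", [f"ws{n:02d}" for n in range(7, 13)]),
    ]
    # ws05 models a machine where the patch silently fails to apply.
    result = staged_rollout(rings, inventory, make_simulated_deploy({"ws05"}))
    result["still_vulnerable"] = audit(inventory, sorted(inventory))
    return result


if __name__ == "__main__":
    print(run_example())
```

Because ring two's audit reports ws05 as unpatched, ring three is never deployed, so the failure is investigated while only a handful of machines are affected.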
After all, all of our network devices are running some form of software, and this is known as firmware inside of our routers, our switches, our firewalls, and our other network appliances. If your network devices don't contain the latest and most up-to-date firmware versions, then you could have security vulnerabilities and software bugs that could be exploited by an attacker. If you look at the common vulnerabilities and exposures, or CVE, website, you're going to see a long list of vulnerabilities that we have for all sorts of different networking devices. Just select the Cisco devices and you'll see a long laundry list of those that have been patched and fixed over time. So just like you need to patch your operating system for a Windows or Linux computer, you also need to update the operating system of your network devices. In a Cisco device, this is known as the Cisco IOS, or Internetwork Operating System. Now, to update the IOS version, you need to flash the firmware on that networking device.
Some manufacturers like Cisco provide a centralized method of conducting firmware management inside your enterprise network, and this helps with our patch management. For example, Cisco uses the Cisco UCS Manager to centralize the management of resources and devices and to conduct firmware management for your server network interfaces and server devices. There are also third party tools like Device Expert by ManageEngine that allow you to upgrade, downgrade, and manage the configuration of the firmware for all of your network devices using automation, orchestration, and scripting. The bottom line here is that you need to do firmware management to ensure you have the right firmware versions loaded onto those network devices, so that you have the right security for those devices, just like we do with our workstations and clients when we use patch management.