Evaluation flowcharts can help determine risk and associated patching timelines for critical security bulletins.
I recently had the opportunity to help a client perform a risk evaluation on Microsoft Security Bulletin MS12-020 related to RDP vulnerabilities that could allow remote code execution without authentication. It was rated at Critical by Microsoft. At the time of release, it was suggested this would be a potential for large scale exploit. Shortly after release of the security bulletin, proof-of-concept exploit code was released.
The evaluation flowchart below helped our client define their timeline for patching, either immediately or during normal monthly system maintenance depending on answers to the questions in the risk evaluation process.
Hopefully the Patching and Vulnerability Team in your organization evaluates critical security bulletins and vulnerability announcements in a similar way to determine applicability, scope, and risk in your environment. Having a risk evaluation process embedded in your team, plus simple tools like this should ensure that (1) you don’t miss the critical stuff and expose your systems to threats needlessly; and (2) you don’t over-react and become the boy who cried wolf.
Contact me if you want the Visio diagram below to seed your next critical security bulletin evaluation.
Definition of Accessible
The system can be accessed by systems on the Internet or by business partners through a firewall. Accessible by systems internal to client is not in scope.
Definition of NLA
Network Level Authentication is an authentication method that can be used to enhance RD Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created.
Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.
Steve Lodin is a consultant with Pondurance and has been a CISSP since 1998.