Next, capture the needs and uses for all applications and services intended to be run on the server. For each server, it is good practice to formally design the operating system build, including procedures and handling recommendations. A “deny all, add essential” philosophy should be applied when adding any features to the operating system builds, to prevent unnecessary services from running. All configuration information for the build should be fully documented and put into a change control process. Any future changes to the specification should go through a change control and approval process.
For every server used in the organization, implement the server according to a designated, change-managed, build specification. Test the server implementation to ensure it is properly hardened. There are many documents and resources available on the Web to show how to configure particular operating systems, such as Windows, Linux, Solaris, and so on, for a hardened configuration. A good starting point is the CERT© Coordination Center Web site [2]. Once properly configured, the hardened server is ready for the installation of the business-essential applications it will support. These applications should be carefully scrutinized, as many applications install with default settings that enhance performance rather than security. After the necessary applications have been installed, it is important to develop a “run book” documenting the “how to” actions needed to sustain the hardened server in proper configuration. When the server is ready for production, and all items have been fully documented in the “run book,” the final step is to deliver a hardening build specification document to the IT administration group to ensure the server is managed according to organizational security standards.
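One way to test a server against its build specification under the “deny all, add essential” rule, shown as an added example that is not from the book. The `BUILD_SPEC` structure, the host and service names, and the sample `systemctl` output are constructed assumptions.

```python
# Added example: audit enabled services against a "deny all, add essential"
# build specification. BUILD_SPEC and SAMPLE_OUTPUT are constructed.

BUILD_SPEC = {
    "server": "web01",  # hypothetical host name
    "essential_services": {
        "sshd.service", "nginx.service", "chronyd.service", "auditd.service",
    },
}

# Constructed sample in the format printed by:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
SAMPLE_OUTPUT = """\
auditd.service   enabled enabled
chronyd.service  enabled enabled
cups.service     enabled enabled
nginx.service    enabled disabled
rpcbind.service  enabled disabled
"""

def parse_enabled_services(text):
    """Return the set of unit names whose STATE column is 'enabled'."""
    units = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "enabled":
            units.add(fields[0])
    return units

def audit(spec, enabled):
    """Compare observed services with the change-managed build spec."""
    essential = set(spec["essential_services"])
    return {
        "unapproved": sorted(enabled - essential),  # enabled, not in the spec
        "missing": sorted(essential - enabled),     # in the spec, not enabled
    }

def is_compliant(report):
    return not report["unapproved"] and not report["missing"]

if __name__ == "__main__":
    report = audit(BUILD_SPEC, parse_enabled_services(SAMPLE_OUTPUT))
    for svc in report["unapproved"]:
        print(f"DENY {svc}: not in build spec; disable or raise a change request")
    for svc in report["missing"]:
        print(f"MISS {svc}: required by build spec but not enabled")
    raise SystemExit(0 if is_compliant(report) else 1)
```

The non-zero exit status on any deviation lets the check run as a scheduled job, with the findings recorded in the “run book.”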
7.6 System Patches
Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Organizations should have an effective monitoring process to identify new vulnerabilities in their hardware and software. Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch. Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade sys-
