One of the biggest complaints or problems facing system administrators today is keeping current with the latest vulnerabilities. With so many identified and noted in various forums, how do system administrators know which ones to address? The same dilemma faces incident response teams. For incident handlers, the situation is often even more complex because they must be knowledgeable about a larger number of operating systems. How does the team keep current?
Several resources may be used to accomplish this goal. Advisories and alerts provided by other teams and vendors can be excellent tools with which to keep abreast of the latest holes and fixes. CERT CC advisories, in particular, should be monitored closely for alerts of serious problems. Advisories or postings from other teams and security groups can also provide valuable information regarding a new vulnerability.
Vendor advisories for specific systems covered by the team should be monitored as well. Patches or fixes available from the vendor should be identified in the announcement. Many vendors forward their alerts to the CERT CC, which posts those announcements on its Web site. Some vendors include special notes concerning the fix that should be carefully considered before any action is taken. For example, a vendor may indicate that a temporary fix is available but has not been thoroughly tested. In this case, the potential threat posed by the vulnerability must be weighed against the potential problems that may be encountered by installing an untested temporary fix, in order to determine whether action should be taken immediately.
Some vendors now offer alert services that are tailored to the organization. For a fee, this service provides daily, weekly, or monthly updates through a subscription-based service geared to the operating systems and programs present in the organization. Typically the updates will rank the severity of the threats identified. Some organizations offer the service with a focus on intelligence gathering, drawing information from additional resources that may provide indications and warnings of potential threats. The type of information and spin given to each advisory or report varies between service providers and should be selected based on the specific needs of the team.
The following avenues may also be used to keep current:
Mailing lists and newsgroups available on the Internet provide additional sources of information for keeping current. Some lists and newsgroups are better than others, and sometimes the team must sift through a lot of information to find the most applicable or valuable pieces.
Technical groups such as the Forum of Incident Response and Security Teams (FIRST) and InfraGard (both of which were described earlier in this book) can be valuable sources for establishing contacts to provide guidance on specific issues as well as updates to the latest vulnerabilities.
Conferences can be a valuable source of information on the latest tools, attacks, and responses. Some conferences, such as those sponsored by the SysAdmin, Audit, Network, Security (SANS) Institute, offer training that can lead to certifications.
Training from both internal and external sources can provide updates on vulnerabilities, threats, and the latest developments for addressing those threats.
Trade publications, books, and magazines may be useful for researching various subjects.
A team cannot afford to rely strictly on one source of information to keep current with vulnerabilities and countermeasures. The best approach is to utilize a combination of resources with time slotted for team members to conduct research. Despite the best efforts to stay up-to-date, remember to always be prepared for the unexpected.