Patch & Vulnerability

Duress Internal Documents

How we fix any issues.

Patch and Vulnerability Standard

Security configurations in line with policy and vendor recommendations must be maintained for all systems. Patch and vulnerability management (assessment and remediation) must be formalised through a documented and approved process. The process must address the following requirements:

a) Scope and justify systems applicable to the process from a risk perspective referencing the asset inventory.
b) Evaluate the operational risk associated with reported vulnerabilities and prioritise remediation actions to manage the identified risk.
c) Establish roles and responsibilities associated with technical patch/vulnerability management. These roles specify who is responsible for:

• Vulnerability monitoring - those receiving the notification alerts from vendors and other security advisory groups.
• Vulnerability risk assessment - those assessing the impact on the environment and setting the priorities.
• Authorisation - for the change control to apply patches.
• Patch verification - those testing and applying the patches.
• Patch management - those tracking the distribution of the patches across Duress’s environment for all production systems.

d) Coordination responsibilities - how the vulnerability notification and patch application are communicated across the various groups that are responsible for patch deployment.

• Include a sub-process for monitoring vendor announcements regarding the end of life of their technology platforms (software and hardware).

System owners are responsible for ensuring that Duress Information Resources are patched and are not exposed to known vulnerabilities. Technical vulnerabilities reported by vendors and security advisory groups must be dealt with in a timely manner.

Patches

Patches are applied to the production environment in a timely manner, ensuring the environment is operating at an optimum level. When patches are not readily available, or deployment has an unacceptable adverse impact on business, the Security Operations Team needs to consider the applicability of the following mitigating risk management controls:

• Network filtering
• Increased monitoring
• Awareness training/communications
• Virtual patching
• Temporarily disabling impacted services/features

All patches are subject to Security Acceptance Testing and User Acceptance Testing (UAT) to ensure patches don’t impact the operational security posture or have a detrimental effect on the production environment.

Vulnerability Testing & Remediation

To understand the risk and respond appropriately to vendor Zero-Day vulnerabilities, the Incident Management Policy must be invoked. Specific security testing activities must be conducted to identify vulnerabilities in IT infrastructure and services on an ongoing basis. These include:

a) Vulnerability Scanning – To baseline the vulnerability posture and validate the patching process by identifying unpatched systems.
b) Configuration Reviews – Automated validation of approved security baseline configurations for application, server O/S, network, and end-user systems.
c) Invalid Change Validation – Leverage the configuration review process to confirm that only approved configuration changes were actioned.
d) Penetration Tests – To test the effectiveness of the security controls implemented, or to validate a weakness in a control identified during the design review or product evaluation phase. The following criteria must be considered when establishing the need for a penetration test:

- Regulatory requirements.
- Type of system e.g., Internet or internal facing.
- Data Classification (Data Classification Standard).

Vulnerability levels for security issues

Duress has adopted the CVSS scoring method for each specific vulnerability.

Severity Level   CVSS score    Response time
Low              0.1 – 3.9     24 hours
Medium           4.0 – 6.9     8 hours
High             7.0 – 8.9     4 hours
Critical         9.0 – 10.0    1 hour

Below are some examples of vulnerabilities that may result in each severity level.

Severity Level: Critical

Vulnerabilities that score in the critical range usually have most of the following characteristics:

• Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
• For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.

Severity Level: High

Vulnerabilities that score in the high range usually have some of the following characteristics:

• The vulnerability is difficult to exploit.
• Exploitation could result in elevated privileges.
• Exploitation could result in significant data loss or downtime.

Severity Level: Medium

Vulnerabilities that score in the medium range usually have some of the following characteristics:

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
• Denial of service vulnerabilities that are difficult to set up.
• Exploits that require an attacker to reside on the same local network as the victim.
• Vulnerabilities where exploitation provides only very limited access.
• Vulnerabilities that require user privileges for successful exploitation.

Severity Level: Low

Vulnerabilities in the low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access. Vulnerabilities in third-party code that are unreachable from Duress code may be downgraded to low severity.