Operational Excellence Webinar Series Patch Management Dynamics of


Operational Excellence Webinar Series
Patch Management: Dynamics of (in)security
ReBIT in collaboration with Sequretek & Kotak Bank
http://webinar.rebit.org.in
Webinar support from Cisco

Agenda

Speakers:
- Anand Naik, Co-CEO of Sequretek: Patch and Vulnerability Management Best Practice
- Ninad Chavan, Information Security Governance, Kotak: Case Study at Kotak
- Agnelo D’souza, CISO Kotak: Moderator
- Vivek Srivastav, SVP-R&I, ReBIT: Moderator

Agenda:
- ReBIT’s Industry Initiatives
- Stats on Patching
- Security Vocabulary
- Patch and Vulnerability Management Best Practices
- Case Study at Kotak Bank
- Q/A Sessions

ReBIT’s Industry Initiatives: Securing the Financial Sector

ReBIT’s Facilitator Role
- Business Leader’s Forum
- Community Leadership - WG
- Operational Excellence
- Research Institutions
- Industry Stakeholders

ReBIT’s Industry Initiatives

Initiative areas: Cybersecurity Assessment Tools; VAPT Accreditation Body; Cybersecurity Assessment Framework WG; Auditing and Monitoring Tools; Regulatory Technologies & Reporting; Auditing and Monitoring; Cybersecurity Awareness Campaign; Business Leader’s Forum

Operational Excellence Webinar (monthly): Industry initiatives to improve cybersecurity postures
- DMARC Webinar - with PayPal & ICICI Bank – May 11th
- Patch Management – Dynamics of (in)security – July 4th
- Upcoming: FIDO; DNSSEC & DNS Governance; IR

Cybersecurity Maturity Model - WG: 6-months effort. Kicked off in Feb, ongoing industry initiative to define a uniform yardstick to assess a firm’s cybersecurity maturity, benchmark and help create evolution roadmap

Vulnerability and Patch Management: Some statistics

Patching Vulnerability
- The recent Petya/NotPetya and WannaCry incidents underscore the importance of patch management.
- 77% of the total vulnerabilities are because of either poor patching or poor configuration (Edgescan 2016 Stats Report).

How fast are we fixing vulnerabilities?
Source: Edgescan 2016 Stats Report

Median number of days for vulnerability exploit
Source: Recorded Future - Week to Weak: The Weaponization of Cyber Vulnerabilities, 2014

Security Vocabulary
Talk about security like a pro
Source attribution: Cisco

Vulnerability
A weakness, design or coding error, or lack of protection in a product that enables an attack.
- Lack of protection against code injection
- Mishandling of unexpected conditions
- Insufficient enforcement of authentication and authorization
“What do you mean, vulnerable? It works the way I designed it to!”

Threats
- Threat: A potential danger that could cause harm to information or a system
- Threat Agent: An entity that exploits a threat
Figure labels: Product; Threat Agent

Exploits and Attacks
- Exploit: A practical method to take advantage of a specific vulnerability
- Attack: The use of an exploit against an actual vulnerability
- Attack Vector: A theoretical application of an exploit
- Zero-Day Attack: An attack that exploits a previously unknown vulnerability for which there is not yet a defense
“Exploits and attacks go hand in hand”

Exposure
1. The probability and severity of an attack using a specific exploit
2. Time between the announcement of a vulnerability and a suitable patch
3. Any information leak that facilitates an attack
Close calls still count! Whether or not an attack is successful, an exposure has still occurred.

Mitigation
A strategy for reducing or eliminating the severity of a security issue
A few examples:
- Reduction in attack surface
- PI (Platform Independent) code
- Security education and training
- Run time defenses
- Defensive coding
- Security features (encryption, packet filtering, logging)
- Secure code review

Mitigation
A strategy for reducing or eliminating the severity of a security issue
And the most important: Vulnerability and Patch Management

Patch Management Best Practices: Deep Dive

ReBIT Operational Excellence Webinar Series
Patch Management - Dynamics of (in)security
Visit http://webinar.rebit.org.in for future webinars and events
