Patch management in a work-at-home world

By Larry Seltzer

Originally published on May 29, 2020, on Hewlett Packard Enterprise’s Enterprise.nxt, publishing insights about the future of technology.

Delivering and installing updates to client systems may be tricky when employees are working at home, but it can and must be done.

Patching software, especially when updates are delivered on a regular schedule, has gotten to be a much more routine and stress-free process in recent years. Now, the shift to so many employees working at home has thrown a monkey wrench into that smooth-running machine, but it still seems to be running well enough.

It’s reasonable to suspect that recent changes, with tech companies and their customers working from home, would cause problems for the update process. I assumed as much in a story I wrote in mid-March, as the quarantines were beginning. Google had just announced a pause in Chrome and Chrome OS updates, and I jumped to a number of conclusions:

  • Other software companies would follow suit.
  • The risks associated with update problems had increased as a result of the quarantines.
  • The work-at-home shift might slow the ability of software companies to create and deliver updates.

Patching goes on

I was wrong. Two days after announcing the pause, Google released an update to the Stable Channel for Chrome OS. Not long thereafter, Google officially unpaused and announced the state of its update schedule.

I saw no other large companies pause their own updates, and in fact, many issued out-of-band updates, including Microsoft, Adobe, and VMware. April’s Microsoft Patch Tuesday proceeded on schedule, patching a robust 113 vulnerabilities total.

I was wrong for several reasons:

  • The big software companies appear to be capable of functioning at normal capacity.
  • Updates don’t typically cause problems that would be worse in a work-at-home world.
  • The risks of not releasing updates far outweighed any theoretical increase in risks from releasing them.

My real mistake was in not understanding the third point above intuitively. We have a long, well-understood history of what happens when software vulnerabilities are left unpatched. They leave you vulnerable to data breaches, theft, ransomware, and whatever other evil things criminals all over the world think up.

Patching: What has changed?

I spoke with Stephen Boyer, CTO and co-founder of BitSight, which provides security ratings services and analytics for cybersecurity risk management, about what software updates have changed for his clients in the work-at-home era.

Boyer says there are definitely new challenges to patching in a work-at-home world. The difficulty of those challenges depends on your circumstances and capabilities, so there may be no clear advice anyone can provide without knowing your situation. You’ll have to figure it out.

For instance, if your employees don’t all have company laptops, they’re probably doing work on their own home PCs (and Macs). Your employees didn’t choose to work at home, and if you’re expecting them to use their own computers for work, you’re going to have to have a lot of nerve to tell them what they can and can’t run on their own computers.

Think about it. This is a hard problem, for several reasons:

  • If you’re going to stick to your vigilant security policies for employee personal equipment, you’re going to need to manage those systems. Do you really want to go there?
  • If you don’t manage them, are you no longer in compliance with regulations for your business?
  • Are they patched properly? If you’re not managing the systems, how do you know if the OS, BIOS, and applications are up to date? Can you trust the employee to accurately and completely describe what they see on the screen to you?

If you have no choice but to have employees work on personal equipment, the minimum, and perhaps the best, you can do is to tell them, in general terms, to follow best practices: Set the operating system and applications to auto-update; do not use default or weak passwords; if at all possible, do not do personal computing on the device used for work; and a dozen other things that one cannot reasonably expect non-technical employees to do.

Overloading company networks

It’s normal for companies to issue software updates to end-user systems over the company LAN using WSUS (Windows Server Update Services) or a third-party equivalent. If all those end-user systems are at homes, then all those updates will be sent out through the company gateway onto the Internet. This may be expensive, and it may, periodically, hog bandwidth to the point that other necessary traffic is slowed.

Boyer says that this is a problem only if it’s a problem, meaning that if you have the bandwidth, it’s not a problem. If you don’t have the bandwidth, you may have to resort to having users get updates from the vendors directly. There are theoretical problems with this, but in the current scheme of things, they are minor. Anything that slows down the application of security patches is a threat to be mitigated.

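
The two preceding sections raise concrete questions that a help desk has to answer for a Windows PC sitting on a home network: is the OS and BIOS current, is auto-update actually enabled, and is the client still pointed at an internal WSUS server it can no longer reach from outside the company gateway. The following read-only PowerShell report is an added example, not code from the article or from BitSight; it uses the standard Windows Update registry policy keys, the Windows Update Agent COM API and CIM classes, and the 30-day staleness threshold and the idea of having the user paste the output back are assumptions for illustration.

```powershell
# Added example (not from the article): a read-only report a help desk can ask a home
# worker to run on a Windows PC. It shows OS/BIOS versions, whether Automatic Updates is
# enabled, whether the client is bound to a WSUS server that is unreachable from home,
# and which updates are waiting. The 30-day threshold below is an assumed value.

function Get-UpdatePolicy {
    # Group Policy keys under HKLM:\SOFTWARE\Policies take precedence over machine defaults.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue
    $wu     = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # NoAutoUpdate = 1 means automatic updating is disabled by policy.
        AutoUpdateDisabled = ($au.NoAutoUpdate -eq 1)
        # AUOptions 4 = download and install on schedule; 3 = download, notify to install.
        AUOptions          = $au.AUOptions
        # UseWUServer = 1 means the client only talks to the WSUS server named in WUServer.
        UsesWsus           = ($au.UseWUServer -eq 1)
        WsusServer         = $wu.WUServer
    }
}

function Test-WsusReachable {
    param([string]$WsusUrl)
    # No WSUS configured: the client already goes to Microsoft Update directly.
    if (-not $WsusUrl) { return $null }
    try {
        # WUServer values normally carry the port, e.g. http://wsus.corp.example:8530 (constructed).
        $uri = [uri]$WsusUrl
        return (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    } catch { return $false }
}

function Get-PendingUpdates {
    # Windows Update Agent COM API: applicable updates that are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) { $u.Title }
}

function Get-PatchReport {
    $os   = Get-CimInstance Win32_OperatingSystem
    $bios = Get-CimInstance Win32_BIOS
    $lastHotfix = Get-HotFix | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
    $pol     = Get-UpdatePolicy
    $pending = @(Get-PendingUpdates)

    # Findings are the conditions a help desk would act on.
    $findings = @()
    if ($pol.AutoUpdateDisabled) { $findings += 'Automatic Updates disabled by policy' }
    if ($pol.UsesWsus -and -not (Test-WsusReachable $pol.WsusServer)) {
        $findings += "Bound to WSUS $($pol.WsusServer), which is unreachable from this network"
    }
    if ($lastHotfix -and $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings += "No update installed in the last 30 days (last: $($lastHotfix.InstalledOn.ToShortDateString()))"
    }
    if ($pending.Count -gt 0) { $findings += "$($pending.Count) update(s) pending installation" }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OSVersion      = "$($os.Caption) build $($os.BuildNumber)"
        BIOSVersion    = $bios.SMBIOSBIOSVersion
        BIOSDate       = $bios.ReleaseDate
        LastHotfix     = if ($lastHotfix) { "$($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn.ToShortDateString())" } else { 'none recorded' }
        AutoUpdate     = if ($pol.AutoUpdateDisabled) { 'disabled' } else { "enabled (AUOptions=$($pol.AUOptions))" }
        UpdateSource   = if ($pol.UsesWsus) { "WSUS: $($pol.WsusServer)" } else { 'Microsoft Update (direct)' }
        PendingUpdates = $pending
        Findings       = $findings
    }
}

# Run the report; the worker can paste the output back to the help desk.
Get-PatchReport | Format-List
```

The WSUS check is the part that matters most for the bandwidth discussion above: a client that is bound to an internal WSUS server but cannot reach it will report no pending updates and quietly stop patching, which is the failure mode to look for before deciding whether remote clients should fetch updates from the vendor directly. Because the script only reads policy and asks the Windows Update Agent what is applicable, it changes nothing on the employee's machine.
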
The same “it’s a problem only if it’s a problem” logic goes for your virtual private network. You’ll probably find yourself with a sudden surge in usage of the VPN. Sometimes increasing capacity is just a matter of shelling out the money for it, and you certainly have the excuse. But can you afford to run on your VPN all the clients that were previously on your LAN? Likely not. You’ll have to make the same kind of compromises, shifting, for example, some users of Office 365 off the VPN.

And do you run all your Windows Updates through the VPN on the second Tuesday of the month? Not likely.

When you shift the jargon of our current situation around a bit, the craziness of it becomes apparent. Some of Boyer’s customers have 70,000 employees working at home. You can think of them as 70,000 branch office locations, with the attack surface of the company growing by many orders of magnitude. Suddenly the management problems look even worse and the threats scarier.

Boyer’s financial services customers are especially concerned. Such companies typically have large numbers of employees who (normally) work only at the company location on company equipment. This makes it easier, maybe even possible, to enforce regulatory requirements. Now, the company has no choice but to have them work remotely. These companies are right to be concerned and are probably willing to throw whatever money they can at the problem to mitigate it.

Threat actors escalate

Government agencies and security vendors have recently reported a surge of security attacks, some scams related to the COVID crisis but also a lot more conventional attacks, such as malware, phishing, and vulnerability exploits.

An alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, Department of the Treasury, IRS, and Secret Service describes a wide range of COVID-related scams. A memo from NASA’s CIO to his agency describes a doubling of phishing attempts against NASA (an “exponential increase in malware attacks on NASA systems”) and urges attentiveness to the problem.

The NASA CIO also recommends that users always be on the VPN when doing work. This is a good idea, but it raises the fact that malicious attacks on VPNs have been on the increase of late. It’s worth double- or even triple-checking that your networks and clients are running the most up-to-date versions of your VPN’s software and that, if there are any unpatched problems, you have taken whatever mitigating actions you can.

This is why BitSight’s Boyer stressed the need for multifactor authentication, especially on the VPN. The company’s high value has made it a high-priority attack target, sometimes by phishing, sometimes through vulnerabilities in the VPN itself. If IT doesn’t apply the latest update to the VPNs promptly, it leaves the company especially vulnerable.

The hybrid home/company network

Boyer emphasizes the low quality of security on home networks. It’s common to find old equipment, no longer being updated by the vendor, and Wi-Fi networks and admin accounts with default passwords. Plus, virtually all the encryption used on home wireless networks is easily breakable.

One way to address this problem is to send the employee a separate wireless access point, preconfigured, perhaps even with a VPN in it. There are difficulties with this approach, though: Do you have 70,000 of them or however many you’ll need? And can you expect your employees to connect them properly? Does the employee even have a free Ethernet port on their cable modem?

In fact, the average home network is no place to do secure computing. It doesn’t have the right equipment, and the staff (probably the worker’s teenager) lacks the experience and expertise.

One often hears about how hackers will gain a foothold on a corporate network and then move laterally, from system to system, across network segments, exploiting vulnerabilities and weak passwords along the way, looking for the really valuable assets. Imagine how much easier this is to do on the average home network.

Minimize the problems

For most companies, there is no practical way to maintain the same level of security with employees working at home as there was when they were working in the company’s offices. The best you can hope for is to minimize the problem.

The one best guidance you can follow is to minimize the attack surface. In this context, the best remote access method is probably VDI (virtual desktop infrastructure) or some other terminal interface, combined with a client security agent that can do keylogging and screen scraping.

The VDI part is easy to deploy to just about any system, as the client programs are small and simple and there is usually a way to connect using a browser. The client agent could be trickier, especially if the home PC is already running security software. It would be better than nothing if the user’s system is running a security client and that client is kept up to date, although you won’t be managing or getting security events from that client.

Another way to minimize the attack surface is for the client system to always be on the company VPN.

What you can and can’t do

If your users are running company-managed systems at home, you should be in good enough shape, as long as the users follow some common-sense precautions. Always be on the VPN, and don’t do anything personal on the system that you wouldn’t do for work. If, in spite of any security software, malware gets onto the system because the user was careless, there may be little the company can do to stop it.

If your users are doing company work on their own computers, there is a limit to how secure you can reasonably expect them to be. Actively managing employees’ personal systems and supplying them with necessary security products is going to be too difficult and expensive. You may as well buy them a new PC and outfit it properly.

In the meantime, tell them to set everything to auto-update and urge them to follow all the other best practices. But you’ll have to accept that employees computing at home, especially on their own equipment, is less secure than it is in the office.

Patching in a work-at-home world: Lessons for leaders

  • Minimize the number of employees using personal equipment.
  • Get as many at-home employees as possible on the VPN, and require two-factor authentication for the VPN.
  • In the long term, plan for VDI over a VPN, with a strong endpoint security agent, as the remote access configuration for the company.

Related reading:

  • The state of patch management
  • How to keep up with open source updates
  • Welcome to the Windows 7 Extended Security Updates era

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.

Translated from: https://medium.com/enterprise-nxt/patch-management-in-a-work-at-home-world-c10bb70cfd84
