Managing vulnerabilities is a significant challenge for many organisations, with the main difficulties manifest in two key areas, writes Brian Chappell. The first is that the list isn’t static. It seems that new vulnerabilities are discovered almost daily, adding to our list (assuming we’re scanning regularly, of course). In what are considered relatively small environments, the list of vulnerabilities can run into the thousands. For enterprises, it can seem like a tsunami of vulnerabilities. The other key area of concern revolves around the vulnerabilities that need to be addressed first.
Many organisations sort their list by severity, starting with high severity and working down through the medium, low and finally the informational vulnerabilities. Others will use CVSS score or PCI severity.
For smaller environments with a few tens or hundreds of systems it may be possible to reach the bottom of the list. For many, however, the task of completing the high severities alone can seem insurmountable (and very often is).
The primary objective should be to discover which of those vulnerabilities pose the greatest risk to your organisation, and severity, CVSS score or PCI severity alone simply isn’t enough to tell you. If you can mitigate, as Task #1, the vulnerabilities through which you are most likely to be attacked, then you can reduce the attack surface you’re presenting to the outside world quite dramatically.
In the States, Kmart and David Jones have both recently suffered intrusions via WebSphere vulnerabilities. While we don’t have specifics on which vulnerabilities were actually used, there’s speculation in the press that both were related to one recently discovered. According to the National Vulnerability Database, there have been 235 WebSphere vulnerabilities discovered (or updated) in the past three years alone. Like the vulnerability suspected of being used, many of those are medium severity vulnerabilities.
If our list of vulnerabilities has thousands of high severity vulnerabilities with more being added on a daily basis, how will we ever reach those that might cause immediate harm?
Vulnerability management solution choice is critical
The tool you choose needs to understand what turns a vulnerability into a significant risk to your environment: the availability of an exploit. For a hacker, a vulnerability without a known exploit is like having to walk around the outskirts of a city to reach the other side of a busy street full of fast-moving traffic. It’s a lot of work to reach the end goal, but if there’s a clearly signed crossing, anyone would take that route instead. It’s easy.
Hackers are using vulnerability scanners. They’re looking for the same information as you. They’re comparing the discovered vulnerabilities to the lists of exploits they have to hand. If they find an IP address with an easily exploitable vulnerability, then it’s simple to access the system and take a look around. If there’s something of value then we’re going to hear about it in the press. If not, no-one may ever know.
The picture of the hacker spending hours, days, weeks or even months to break into your network is the exception. The hacker needs to know there’s value in ‘breaking and entering’. For many, it’s just a drive-by/opportunist activity.
You need tools that will find all of the vulnerabilities across all your platforms: not just Windows, Linux and Unix, but also infrastructure devices such as Cisco and Juniper. What about mobile devices: Android, iOS, BlackBerry, Windows Phone? Then there are cloud systems such as AWS, GoGrid and Rackspace.
Wherever your data lives, you need to be scanning, but scanning alone just adds vulnerabilities that need to be worked through. If your tool also gives you the number of known exploits available for each vulnerability (including exploit toolkits), then you have a much better filter to target your efforts.
If you mitigate the vulnerabilities with known exploits first then you are no longer an easy target: the hacker is much more likely to move along. You are receiving the biggest return for your investment and the largest reduction in risk for the effort involved in the mitigations.
Unsurprisingly, when you sort the list of vulnerabilities by the number of known exploits, medium, low and informational severity vulnerabilities bubble quickly to the top of the list.
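To make the re-ordering concrete, here is a small Python triage script added for this article (it is not the author's or BeyondTrust's code). It runs over a constructed set of scanner findings, with placeholder vulnerability identifiers and illustrative exploit counts, and assumes each finding carries a severity band, a CVSS score, a count of public exploits and a count of exploit-toolkit modules.

```python
from dataclasses import dataclass

# Constructed scanner findings for this example; the identifiers are placeholders,
# not real CVEs, and the exploit counts are illustrative.
@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str   # High / Medium / Low / Info
    cvss: float
    exploits: int   # publicly known exploits for this vulnerability
    toolkits: int   # exploit-toolkit modules that include it

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}

SAMPLE = [
    Finding("web01", "VULN-A", "High", 9.8, 0, 0),
    Finding("web01", "VULN-B", "Medium", 5.3, 2, 1),  # medium severity, but weaponised
    Finding("db01", "VULN-C", "High", 8.1, 0, 0),
    Finding("app02", "VULN-D", "Low", 3.1, 1, 0),
    Finding("app02", "VULN-E", "High", 7.5, 1, 1),
    Finding("fw01", "VULN-F", "Medium", 6.5, 0, 0),
]

def exploit_count(f):
    """Known ways in: public exploits plus toolkit modules."""
    return f.exploits + f.toolkits

def by_severity(findings):
    """The conventional worklist: severity band first, then CVSS score."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.cvss))

def by_exploits(findings):
    """Exploit-aware worklist: most known exploits first; severity and CVSS only
    break ties, so an unexploitable High falls behind an exploitable Medium."""
    return sorted(findings, key=lambda f: (-exploit_count(f), SEVERITY_RANK[f.severity], -f.cvss))

def task_one(findings):
    """Everything with at least one known exploit: mitigate these before the rest."""
    return [f for f in by_exploits(findings) if exploit_count(f) > 0]

def severity_mix(findings):
    """How many of each severity band appear in a worklist slice."""
    mix = {}
    for f in findings:
        mix[f.severity] = mix.get(f.severity, 0) + 1
    return mix

if __name__ == "__main__":
    print("Severity order:", [f.vuln_id for f in by_severity(SAMPLE)])
    print("Exploit order :", [f.vuln_id for f in by_exploits(SAMPLE)])
    print("Task #1       :", [f.vuln_id for f in task_one(SAMPLE)], severity_mix(task_one(SAMPLE)))
```

On the sample data the severity-sorted list starts with three Highs that nobody has an exploit for, while the exploit-sorted Task #1 list is one Medium, one High and one Low.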
Brian Chappell is Director of Technical Services (EMEAI and APAC) at Beyond Trust